Forum Discussion

SamLSVM
Copper Contributor
Jul 29, 2024

Local IPs ( 10.60.0.0/24 ) in ClientIP field in OfficeActivity logs?

Started seeing this more often recently and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to Microsoft services? This can't be related to the customer since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations, which is what caused alerts and brought the issue to our attention.

To make sure this also wasn't some kind of correlation to device, I checked the logs further and it's happening where IsManagedDevice == false and even for anonymous file access.

Is anyone else seeing this, and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream?

Sample KQL:

// Query 1: unmanaged-device activity whose ClientIP is an RFC 1918 address,
// summarised per source address (first/last seen, operations, users, user agents)
OfficeActivity
| where TimeGenerated >= ago(30d)
| where ipv4_is_private(ClientIP)
| where IsManagedDevice == false
| summarize min(TimeGenerated), max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP

// Query 2: daily count of events with a populated, RFC 1918 ClientIP,
// to see when the behaviour started and whether it is growing
OfficeActivity
| where TimeGenerated >= ago(60d)
| where isnotempty(ClientIP) and ipv4_is_private(ClientIP)
| summarize count() by bin(TimeGenerated, 1d)
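For triaging the same pattern outside the portal (for example when exporting rows from several tenants), the following Python is an added example, not code from this thread or from Microsoft. It mirrors the two KQL queries above over constructed OfficeActivity-shaped records (hypothetical users, user agents, and a 10.60.0.0/24 address like the ones reported here) and adds a routing step that keeps FileDownloaded alerts from public IPs on the normal path while diverting the RFC 1918 ones into a review queue for the suspected upstream logging gap. The private-range check deliberately matches KQL's ipv4_is_private() (10/8, 172.16/12, 192.168/16) rather than Python's wider is_private, so loopback or link-local addresses are not mis-filed as this pattern.

```python
"""Triage helper for OfficeActivity rows carrying an RFC 1918 ClientIP.

Added example for this thread; records below are constructed, not tenant data.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Constructed records (hypothetical users; IPs from RFC 1918 and TEST-NET-3 ranges).
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-07-20T08:01:00Z", "Operation": "FileDownloaded",
     "UserId": "alice@contoso.example", "ClientIP": "10.60.0.17",
     "UserAgent": "OneDriveMpc-Transform_Thumbnail", "IsManagedDevice": False},
    {"TimeGenerated": "2024-07-20T09:30:00Z", "Operation": "FileAccessed",
     "UserId": "bob@contoso.example", "ClientIP": "10.60.0.17",
     "UserAgent": "Microsoft Office/16.0", "IsManagedDevice": False},
    {"TimeGenerated": "2024-07-20T11:15:00Z", "Operation": "FileDownloaded",
     "UserId": "alice@contoso.example", "ClientIP": "10.60.0.23",
     "UserAgent": "OneDrive Sync Client", "IsManagedDevice": True},
    {"TimeGenerated": "2024-07-20T12:00:00Z", "Operation": "FileDownloaded",
     "UserId": "carol@contoso.example", "ClientIP": "203.0.113.45",
     "UserAgent": "Mozilla/5.0", "IsManagedDevice": False},
    {"TimeGenerated": "2024-07-21T07:45:00Z", "Operation": "FileSyncDownloadedFull",
     "UserId": "dave@contoso.example", "ClientIP": "192.168.1.10",
     "UserAgent": "OneDrive Sync Client", "IsManagedDevice": False},
    {"TimeGenerated": "2024-07-21T08:00:00Z", "Operation": "FileAccessed",
     "UserId": "erin@contoso.example", "ClientIP": "",
     "UserAgent": "Mozilla/5.0", "IsManagedDevice": False},
    {"TimeGenerated": "2024-07-21T08:05:00Z", "Operation": "FileAccessed",
     "UserId": "frank@contoso.example", "ClientIP": "127.0.0.1",
     "UserAgent": "Mozilla/5.0", "IsManagedDevice": False},
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True only for the three RFC 1918 blocks, matching KQL ipv4_is_private().
    ipaddress's .is_private is wider (loopback, link-local, CGNAT) and would
    file 127.0.0.1 or 169.254.x.x under the pattern discussed in the thread."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed ClientIP
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def _ts(record):
    return datetime.fromisoformat(record["TimeGenerated"].replace("Z", "+00:00"))


def summarize_private_sources(records):
    """Query 1 equivalent: unmanaged-device rows with an RFC 1918 ClientIP,
    grouped per address with first/last seen, operations, user count, UAs."""
    groups = defaultdict(list)
    for r in records:
        if is_rfc1918(r.get("ClientIP", "")) and not r.get("IsManagedDevice", False):
            groups[r["ClientIP"]].append(r)
    summary = {}
    for ip, rows in groups.items():
        times = sorted(_ts(r) for r in rows)
        summary[ip] = {
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "operations": sorted({r["Operation"] for r in rows}),
            "user_count": len({r["UserId"] for r in rows}),
            "user_agents": sorted({r["UserAgent"] for r in rows}),
        }
    return summary


def daily_private_counts(records):
    """Query 2 equivalent: per-day count of rows whose ClientIP is populated
    and RFC 1918, regardless of device management state."""
    counts = Counter(_ts(r).date().isoformat()
                     for r in records if is_rfc1918(r.get("ClientIP", "")))
    return dict(sorted(counts.items()))


def route_download_alerts(records):
    """Split FileDownloaded-from-unmanaged-device candidates: public sources stay
    on the normal alert path; RFC 1918 sources go to a review queue for the
    suspected logging gap rather than firing a per-download alert."""
    alert, review = [], []
    for r in records:
        if r["Operation"] != "FileDownloaded" or r.get("IsManagedDevice", False):
            continue
        (review if is_rfc1918(r.get("ClientIP", "")) else alert).append(r)
    return alert, review


if __name__ == "__main__":
    for ip, s in summarize_private_sources(SAMPLE_RECORDS).items():
        print(ip, s)
    print(daily_private_counts(SAMPLE_RECORDS))
    alert, review = route_download_alerts(SAMPLE_RECORDS)
    print(len(alert), "alert(s) from public IPs;", len(review), "queued for review")
```

The review queue is the point: the thread's concern is that real source IPs are being lost, so a private ClientIP should lower confidence in the record rather than be silently dropped, and the same classification can be applied to any other table whose source-IP column shows the behaviour.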


  • benjamin-jones
    Copper Contributor
    We see this same data across all of our clients. It almost appears like OneDrive is establishing a VPN-type connection to a Microsoft data center, then syncing your files. It appears to only happen during OneDrive activities. I'm very curious to see if this is the case.
    • SamLSVM
      Copper Contributor

      benjamin-jones

      That's a good point, we see the same. FileDownloaded operations are OneDrive, while other operations look like variations of OneDrive user agents or Office, which I imagine is doing the same thing.

  • ep3p
    Copper Contributor
    This is a bug with certain UserAgents, first it was happening with unmanaged devices, then also with managed devices. Information about the real IP address is being lost, I have opened a support case.
    • bobbybregman2490
      Copper Contributor

      ep3p: Can you update us on the support case?

      We are also seeing this behaviour (also MSSP) at multiple customer Sentinel instances.

      But it also seems to happen in MicrosoftGraphActivityLogs, see:

  • JoseSebastian
    Copper Contributor
    bobbybregman2490 jmacek

    I have an open support case and Microsoft is taking its time to diagnose and escalate the issue to the proper team (they have asked the same questions 3 or 4 times already). Right now I am with the support engineers of "SharePoint online and OneDrive".
  • vtonu
    Copper Contributor
    I have exactly the same issue on my tenant.
