Forum Discussion
Azure Log search - Login search question
- Feb 19, 2019
Hi,
I do not have Azure AD logs in my env but I can simulate the same thing via Azure Activity logs. The most basic query is this:
AzureActivity | extend httpdata = parse_json(HTTPRequest) | summarize AggregatedValue = dcount(tostring(httpdata.clientIpAddress)) by ResourceId
Don't mind the usage of parse_json; that is specific to that log. The most important thing to notice is that I use dcount() and count it by ResourceId. In your case, inside dcount will be the column of the IP address, and ResourceId for you will be the user name. You will not get a list of which IPs they are, but you will get their count. This is the most basic query that should work for the most basic number-of-results alert.
Mark this reply as answer if it has helped you.
One last question. Using the method you gave me, I get the total count of different IPs the sign-ins are coming from for a user. Is there a way to also display the actual IP addresses and not just the user and count?
Here is what I got that gives me the count; can something be added that shows the IPs related to the AggregatedValue?
SigninLogs
| where ResultType == "0"
| summarize AggregatedValue = dcount(IPAddress) by UserPrincipalName
| where AggregatedValue > 5
- Feb 19, 2019
Hi,
That is possible as well, but you need to verify that the alert will work. Alerts require specific things, like AggregatedValue for example.
The example query will be:
AzureActivity | extend httpdata = parse_json(HTTPRequest) | summarize IpList = makeset(tostring(httpdata.clientIpAddress)) by ResourceId | extend AggregatedValue = array_length(IpList) | sort by AggregatedValue desc
In your case:
SigninLogs | where ResultType == "0" | summarize IpList = makeset(IPAddress) by UserPrincipalName | extend AggregatedValue = array_length(IpList) | where AggregatedValue > 5
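As an added example (not part of this thread and not Microsoft's code), here is the same three-stage logic the answer builds in KQL, written in Python over a few constructed SigninLogs-style rows: keep successful sign-ins only (ResultType "0"), collect the distinct IPs per user (the make_set shape), and alert when that count (the AggregatedValue) exceeds 5. It lets you check offline what the dcount() query and the make_set() query each return, and why the ResultType filter matters when a user also has many failed attempts. Column names follow the thread; the user names, IPs and rows are made up. Two caveats worth knowing when you move this back to KQL: makeset is the older spelling of make_set (both work, make_set is the current name), and dcount() in KQL is an estimate, whereas the Python version below is exact.

```python
from collections import defaultdict

# Constructed sample rows shaped like the SigninLogs columns used in the thread.
# These are made-up records, not real tenant data. ResultType "0" is a successful
# sign-in; "50126" (bad username/password) stands in for a failed one.
SIGNIN_LOGS = [
    # alice: six distinct IPs with successful sign-ins, one repeat, one failure
    {"UserPrincipalName": "alice@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.10"},
    {"UserPrincipalName": "alice@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.11"},
    {"UserPrincipalName": "alice@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.12"},
    {"UserPrincipalName": "alice@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.13"},
    {"UserPrincipalName": "alice@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.14"},
    {"UserPrincipalName": "alice@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.15"},
    {"UserPrincipalName": "alice@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.10"},
    {"UserPrincipalName": "alice@contoso.example", "ResultType": "50126", "IPAddress": "198.51.100.99"},
    # bob: two distinct IPs, all successful
    {"UserPrincipalName": "bob@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.20"},
    {"UserPrincipalName": "bob@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.21"},
    # carol: three successful IPs, plus failures from four other IPs that the
    # ResultType filter must drop (seven distinct IPs in the raw table)
    {"UserPrincipalName": "carol@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.30"},
    {"UserPrincipalName": "carol@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.31"},
    {"UserPrincipalName": "carol@contoso.example", "ResultType": "0", "IPAddress": "203.0.113.32"},
    {"UserPrincipalName": "carol@contoso.example", "ResultType": "50126", "IPAddress": "198.51.100.1"},
    {"UserPrincipalName": "carol@contoso.example", "ResultType": "50126", "IPAddress": "198.51.100.2"},
    {"UserPrincipalName": "carol@contoso.example", "ResultType": "50126", "IPAddress": "198.51.100.3"},
    {"UserPrincipalName": "carol@contoso.example", "ResultType": "50126", "IPAddress": "198.51.100.4"},
]


def successful_signins(rows):
    """KQL: | where ResultType == "0" (keep only successful sign-ins)."""
    return [r for r in rows if r["ResultType"] == "0"]


def ip_sets_by_user(rows):
    """KQL: | summarize IpList = make_set(IPAddress) by UserPrincipalName.

    Returns {UserPrincipalName: set of distinct IPAddress values}.
    Like make_set, duplicates collapse; unlike KQL there is no size cap here.
    """
    sets = defaultdict(set)
    for r in rows:
        sets[r["UserPrincipalName"]].add(r["IPAddress"])
    return dict(sets)


def distinct_ip_counts(rows):
    """KQL: | summarize AggregatedValue = dcount(IPAddress) by UserPrincipalName.

    Returns {UserPrincipalName: number of distinct IPs}. This is exact;
    dcount() in KQL is an estimate, which is fine for a threshold alert.
    """
    return {user: len(ips) for user, ips in ip_sets_by_user(rows).items()}


def users_over_threshold(rows, threshold=5):
    """The full alert query from the thread, with the IP list kept:

    SigninLogs | where ResultType == "0"
    | summarize IpList = make_set(IPAddress) by UserPrincipalName
    | extend AggregatedValue = array_length(IpList)
    | where AggregatedValue > threshold

    Returns {UserPrincipalName: {"AggregatedValue": n, "IpList": [sorted IPs]}}.
    """
    hits = {}
    for user, ips in ip_sets_by_user(successful_signins(rows)).items():
        if len(ips) > threshold:
            hits[user] = {"AggregatedValue": len(ips), "IpList": sorted(ips)}
    return hits


if __name__ == "__main__":
    # Without the ResultType filter, carol looks noisier than alice; with it,
    # only alice crosses the "> 5 distinct IPs" line.
    print("raw dcount per user:   ", distinct_ip_counts(SIGNIN_LOGS))
    print("successful dcount/user:", distinct_ip_counts(successful_signins(SIGNIN_LOGS)))
    for user, info in users_over_threshold(SIGNIN_LOGS).items():
        print(f"ALERT {user}: {info['AggregatedValue']} IPs -> {info['IpList']}")
```

The ordering of the two steps is the point to carry back into the KQL: filter on ResultType first, then summarize, otherwise a user being password-sprayed from many source IPs will trip a rule that is meant to catch successful sign-ins from many places.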
- fishermc, Feb 19, 2019 (Copper Contributor)
Perfect, that worked. Thank you very much!