How to use Azure Sentinel to follow a Users travel and map their location
Published Nov 04 2019 02:07 PM 25.5K Views
Microsoft

This post is in two parts.

1. Workbook import instructions

2. The finished workbook


UPDATE - September 2020:
There have been some updates to the map controls since 2019, so you may need to edit the Map Settings fields and sometimes the Latitude and Longitude entries.

I have now updated the Workbook, so please download the latest version from GitHub. The Map Control should now work as expected; I also took the opportunity to update the workbook to the latest best practices and techniques. You'll now notice it uses Tabs to separate the data and has Help and Change control information. I also added a toggle for Kilometers vs. Miles.

The option "Add a manual entry" was the original behavior (now option #3); this is now an ad-hoc entry option.

I think most users will use Azure Active Directory (AAD - option #2) to get a dynamic list (if you have that data source), or the new option #1 to keep a list of their preferred locations, which requires a workbook edit.


You can see the built-in help in the picture below, so please download the workbook and look at the help (just press the Help toggle after you import it).

UserMapHelp.jpg


I have created the workbook for you, so you just need to import it, using these instructions:


1. Workbook Import Instructions. 


Create a NEW workbook

clipboard_image_0.png


Enter the Advanced Editor by pressing this button.

clipboard_image_1.png


Note: first delete the existing content between the { and }.


You can find the related Workbook in the Sentinel GitHub, it’s called “UserMap.json”:


https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks


clipboard_image_2.png


Use the RAW button, then select all the text (CTRL-A), then copy (CTRL-C) and paste into the Advanced Editor pane.


Then press Apply, and remember to SAVE it (if you like it).


2. The finished Workbook

Note: “Please check your local or country policies on personal data handling before using this solution, and ensure you gain any necessary consent.”


You should now see the same World Map as per my last post. https://techcommunity.microsoft.com/t5/Azure-Sentinel/How-to-use-Azure-Monitor-Workbooks-to-map-Sent...


The KQL explained

This query relies on you having data in the Azure SigninLogs table. https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory


clipboard_image_3.png

Now we can also track people (assuming you have longitude and latitude info in the table). I have added an extra drop-down dialog box so you can select your user from a list. We then use that user's name to find where they log on.

Note: SigninLogs location info is affected by your network, so you may see some inaccuracies depending on VPNs etc.

On the right I also mapped the locations again (as per the last blog post).

clipboard_image_4.png


The query used for the table on the left is shown below. It is the version actually used in the workbook, so it won't work in Log Analytics "as is"; a Log Analytics compatible version is available via the link below (it won't run in our demo tenant, which doesn't have the required table).

Go to Log Analytics and see the Query


Query Summary:

This query grabs a few bits of data early on, like the Longitude and Latitude, City and State etc.

I then make use of the prev() function to get the previous latitude and longitude (the first location is labelled “FirstLocation”, as it has no previous data).

We then use geo_distance_2points again to compare the user's last location to the current one and calculate the distance in miles (replace with KM if you prefer). I also remove any logons from the same location (this may be useful to see; just comment out the line starting with: where distance_in_miles !="0.0").

I finish by summarizing the data and using strcat to merge some columns (also taking the opportunity to add some icons/emojis).


KQL that works in my Azure Monitor Workbook 


SigninLogs
//| where UserDisplayName == "  "      // user filter; the workbook fills this from the drop-down
| extend city_ = tostring(LocationDetails.city)
| extend state_ = tostring(LocationDetails.state)
| extend countryOrRegion_ = tostring(LocationDetails.countryOrRegion)
| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)
| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)
| order by TimeGenerated asc, city_ asc
| serialize
| extend pLat = prev(latitude_, 1)     // previous row's latitude
| extend pLon = prev(longitude_, 1)    // previous row's longitude
| extend distance_in_miles = iif(isnotempty(pLat), tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat)) / 1609.344, 2)), "FirstLocation")
| where distance_in_miles != "0.0"     // drop logons from the same location
| summarize count() by bin(TimeGenerated, 24h),
    // UserDisplayName,
    userNameLocation = strcat(UserDisplayName, " ", city_, " ", countryOrRegion_),   // the separators hold icon/emoji characters in the workbook
    visit_order = strcat(row_number(), ".", city_),
    MilesTravelled = distance_in_miles
    // latitude_,
    // longitude_
| project-away count_
| order by TimeGenerated asc, visit_order asc
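The same pipeline written in Python, as an added example that is not the workbook's code and not part of the original post. It reads constructed SigninLogs-style records, filters to one user, orders by time, takes the previous row's coordinates the way prev() does, computes the distance with a haversine function that takes its arguments in the same longitude-first order as Kusto's geo_distance_2points, drops sign-ins from the same place, and numbers the visits. It also carries the later Kilometers vs. Miles toggle as a unit parameter. The sample rows, the user names, the spherical-Earth approximation and the helper names user_travel and geo_distance_2points are all assumptions of this example.

```python
import json
import math
from datetime import datetime, timezone

METERS_PER_MILE = 1609.344   # the same conversion factor the KQL uses
EARTH_RADIUS_M = 6371000.0   # mean Earth radius; spherical approximation (assumption)


def _row(ts, user, city, state, country, lat, lon):
    """Build one constructed SigninLogs-like record. geoCoordinates is kept as a
    JSON string because the workbook query parses it with
    parse_json(tostring(LocationDetails.geoCoordinates))."""
    return {
        "TimeGenerated": ts,
        "UserDisplayName": user,
        "LocationDetails": {
            "city": city,
            "state": state,
            "countryOrRegion": country,
            "geoCoordinates": json.dumps({"latitude": lat, "longitude": lon}),
        },
    }


# Constructed sample data: two sign-ins from the same place, one sign-in by a
# different user, then a sign-in from another continent.
SAMPLE_SIGNINLOGS = [
    _row("2019-11-01T08:00:00Z", "Clive W", "Reading", "Berkshire", "GB", 51.4543, -0.9781),
    _row("2019-11-01T09:30:00Z", "Clive W", "Reading", "Berkshire", "GB", 51.4543, -0.9781),
    _row("2019-11-01T12:00:00Z", "Alice B", "Paris", "Ile-de-France", "FR", 48.8566, 2.3522),
    _row("2019-11-02T14:00:00Z", "Clive W", "Seattle", "Washington", "US", 47.6062, -122.3321),
]


def geo_distance_2points(lon1, lat1, lon2, lat2):
    """Great-circle distance in metres (haversine formula). The argument order,
    longitude first, matches Kusto's geo_distance_2points; the spherical model
    only approximates Kusto's result."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2.0 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def user_travel(rows, user, unit="miles", min_move_m=1.0):
    """Emulate the workbook query for one user: parse the nested location
    fields, order by time, compare each sign-in with the previous row (prev()),
    drop sign-ins that did not move, and number the remaining visits."""
    per_unit = METERS_PER_MILE if unit == "miles" else 1000.0
    signins = []
    for r in rows:
        if r["UserDisplayName"] != user:   # the workbook's drop-down filter
            continue
        loc = r["LocationDetails"]
        geo = json.loads(loc["geoCoordinates"])
        signins.append({
            "time": datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "city": loc["city"],
            "country": loc["countryOrRegion"],
            "lat": float(geo["latitude"]),
            "lon": float(geo["longitude"]),
        })
    signins.sort(key=lambda s: (s["time"], s["city"]))   # order by TimeGenerated asc, city_ asc

    visits = []
    prev = None
    for s in signins:
        if prev is None:
            moved = "FirstLocation"            # no previous row, as in the KQL
        else:
            metres = geo_distance_2points(s["lon"], s["lat"], prev["lon"], prev["lat"])
            if metres < min_move_m:            # same location: numeric check, not a string compare
                prev = s
                continue
            moved = round(metres / per_unit, 2)
        prev = s
        visits.append({
            "TimeGenerated": s["time"].isoformat(),
            "userNameLocation": f"{user} {s['city']} {s['country']}",
            "visit_order": f"{len(visits) + 1}.{s['city']}",
            "distance_travelled": moved,
        })
    return visits


if __name__ == "__main__":
    for v in user_travel(SAMPLE_SIGNINLOGS, "Clive W"):
        print(v)
```

Two points are worth noticing against the KQL above. The user filter has to come before the prev() step, because prev() reads the previous row of the whole serialized table, not the previous row for that user, so an unfiltered table would compute distances between different people's sign-ins. And the same-location check compares the distance in metres against a small threshold rather than against the string "0.0", so it does not depend on how a zero distance is formatted as text.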


You should now be able to select a User and then see their travel information / miles moved.


clipboard_image_5.png

This is the same view (see the table below) but run in Log Analytics. Please take a look at the data (if you have it); this is just one example of how you can use it.


clipboard_image_6.png


12 Comments
Copper Contributor

Hi @CliveWatson,


I've sent an issue to GitHub for this workbook, https://github.com/Azure/Azure-Sentinel/issues/747


Thanks!

Brass Contributor

Hello @CliveWatson ...It seems the dropdown limits to 1000 values currently (For example, UserData tab- SelectUser dropdown). Is there any way to increase the limit by chance?

Microsoft

Hi,


I was planning to add an extra filter, it looks like this example:


userMapv1-3demo.gif


It won't increase the 1000 limit but:

1. You can see how many users you have returned. And I display an error if >= 1000 are seen!

2. You can switch to a mode, "Select User by Letter", where you can search by initial letter (and see the count of those) - I appreciate it's possible to have 1000 people with the same first letter of their name, but it gives a lot more room


What do you think?


@AlphaBetaGamma PM me if you would like to test a copy?

Microsoft

...and now with free text search, as an option:

 userMapv1-3ademo.gif

Brass Contributor

This is really cool. This free text search option is exactly what we have in mind and needed. Thank you @CliveWatson 

Microsoft

Azure-Sentinel/UserMap.json at master · Azure/Azure-Sentinel (github.com) has just been approved into the Azure Sentinel GitHub

Iron Contributor

Is there a way to convert userdisplayname from its service principal value to the human name?

I've seen some incidents in Sentinel where the human name is shown, but the analytic kql doesn't present any logic that the userdisplayname has been converted to human form?

Microsoft

If you run a search on SigninLogs, there are three columns that have a name. Are you asking for Identity or UserPrincipalName to also be used? Can you provide an example?


SigninLogs
| project UserDisplayName, Identity, UserPrincipalName

Results example:

UserDisplayName | Identity | UserPrincipalName
Clive W | Clive W | Clive@anemailname.com

Copper Contributor

Having a hard time putting this in a Sentinel workbook, I keep running into this error when I click Done Editing.

HathMH_0-1681510570269.png


Bronze Contributor

What are you trying to do when you get the error?  If you are taking the JSON from GitHub, make sure you select RAW, before copying the text.

Clive_Watson_1-1681552552934.png


User Map is now a Template in Sentinel, so to install it all you need to do is: Sentinel --> Workbooks --> Templates, find "User Map" and then SAVE it.

Clive_Watson_0-1681552465269.png


Copper Contributor

Sir,

I did do RAW, and then copied the text.
Went into Sentinel > My Workbook > Add Workbook > Advanced Editor
Into text box and pasted the copy from RAW screen

HathMH_0-1681739377591.png


Click Done Editing, get error

HathMH_1-1681739416923.png


Happens with any of the workbooks I try from that git repo

I've only recently uncovered what github is. I'm new to cyber, and I'm not a developer so saw no need of it for me until recently, when I started looking into pen test and kali.
I admit, I am new to GitHub, still learning it basically from step 1; but I don't think I can mess up a copy paste. Unless I am pasting in the wrong spot?

Bronze Contributor

It looks from the 2nd screenshot that you are pasting the JSON file contents into a Workbook Text box.


You need to use this button:

Workbooks --> "Add Workbook" --> Edit --> Advanced Editor 

Clive_Watson_1-1681741825445.png


rather than going into one of the Text boxes within the Workbook and using that "Advanced Editor" - there are two named the same! 


Workbooks --> "Add Workbook" --> Edit --> Edit -- Advanced Editor 

Clive_Watson_2-1681741862297.png


Version history
Last update:
‎Nov 02 2021 05:43 PM