activity SearchQueryPerformed IP location is from another country


Hi All,

Lately I am watching the audit log to see if there are many unauthorised login trials from IP addresses which are geographically located in suspect locations, that is, other than the location from where these accounts should be accessed.

I have seen some activities with name SearchQueryPerformed from locations other than normal.

Does someone know what these are, and why the IP for these activities is from another country other than where the user is located?

Thanks!

Chris

3 Replies

I also observed this issue. Can anyone help??????!!!!


Anyone have an answer to this? I see 10's of "SearchQueryPerformed" records in our activity log for each of our users per day. All the IPs resolve back to MS.

The issue I have is the requests come from all over the place, US, Canada, France, Ireland, etc., but all of our users are in the US and I can't find a good reason to explain what this is and why it's not an issue or why it is an issue.


@Orion711 I'm seeing the same SearchQueryPerformed activity. All IPs come back to MS. In this particular tenant space it's only for one user, which I can't explain. Because I initially thought it was a bad actor I did a password reset and MFA reset on all devices. Queries continue.