User Profile

fishermc

Copper Contributor

Joined Feb 18, 2019

5 Posts

View All Badges

User Widgets

Recent Discussions

Azure Log search - Login search question
With having the ability to search sing-in logs I am trying to figure out the correct query for the following. I want to search for when a single account signs in from multiple IPs. My end goal here is to create a search query that will run say every 15 mins and alert when a user account has been logged in from multiple IP addresses over a specified time frame. My goal is to use this to help pick up on compromised accounts quicker. I know how to setup the alerting part with a query, im just stuck at how to write the part that only picks up when multiple IPs are used....or if its even possible. I don't care if there are multiple sign-ins from the same IP in this scenario, just when different IPs are used for the same user account. User "bob" signs in from IP x.x.x.1 and two mins later x.x.x.2 and then 5 mins later x.x.x.3. I want to know about this and trying to figure out a way how using a query of the sign-in logs. Thanks
Solved
Apr 07, 2022 Place Azure Observability
azure monitor
Query Language
3.1KViews
0likes
4Comments
Re: Server core event logs
Just curious if happen to know when that future release might be? Something like or 1 or 2 months or as long as a year? Thanks for the response to the initial question.
Apr 22, 2021 Place Microsoft Sentinel
2.1KViews
0likes
1Comment
Server core event logs
I have been using the Log Analytics agent to get on-premise server event logs into Sentinel and all has gone well with the exception for Server core boxes. Server Core isn't listed as supported ( https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#log-analytics-agent) so was wondering what is the best way to get server core logs over into Sentinel.
Solved
Apr 15, 2021 Place Microsoft Sentinel
2.3KViews
0likes
3Comments
Re: Azure Log search - Login search question
Perfect that worked. Thank you very much!
Feb 19, 2019 Place Azure Observability
2.8KViews
0likes
0Comments
Re: Azure Log search - Login search question
Thanks for the help, that got me the count and will work. One last question. Using the method you gave me I get the total count of different IPs the sign-ins are coming from for a user, is there a way to also display the actual IPAddresses and not just the user and count? Here is what I got that gives me the count, can something be added that shows the IPs related to the aggregatedvalue? SigninLogs | where ResultType == "0" | summarize AggregatedValue = dcount(IPAddress) by UserPrincipalName | where AggregatedValue > 5
Feb 19, 2019 Place Azure Observability
2.9KViews
0likes
2Comments

Recent Blog Articles

No content to show