Query Details

Graph Activity From Other IP Address

Query

// Microsoft Graph Activity from IP Address which is different from sign-in
MicrosoftGraphActivityLogs
| project TimeGenerated, RequestId, ApiVersion, RequestMethod, ResponseStatusCode, ActivityIpAddress = IpAddress, UserAgent, RequestUri, Roles, AppId, Wids, SignInActivityId
// Correlate each Graph request with the service principal or managed identity sign-in that issued its token
| join kind=inner (union AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs
  | project ConditionalAccessPolicies, ConditionalAccessStatus, ServicePrincipalCredentialKeyId, SignInIpAddress = IPAddress, UniqueTokenIdentifier, Type
) on $left.SignInActivityId == $right.UniqueTokenIdentifier
// Keep only requests whose source IP differs from the sign-in IP; ignore sign-ins with no IP recorded
| where ActivityIpAddress != SignInIpAddress and SignInIpAddress != ""

Explanation

This query correlates Microsoft Graph activity logs with the sign-in logs of Azure Active Directory service principals and managed identities, joining each Graph request to the sign-in that issued its token (SignInActivityId matched against UniqueTokenIdentifier). It then returns the requests where the IP address of the Graph activity differs from the IP address of the sign-in. Records where the two IP addresses match, or where the sign-in IP address is empty, are filtered out.
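The join and filter semantics of the query, re-implemented in Python over constructed rows so they can be checked offline; this is an added example and not code from the original page. Column names mirror the tables in the query, while the token ids, app ids and RFC 5737 IP addresses are made up.

```python
# Added example, not from the original page: the KQL join and filter above,
# re-implemented in Python over constructed rows (token ids, app ids and
# RFC 5737 IPs are made up; column names mirror the tables in the query).

# MicrosoftGraphActivityLogs: IpAddress is where the Graph request came from.
GRAPH_ACTIVITY = [
    {"RequestId": "req-1", "RequestMethod": "GET", "RequestUri": "/v1.0/users",
     "IpAddress": "203.0.113.10", "AppId": "app-a", "SignInActivityId": "tok-1"},
    {"RequestId": "req-2", "RequestMethod": "GET", "RequestUri": "/v1.0/groups",
     "IpAddress": "198.51.100.7", "AppId": "app-b", "SignInActivityId": "tok-2"},
    {"RequestId": "req-3", "RequestMethod": "POST", "RequestUri": "/v1.0/applications",
     "IpAddress": "198.51.100.7", "AppId": "app-c", "SignInActivityId": "tok-3"},
    {"RequestId": "req-4", "RequestMethod": "GET", "RequestUri": "/v1.0/me",
     "IpAddress": "192.0.2.44", "AppId": "app-d", "SignInActivityId": "tok-9"},
]

# union AADServicePrincipalSignInLogs, AADManagedIdentitySignInLogs:
# IPAddress is where the token was issued; UniqueTokenIdentifier links to activity.
SIGNIN_LOGS = [
    {"UniqueTokenIdentifier": "tok-1", "IPAddress": "203.0.113.10",
     "Type": "AADServicePrincipalSignInLogs"},
    {"UniqueTokenIdentifier": "tok-2", "IPAddress": "203.0.113.10",
     "Type": "AADManagedIdentitySignInLogs"},
    {"UniqueTokenIdentifier": "tok-3", "IPAddress": "",   # no IP recorded
     "Type": "AADServicePrincipalSignInLogs"},
]


def join_activity_with_signins(activity_rows, signin_rows):
    """join kind=inner on $left.SignInActivityId == $right.UniqueTokenIdentifier.
    kind=inner keeps every matching pair; activity with no sign-in row is dropped."""
    by_token = {}
    for s in signin_rows:
        by_token.setdefault(s["UniqueTokenIdentifier"], []).append(s)
    for act in activity_rows:
        for s in by_token.get(act.get("SignInActivityId"), []):
            yield {**act, **s,
                   "ActivityIpAddress": act["IpAddress"],
                   "SignInIpAddress": s.get("IPAddress", "")}


def find_ip_mismatches(activity_rows, signin_rows):
    """where ActivityIpAddress != SignInIpAddress and SignInIpAddress != "":
    the empty-string check stops sign-ins without an IP from looking like mismatches."""
    return [r for r in join_activity_with_signins(activity_rows, signin_rows)
            if r["ActivityIpAddress"] != r["SignInIpAddress"]
            and r["SignInIpAddress"] != ""]
```

On the sample rows only req-2 is returned: req-1 has matching IPs, req-3 has no sign-in IP recorded, and req-4 has no matching sign-in row at all, so the inner join drops it before the filter runs.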

Details


Thomas Naunheim

Released: October 15, 2023

Tables

MicrosoftGraphActivityLogs
AADServicePrincipalSignInLogs
AADManagedIdentitySignInLogs

Keywords

MicrosoftGraphActivityLogs,TimeGenerated,RequestId,ApiVersion,RequestMethod,ResponseStatusCode,ActivityIpAddress,UserAgent,RequestUri,Roles,AppId,Wids,SignInActivityId,AADServicePrincipalSignInLogs,AADManagedIdentitySignInLogs,ConditionalAccessPolicies,ConditionalAccessStatus,ServicePrincipalCredentialKeyId,SignInIpAddress,UniqueTokenIdentifier,Type

Operators

project
join
union
where
