Query Details
//Find users who have successfully signed into Azure AD from 3 or more countries in the same day
//Data connector required for this query - Azure Active Directory - Signin Logs
//Microsoft Sentinel query
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| where isnotempty(Location)
| summarize
['Count of countries']=dcount(Location),
['List of countries']=make_set(Location)
by UserPrincipalName, bin(TimeGenerated, 1d)
| where ['Count of countries'] >= 3
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting with Azure AD P2 License
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where ErrorCode == 0
| where isnotempty(Country)
| summarize
['Count of countries']=dcount(Country),
['List of countries']=make_set(Country)
by AccountUpn, bin(Timestamp, 1d)
| where ['Count of countries'] >= 3

This query looks for users who have successfully signed into Azure AD from three or more countries in the same day. It uses different data connectors depending on the platform being used (Azure Active Directory - Signin Logs for Microsoft Sentinel, and Advanced Hunting with an Azure AD P2 license for the Advanced Hunting query). The query filters the data to a specific time range, to successful sign-ins (result type or error code 0), and to records with a non-empty location or country. It then summarizes the data per user and per day, counting the number of distinct countries and building the set of countries seen. Finally, it keeps only the users who have signed in from three or more countries within the same day.
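To test the detection logic offline before deploying it as an analytics rule, the following added example (not part of the original query page) reproduces the query's filtering and summarization in Python over constructed sample records; the user names, countries and timestamps are assumed values, and it also shows that three countries straddling a UTC day boundary do not alert because bin(TimeGenerated, 1d) splits them into two buckets.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real tenant data). Each tuple mirrors the
# SigninLogs columns the query reads: TimeGenerated, ResultType, Location, UserPrincipalName.
SAMPLE_SIGNINS = [
    ("2022-06-15T08:00:00Z", 0, "US", "alice@contoso.example"),
    ("2022-06-15T09:30:00Z", 0, "DE", "alice@contoso.example"),
    ("2022-06-15T11:15:00Z", 0, "BR", "alice@contoso.example"),
    ("2022-06-15T12:00:00Z", 0, "US", "bob@contoso.example"),
    ("2022-06-15T12:05:00Z", 50126, "RU", "bob@contoso.example"),  # failed sign-in, must not count
    ("2022-06-15T12:10:00Z", 0, "", "bob@contoso.example"),        # no geo data, must not count
    ("2022-06-15T23:50:00Z", 0, "FR", "carol@contoso.example"),    # three countries, but they
    ("2022-06-16T00:10:00Z", 0, "JP", "carol@contoso.example"),    # straddle the UTC midnight
    ("2022-06-16T00:20:00Z", 0, "IN", "carol@contoso.example"),    # boundary of bin(..., 1d)
]

def parse_ts(ts: str) -> datetime:
    """SigninLogs timestamps are UTC; parse them as timezone-aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def multi_country_signins(records, now, threshold=3, lookback_days=7):
    """Reproduce the query's logic: keep successful, geo-tagged sign-ins inside the
    lookback window, group by (user, UTC day) like bin(TimeGenerated, 1d), and return
    the groups whose distinct-country count (dcount) reaches the threshold.
    Result: {(upn, day): sorted list of countries}, the make_set equivalent."""
    cutoff = now - timedelta(days=lookback_days)       # TimeGenerated > ago(7d)
    countries = defaultdict(set)
    for ts_str, result_type, location, upn in records:
        ts = parse_ts(ts_str)
        if ts <= cutoff or result_type != 0 or not location:
            continue
        countries[(upn, ts.date().isoformat())].add(location)
    return {key: sorted(locs) for key, locs in countries.items() if len(locs) >= threshold}

if __name__ == "__main__":
    hits = multi_country_signins(SAMPLE_SIGNINS, now=parse_ts("2022-06-17T00:00:00Z"))
    for (upn, day), locs in hits.items():
        print(f"{day} {upn}: {len(locs)} countries {locs}")
```

Only alice is reported for 2022-06-15; bob has one country after the failed and geo-less sign-ins are dropped, and carol's three countries fall into two day bins, which is worth remembering when tuning the threshold or the bin size.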

Matt Zorich
Released: June 17, 2022