Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft Defender for EndpointMicrosoft SentinelSECURE

List Top 10 Users With The Most IP Addresses Used To Successfully Sign-in

Wayne Andes 3 min read

Description

Collect the top 10 user with the most IP used to successfully sign in to a tenant. This KQL query displays the 10 users that have used the most IP addresses so sign in.

False positives can be a VPN that changes IP addresses, which results in a high number of IP addresses used to sign in.

Risk

The risk is that an actor uses an rare IP address to sign into your tenant.

Query

Microsoft Defender For Endpoint
Kusto
AADSignInEventsBeta
| summarize IPsUsed = make_set(IPAddress), locations = make_set(Country) by AccountObjectId
| extend CountIP = array_length(IPsUsed)
| project-reorder CountIP
| top 10 by CountIP

Microsoft Sentinel
Kusto
SigninLogs
| summarize IPsUsed = make_set(IPAddress), locations = make_set(LocationDetails) by Identity
| extend CountIP = array_length(IPsUsed)
| project-reorder CountIP
| top 10 by CountIP

You May Also Like

List On-boarded Devices in Intune and Microsoft Defender for Endpoint

Wayne Andes

Detect Scattered Spider Defense Evasion via Conditional Access Policies

Wayne Andes

List New Active CISA Known Exploited Vulnerabilities

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *