This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 15%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKT%3C/text%3E%3C/svg%3E)
Hi everyone, while learning about both Azure Cloud Security and Microsoft 365 Defender, I have come up to a question: Is it possible to write a Kusto query in Advanced Hunting tab from Microsoft 365 Defender to identify foreign IP addresses and foreign countries from Azure Sign-Ins Log, and let that query scan the data at a time period, such as 10-hour, 24-hour, 2-day, 7-day, etc. Thank you in advance!
Hi @Khoa Tran , yes this is possible. Here's an example query:
SigninLogs
| where TimeGenerated >= ago(24h) // Set the time period here (e.g., 24h for the last 24 hours)
| extend Country = LocationDetails.countryOrRegion, IPAddress = IPAddress
| where Country != "YourCountry" // Replace "YourCountry" with the country you want to exclude
| summarize count() by Country, IPAddress
| sort by count_ desc
This query retrieves sign-in logs from the last 24 hours, extracts the country and IP address, filters out sign-ins from a specific country, and then groups and counts the sign-ins by country and IP address. You can adjust the time period by changing the value in the ago() function. Remember to replace "YourCountry" with the country you want to exclude from the results.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James
Thank you so much!