Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
Is it possible to write a query based on IdentityLogonEvents table to find Azure AD's sign-in or log-on attempts from a foreign country or IP address?
Thanks!
Yes, you can write a query based on the IdentityLogonEvents table to find Azure AD's sign-in or log-on attempts from a foreign country or IP address.
You can use the Kusto Query Language (KQL) to query your data in Microsoft 365 Defender under Advanced hunting.
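IdentityLogonEvents
// Location is the geo column in this table; skip rows where it was not resolved
| where isnotempty(Location)
| where Location != "US" // replace with the Location value for your country (typically a two-letter code)
// Advanced hunting column names are case-sensitive: Timestamp and IPAddress
| project Timestamp, AccountName, IPAddress, Location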
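A fuller hunting query for the same question, added here as an example and not part of the original answer: it covers both the country case and the IP address case, and summarizes the remaining logons per account and source. The entries in `HomeLocations` and `TrustedRanges` are constructed placeholders, and it assumes `Location` holds a country code in your tenant.

```kusto
// Added example; replace the two placeholder lists with your own values.
let HomeLocations = dynamic(["US"]);              // Location values treated as domestic (assumed to be country codes)
let TrustedRanges = dynamic(["203.0.113.0/24"]);  // documentation range standing in for your egress/VPN ranges
IdentityLogonEvents
| where Timestamp > ago(7d)
| where isnotempty(IPAddress) and isnotempty(Location)
| where Location !in~ (HomeLocations)
// ipv4_is_in_any_range returns null for non-IPv4 input (for example IPv6);
// coalesce treats null as "not trusted" so those rows are kept rather than silently dropped
| where coalesce(ipv4_is_in_any_range(IPAddress, TrustedRanges), false) == false
| summarize
    Attempts  = count(),
    Successes = countif(ActionType == "LogonSuccess"),
    Failures  = countif(ActionType == "LogonFailed"),
    Apps      = make_set(Application, 10),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp)
    by AccountUpn, IPAddress, Location, ISP
| order by Successes desc, Attempts desc
```

Rows with a non-zero `Successes` count from an unexpected `Location` are the ones to review first; rows with only `Failures` usually indicate password guessing against the account.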