Sunday, May 2, 2021

Showing Azure AD Sign-in locations in a world map

"We need an overview showing from where people are logging on to our Microsoft Cloud environment." This requirement came up as part of a project. The first approach was to use the features that are directly available in Microsoft Cloud solutions:

Azure AD Sign-In Logs:

Here, however, came the request to display this information on a world map, to see visually where the sign-ins came from. Cloud App Security offers this as a standard feature on the dashboard (https://portal.cloudappsecurity.com/#/dashboard).

Cloud App Security:

However, the Cloud App Security feature is not available in all license bundles, and the dashboard can only be filtered by the apps used.

Solution

The Azure AD sign-in logs are also available as a workbook template in Azure Sentinel. This workbook template can be customized and extended:

To add a world map showing the regions from which the sign-ins originated to the standard workbook, the following steps are necessary:

  • Azure Sentinel -> Workbooks -> Azure AD Sign-in logs -> View saved Workbook. (See screenshot above)
  • In the upper left pane, select "Edit" and then, on the "Sign-ins by Location" report, select the "Edit" option for that report:
  • In edit mode the button "Add -> Add Query" is available. In the new query that is created, paste the text copied from the query "Sign-ins by Location" and select "Map" as the visualization:
  • At a minimum, the values for "Location Info using" and "Country/Region field" in the Map Settings must be configured:
  • Result:

The workbook and therefore the map can now be filtered by the following values:
  • TimeRange
  • Apps
  • Users
  • Category (Sign-in Logs / Non interactive sign-in logs)
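
As an added example (not the query shipped with the workbook template), a stand-alone query that produces one row per country for the Map visualization, covering both sign-in categories and counting failed attempts separately. It assumes both sign-in tables are connected to the workspace and uses a fixed 7-day window instead of the workbook's TimeRange parameter; the `Country` column is the one to pick as "Country/Region field" in the Map Settings.

```kusto
// Added example, not the workbook template's own "Sign-ins by Location" query.
// Assumptions: SigninLogs and AADNonInteractiveUserSignInLogs are ingested
// into this workspace; the 7-day lookback is an arbitrary choice.
let lookback = 7d;
union isfuzzy=true
    (
        SigninLogs
        | where TimeGenerated > ago(lookback)
        // LocationDetails is already a dynamic object in this table
        | project TimeGenerated, UserPrincipalName, ResultType,
                  Category = "Sign-in logs",
                  Details = LocationDetails
    ),
    (
        AADNonInteractiveUserSignInLogs
        | where TimeGenerated > ago(lookback)
        // LocationDetails is stored as a JSON string in this table
        | project TimeGenerated, UserPrincipalName, ResultType,
                  Category = "Non-interactive sign-in logs",
                  Details = parse_json(LocationDetails)
    )
| extend Country = tostring(Details.countryOrRegion)
// Sign-ins without a resolved location cannot be placed on the map
| where isnotempty(Country)
| summarize
    SignIns = count(),
    // ResultType "0" means success; anything else is a failed or interrupted sign-in
    FailedSignIns = countif(ResultType != "0"),
    DistinctUsers = dcount(UserPrincipalName),
    LastSeen = max(TimeGenerated)
    by Country
| order by SignIns desc
```

Using `FailedSignIns` as the metric that drives the size or colour of the map markers highlights countries that produce mostly failed attempts.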

Related topics

The Traffic Analytics feature focuses on the following scenarios: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

    • Visualize network activity across your Azure subscriptions and identify hot spots.
    • Identify security threats to, and secure your network, with information such as open-ports, applications attempting internet access, and virtual machines (VM) connecting to rogue networks.
    • Understand traffic flow patterns across Azure regions and the internet to optimize your network deployment for performance and capacity.
    • Pinpoint network misconfigurations leading to failed connections in your network. 











