Avoid using appendcols and transaction in searches that really do not require them. Use stats:

(index=msazure* operationName="Sign-in activity" "properties.appliedConditionalAccessPolicies{}.enforcedGrantControls{}"=Mfa sourcetype="azure:aad:signin" "properties.authenticationDetails{}.authenticationStepResultDetail"="MFA successfully completed" properties.mfaDetail.authMethod="*" properties.ipAddress="*" properties.userPrincipalName=testuser* NOT properties.networkLocationDetails{}.networkNames{} IN ("xxIPs", "yyIPs"))
OR (index=msvpn app="ssl:vpn" http_user_agent="xxx*" user=testuser* src_ip=*)
| eval mfa_src_ip = if(like(index,"msazure%"),'properties.ipAddress',null())
| eval vpn_src_ip = if(index=="msvpn",src_ip,null())
| stats latest(mfa_src_ip) AS mfa_src_ip latest(vpn_src_ip) AS vpn_src_ip by user
| iplocation prefix=mfa_ mfa_src_ip
| iplocation prefix=vpn_ vpn_src_ip

1st block - get all your data (index=mfa) OR (index=vpn)
2nd block - eval new IP fields based on their origin
3rd block - use stats to get the fields you want
4th block - do the IP location for both IPs

This is a bit simplified but I think you can get the idea.