We have been using Splunk to help monitor compromised email accounts by looking for logins from countries other than the ones we operate in. I know this isn't a foolproof method but it gives us a good start. Last Friday our queries stopped working altogether. I suspect that Microsoft changed something. Has anyone else run into this and know a fix?
index=INDEXNAME earliest=-24h sourcetype="ms:o365:management" Workload=AzureActiveDirectory Operation=UserLoggedIn
| fields _time, user, src_ip
| iplocation src_ip
| addinfo
| where _time>relative_time(info_max_time, "-24h")
| where Country!="redacted" AND Country!="redacted" AND Country!="redacted"
| stats latest(_time) values(user) count by Country
| rename latest(*) as *, values(*) as *
| sort - _time
| fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M")
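The same detection logic as the query above, rewritten in Python as an added example (not part of the original post) and run over constructed O365 Management Activity `UserLoggedIn` records. The GeoIP lookup is a stub standing in for `iplocation`, the allowed countries are placeholders for the redacted ones, and the mapping of `ClientIP`/`UserId` to the query's `src_ip`/`user` is assumed from the add-on's field aliasing.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholders for the countries the organisation operates in (redacted in the post).
ALLOWED_COUNTRIES = {"United States", "Canada"}

# Constructed stand-in for Splunk's `iplocation` (source IP -> country); a real run
# would query a GeoIP database. Addresses are documentation ranges.
GEOIP_STUB = {"203.0.113.10": "United States", "198.51.100.7": "Canada",
              "192.0.2.44": "Brazil"}

# Constructed "now" for the 24h window (the SPL uses info_max_time from addinfo).
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)

# Constructed raw events behind the ms:o365:management sourcetype. Field names follow
# the Management Activity API; ClientIP -> src_ip and UserId -> user is an assumption.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-05-03T08:12:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-05-03T09:30:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "192.0.2.44"},
    {"CreationTime": "2024-05-03T09:45:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "carol@example.com", "ClientIP": "192.0.2.44"},
    # Address the lookup cannot resolve: in SPL, Country is null and `where Country!=...` drops it.
    {"CreationTime": "2024-05-03T10:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "dave@example.com", "ClientIP": "2001:db8::1"},
    # Older than 24h: excluded by the time window.
    {"CreationTime": "2024-05-01T10:00:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "erin@example.com", "ClientIP": "192.0.2.44"},
]


def foreign_logins(events, now, allowed=ALLOWED_COUNTRIES, geoip=GEOIP_STUB):
    """Mirror the SPL: UserLoggedIn in the last 24h, geolocated, grouped by country."""
    cutoff = now - timedelta(hours=24)
    rows = defaultdict(lambda: {"latest": None, "users": set(), "count": 0})
    for ev in events:
        if ev.get("Workload") != "AzureActiveDirectory" or ev.get("Operation") != "UserLoggedIn":
            continue
        ts = datetime.fromisoformat(ev["CreationTime"]).replace(tzinfo=timezone.utc)
        if ts <= cutoff:
            continue
        # Keep unresolvable addresses visible instead of losing them to a null comparison.
        country = geoip.get(ev.get("ClientIP", ""), "UNRESOLVED")
        if country in allowed:
            continue
        row = rows[country]
        row["count"] += 1
        row["users"].add(ev["UserId"])
        row["latest"] = max(row["latest"] or ts, ts)
    # `stats ... by Country | sort - _time`, with _time formatted like the fieldformat.
    return [{"Country": c, "_time": r["latest"].strftime("%Y-%m-%d %H:%M"),
             "user": sorted(r["users"]), "count": r["count"]}
            for c, r in sorted(rows.items(), key=lambda kv: kv[1]["latest"], reverse=True)]
```

In the SPL, `where Country!="..."` evaluates to null when `iplocation` returns no `Country`, so events whose `src_ip` is missing or cannot be geolocated vanish from the results silently; the `UNRESOLVED` bucket here surfaces them, which is a useful first check when a query like this suddenly returns nothing.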