I'm investigating a user's activity using the MS Azure Audit Logs, but I'm really puzzled by what I'm seeing. It shows that this specific user is supposedly jumping between different geo-locations in just seconds, all on the same device ID. I know this can't be right!
These logs are crucial for gathering evidence in this investigation, but if they're unreliable, that poses a big problem. Is there something I'm missing in how I'm interpreting these logs, or should I just disregard them altogether?
5 Answers
Keep in mind that non-interactive logins often show Microsoft IPs. Check the owner of those IPs to ensure you’re getting accurate information. It could be misleading.
In situations like this, non-interactive logs don’t provide much insight. You might want to dive into the Office 365 Activity logs for more solid data. What O365 licenses do you have? That could make a difference too.
There are several reasons a geolocation might change that quickly. If it’s a BYOD (Bring Your Own Device) setup, the user could be using a personal VPN. Alternatively, it might be related to how Microsoft pulls IP details, which can vary based on timing. Have you checked if this is a company device and whether it uses a VPN? Those details are pretty crucial!
Is there a chance the user is working from home using a VPN? That could definitely cause those weird jumps between locations!
This can occur if the user is moving between different Wi-Fi networks, especially on mobile. Cell carriers might route their traffic back to their home country, which can make it look like the user is hopping locations. Essentially, the logs reflect what’s being logged based on the network connections they make!
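A triage pass that follows the points raised in the answers above, as an added example that is not part of the original thread: it flags same-device jumps that imply impossible travel speed, then labels the ones that involve a non-interactive sign-in or an IP in a provider-owned range. The row layout, the sample rows, the 900 km/h threshold and the `PROVIDER_NETS` range (a documentation placeholder, not a real Microsoft range) are assumptions.

```python
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Placeholder: ranges the analyst has confirmed (whois/ASN) as provider-owned.
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample rows: (time, device_id, ip, interactive, lat, lon)
SAMPLE = [
    ("2024-05-01T09:00:00", "dev-1", "192.0.2.10", True, 51.51, -0.13),
    ("2024-05-01T09:00:20", "dev-1", "203.0.113.7", False, 47.23, -119.85),
    ("2024-05-01T09:00:45", "dev-1", "192.0.2.10", True, 51.51, -0.13),
    ("2024-05-01T09:05:00", "dev-1", "198.51.100.4", True, 40.71, -74.01),
]

def km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def is_provider(ip):
    """True if the IP falls inside a range listed in PROVIDER_NETS."""
    return any(ipaddress.ip_address(ip) in net for net in PROVIDER_NETS)

def triage(rows, max_kmh=900):
    """Return (time, label) for every too-fast jump between consecutive sign-ins on one device."""
    by_dev = {}
    for r in sorted(rows):  # ISO timestamps sort chronologically
        by_dev.setdefault(r[1], []).append(r)
    out = []
    for seq in by_dev.values():
        for prev, cur in zip(seq, seq[1:]):
            delta = datetime.fromisoformat(cur[0]) - datetime.fromisoformat(prev[0])
            hours = delta.total_seconds() / 3600
            dist = km(prev[4:6], cur[4:6])
            # Ignore short hops and anything a flight could explain.
            if dist < 50 or (hours > 0 and dist / hours <= max_kmh):
                continue
            if not (prev[3] and cur[3]):
                label = "non-interactive"  # token refresh etc., often a service IP
            elif is_provider(prev[2]) or is_provider(cur[2]):
                label = "provider-ip"      # location belongs to the provider, not the user
            else:
                label = "review"           # check VPN, carrier routing, device ownership
            out.append((cur[0], label))
    return out
```

Only the jumps labelled `review` still need the VPN, carrier-routing and device-ownership questions from the answers; the other two labels describe where the logged IP sits rather than where the user is.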