Process: Generating Report for Working Abroad
Every month, Cyber Security needs to generate a report of all successful sign-ins from outside the UK & IE.
To generate a report, you will need to do the following:
- Open the KQL query in Sentinel on the 365 tenant: go to Log Analytics and run the query
- Click on “Run” if the query did not run
- Click on “Export” and then “CSV (displayed columns)”

________________________________________________________________________________
To manually generate the report, you will need to do the following:
1. Go to Microsoft Sentinel on the 365 Tenant and then go to Logs - Microsoft Sentinel - Microsoft Azure
2. Click on “x” on the Queries Hub

SigninLogs
| where TimeGenerated >= ago(30d) // rolling 30-day window ending when the query is run
| where Location != "GB" // exclude sign-ins from the UK
| where Location != "IE" // exclude sign-ins from Ireland
| where UserPrincipalName contains "mariecurie.org.uk"
| where ResultType == "0" // "0" indicates a successful sign-in
| project UserPrincipalName, TimeGenerated, Location, IPAddress, AppDisplayName
// One row per user and country, with the IPs and apps seen for that pair
| summarize SigninCount = count(),
    IPAddresses = make_set(IPAddress),
    FirstSignin = min(TimeGenerated),
    LastSignin = max(TimeGenerated),
    AppsAccessed = make_set(AppDisplayName)
    by UserPrincipalName, Location
| project UserPrincipalName, FirstSignin, LastSignin, Location, SigninCount, IPAddresses, AppsAccessed

5. Click on “Export” and then “CSV (displayed columns)”
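
The query above uses ago(30d), so its window depends on the day and time it is run. The following variant is an added example, not part of the original process: it pins the window to the previous calendar month so each monthly report covers a fixed, repeatable period, and it labels sign-ins with no resolved country instead of leaving the Location blank. The names ReportStart, ReportEnd and HomeCountries and the "Unknown" label are assumptions introduced here.

```kql
// Added example: same report, bounded to the previous calendar month (UTC).
let ReportStart   = startofmonth(now(), -1);  // first instant of last month
let ReportEnd     = startofmonth(now());      // first instant of this month (exclusive)
let HomeCountries = dynamic(["GB", "IE"]);    // countries excluded from the report
SigninLogs
| where TimeGenerated >= ReportStart and TimeGenerated < ReportEnd
| where UserPrincipalName contains "mariecurie.org.uk"
| where ResultType == "0"                     // successful sign-ins only
| where Location !in (HomeCountries)
// An empty Location is not GB or IE, so it passes the filter; make it visible.
| extend Location = iff(isempty(Location), "Unknown", Location)
| summarize
    SigninCount  = count(),
    IPAddresses  = make_set(IPAddress),
    FirstSignin  = min(TimeGenerated),
    LastSignin   = max(TimeGenerated),
    AppsAccessed = make_set(AppDisplayName)
    by UserPrincipalName, Location
| project UserPrincipalName, FirstSignin, LastSignin, Location, SigninCount, IPAddresses, AppsAccessed
| order by UserPrincipalName asc, FirstSignin asc
```

Run on any day of the month, this returns the same rows for the month just ended, so the exported CSV does not change with the run date.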
