Knowing when and where a user login was performed is often a good first step to identifying and confirming anomalous behavior in your environment. For example, if all of your users are based in the United States, a successful login from England is logged, then that event is suspicious and should be investigated. GeoIP lookups are what power the identification of these anomalies.
Logged events will typically not perform any GeoIP processing on their own; they simply log the source IP address. This IP address is then extracted and enriched separate from the rest of the logs. Sometimes this process is automated behind the scenes and presented all on one page alongside the actual logged events, as seen below in M365 User Sign-In Logs.
GeoIP lookups work by taking the IP address associated with a specific logged event and processing it against GeoIP lookup databases. GeoIP services maintain databases that map IP address blocks to geographic locations. These are compiled using public registries as well as data contributions from ISPs and other sources. In regards to Microsoft specifically, they use the GeoIP data curated and maintained by their Bing Maps team.
So I have an IP address, how do I perform a GeoIP lookup?
The process of performing your own GeoIP lookup is quite simple. There are many free services online that will perform the lookup for you. All you need to provide is the IP address and the service will provide its best estimate on geographic location. It’s important to keep in mind that many of these are approximations and may be anywhere from hundreds to thousands of miles off. That’s why geoIP lookups are best used as supporting evidence and not definitive evidence of suspicious activity. Something to keep in mind as a red flag as opposed to proof positive when performing your investigation of an event.
Free geoIP services:
*IPLocation actually provides results from many alternate services as well, so this can be handy if you’re trying to aggregate results and see what many services report all at once.
In order to use these services to perform a geoIP lookup, just visit the site and provide the IP address you would like to investigate. Some sites only let you do one IP at a time, others allow you to provide a whole list all at once.
Microsoft 365 User Sign-in Logs
One instance where geoip location data is most crucial is tracking user sign-ins to SaaS platforms, such as Microsoft 365. It’s necessary that platforms like M365 are designed around ease of access by anyone with an internet connection, however, this ease of access applies to malicious actors as well. That’s why it is key to monitor and audit user sign-ins on a regular basis. Even with additional protection like MFA or Conditional Access policies configured, auditing should be performed on sign-in logs to vet and verify that any additional sign-in protection is configured properly and working as intended.
Luckily for us, Microsoft includes geoIP lookup by default alongside AzureAD sign-in logs. These sign in logs can be found by navigating to https://entra.microsoft.com/ > Identity > Users > Sign-in logs.
Make sure to take advantage of the filters as well if you’re looking for a particular event.
If you don’t see location data in these sign-in logs, make sure you have the column showing. Columns can be modified by using the “columns” tab along the top of the sign-logs window.
In cases where you have many different results for a user sign-in event, it is typically best practice to consider the Microsoft 365 sign-in log as the source of truth.
GeoIP lookups are not 100% accurate. IP blocks don’t always map cleanly to geographic boundaries. Services use algorithms and heuristics to provide the best estimate location possible given the public data available. Accuracy also varies by country.
Maxmind has a very informative knowledge base article regarding geolocation accuracy stating, “It is not possible for us to guarantee 100% geolocation accuracy. Accuracy exhibits high variability according to country, distance, type of IP (cellular vs. broadband, IPv4 vs. IPv6), and practices of ISPs. […] With those limitations in mind, we estimate that our GeoIP2 products can identify users at the country level with 99.8% accuracy. For IPs located within the U.S., we estimate around an 80% accuracy at the state/region level, and a 66% accuracy for cities (within a 50km radius of that city).” While these statistics are solely based on their own service, the challenges of geolocation are the same for all of these services.