This is going to be a quick post about using Splunk to look for anomalous activity in your O365 instance. I occasionally have the need to look for abnormal logins from anywhere outside the United States.
sourcetype=ms:o365:management| table _time,UserId,ClientIP,Operation,ResultStatus,Workload,ObjectId|iplocation ClientIP allfields=true|search Country!="United States"
Of course, this assumes your are sending your O365 logs to Splunk. This search will give me the date & time, User name, IP address, Action Performed (operation), Result Status (Success, fail, etc), Workload (OneDrive, SharePoint, etc), the Object, IP Location information (City, Continet, Country, Region) for any event outside of the United States.
The IP location information is based off Splunk’s own internal database of IP Geo-location information.
This query is great for helping to determine if you need to dive a little deeper to determine if you may have a security incident to deal with.