In this short video, we show you how to easily see and monitor successful login attempts to Office 365 coming from outside the United States. Although employee logins from outside the US are increasingly common, this monitoring feature is useful for maintaining GDPR compliance and remediating suspicious or indirect logins from VPN outlets. Below, we describe step-by-step how to quickly create this custom query on the Avanan platform.
1. Click "ANALYTICS" from the menu on the left side of the platform's home page. A dropdown menu will appear.
2. Click "Custom queries" at the bottom of the dropdown menu.
3. On the new page, click the blue "Add new query" button at the top right of the screen.
4. From the "QUERY TEMPLATES FOR OFFICE 365 EMAILS" at the top of the screen, click "Show recent login events" at the bottom of the O365 dropdown.
5. On the new page, look at the "Country" column. To activate filtering options, hover the mouse over "United States." Click the check mark to only show logins where the country is not the United States.
6. Look at the "Status" column to the left. Hover the mouse over "Succeeded," and click the filter to only show logins that were successful. Now, this query only shows successful logins outside the US.
7. To save the query, click the white "Query" box at the top left of the screen, then click "Save as."
8. Name the query, select a severity level, choose a tag, assign an alert to a member at your organization, and then click the red "Ok" button to save the custom query.
9. Return to the dashboard homepage by clicking the AVANAN logo at the top left of the screen.
10. Look at the five widgets at the top of the screen. Click the small gear symbol at the top right of any widget, and click "Replace with Custom query."
11. To name the top and bottom parts of the widget, click the gear. Select "Configure Top Widget," then name and save the widget so that it will appear on the dashboard home screen. Repeat for the bottom widget.
12. You can now monitor Successful Logins from Outside the US from your security events dashboard.