Local IPs ( 10.60.0.0/24 ) in ClientIP field in OfficeActivity logs?
Started seeing this more often recently and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to a Microsoft service? This can't be related to the customer since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations, which is what caused the alerts and brought the issue to our attention.
To make sure this also wasn’t some kind of correlation to device, I checked the logs further and it’s happening where IsManagedDevice == false and even anonymous file access.
Is anyone else seeing this and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream?
Sample KQL:
// Query 1: which private ClientIPs appear on unmanaged devices, and who/what is behind them
// (ipv4_is_private() only matches RFC 1918 space and returns null for empty or non-IPv4 strings,
// so empty ClientIP values and IPv6 addresses are dropped by the filter)
OfficeActivity
| where TimeGenerated >= ago(30d)
| where ipv4_is_private(ClientIP)
| where IsManagedDevice == false
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), Users=make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP
// Query 2: daily volume of events with a private ClientIP, to see when the behaviour started
OfficeActivity
| where TimeGenerated >= ago(60d)
| where isnotempty(ClientIP) and ipv4_is_private(ClientIP)
| summarize count() by bin(TimeGenerated, 1d)
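For triaging an export of the affected rows offline (or for anyone who wants to reproduce the two queries above against a CSV rather than in the workspace), here is an added Python example that is not part of the original post. It mirrors Query 1 and Query 2: it keeps only RFC 1918 addresses (the same ranges KQL's ipv4_is_private() matches, deliberately not Python's broader ipaddress.is_private, which also flags the TEST-NET and benchmarking ranges), skips empty ClientIP values, and additionally handles two forms the KQL filter silently drops, a ClientIP with a trailing :port and a bracketed IPv6 address. The sample rows, user names and timestamps are constructed for the example; that a port suffix can appear in ClientIP is an assumption here, not something the post states.

```python
import ipaddress

# Constructed sample rows shaped like OfficeActivity columns (not real tenant data).
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "ClientIP": "10.60.0.17",
     "Operation": "FileDownloaded", "UserId": "alice@contoso.example",
     "UserAgent": "Mozilla/5.0", "IsManagedDevice": False},
    {"TimeGenerated": "2024-05-01T09:30:00Z", "ClientIP": "10.60.0.17:443",   # assumed port-suffixed form
     "Operation": "FileAccessed", "UserId": "bob@contoso.example",
     "UserAgent": "OneDriveMpc", "IsManagedDevice": False},
    {"TimeGenerated": "2024-05-02T10:00:00Z", "ClientIP": "203.0.113.5",
     "Operation": "FileDownloaded", "UserId": "alice@contoso.example",
     "UserAgent": "Mozilla/5.0", "IsManagedDevice": False},
    {"TimeGenerated": "2024-05-02T11:00:00Z", "ClientIP": "",
     "Operation": "FileAccessedExtended", "UserId": "anonymous",
     "UserAgent": "", "IsManagedDevice": False},
    {"TimeGenerated": "2024-05-03T12:00:00Z", "ClientIP": "[2001:db8::1]:51234",
     "Operation": "FileDownloaded", "UserId": "carol@contoso.example",
     "UserAgent": "Mozilla/5.0", "IsManagedDevice": True},
    {"TimeGenerated": "2024-05-03T13:00:00Z", "ClientIP": "10.60.0.200",
     "Operation": "FileDownloaded", "UserId": "anonymous",
     "UserAgent": "", "IsManagedDevice": False},
    {"TimeGenerated": "2024-05-04T13:00:00Z", "ClientIP": "192.168.1.9",
     "Operation": "UserLoggedIn", "UserId": "dave@contoso.example",
     "UserAgent": "Edge", "IsManagedDevice": True},
]

# Same ranges as KQL ipv4_is_private(): RFC 1918 only.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_client_ip(raw):
    """Parse a ClientIP field. Strips a trailing :port from IPv4 ('1.2.3.4:443')
    and a bracketed IPv6 literal ('[2001:db8::1]:443'). Returns an ipaddress
    object, or None when the field is empty or not a valid address."""
    s = (raw or "").strip()
    if not s:
        return None
    if s.startswith("["):                 # [ipv6]:port
        s = s[1:].split("]", 1)[0]
    elif s.count(":") == 1:               # ipv4:port (a bare IPv6 has more colons)
        s = s.split(":", 1)[0]
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def is_rfc1918(ip):
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    return ip is not None and ip.version == 4 and any(ip in net for net in RFC1918)


def summarize_private_client_ips(rows, include_managed=False):
    """Equivalent of Query 1: per private ClientIP, first/last seen, the set of
    operations, distinct users and user agents. Managed devices are excluded
    unless include_managed is set."""
    by_ip = {}
    for r in rows:
        ip = normalize_client_ip(r["ClientIP"])
        if not is_rfc1918(ip):
            continue
        if not include_managed and r["IsManagedDevice"]:
            continue
        agg = by_ip.setdefault(str(ip), {
            "first": r["TimeGenerated"], "last": r["TimeGenerated"],
            "operations": set(), "users": set(), "user_agents": set()})
        # ISO-8601 UTC strings of one fixed format compare correctly as text.
        agg["first"] = min(agg["first"], r["TimeGenerated"])
        agg["last"] = max(agg["last"], r["TimeGenerated"])
        agg["operations"].add(r["Operation"])
        agg["users"].add(r["UserId"])
        if r["UserAgent"]:
            agg["user_agents"].add(r["UserAgent"])
    return by_ip


def daily_private_ip_counts(rows):
    """Equivalent of Query 2: number of events with a private ClientIP per day."""
    counts = {}
    for r in rows:
        if is_rfc1918(normalize_client_ip(r["ClientIP"])):
            day = r["TimeGenerated"][:10]
            counts[day] = counts.get(day, 0) + 1
    return counts


def rows_in_range(rows, cidr="10.60.0.0/24"):
    """Pull out only the rows whose ClientIP falls in one block, e.g. the
    10.60.0.0/24 range from the post, for a closer look."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for r in rows:
        ip = normalize_client_ip(r["ClientIP"])
        if ip is not None and ip in net:      # IPv6 vs IPv4 network simply yields False
            hits.append(r)
    return hits


if __name__ == "__main__":
    for client_ip, agg in summarize_private_client_ips(SAMPLE_ROWS).items():
        print(client_ip, sorted(agg["operations"]), len(agg["users"]), agg["first"], agg["last"])
    print(daily_private_ip_counts(SAMPLE_ROWS))
    print(len(rows_in_range(SAMPLE_ROWS)), "rows in 10.60.0.0/24")
```

The normalisation step is the part worth keeping even if you stay in KQL: a ClientIP that carries a port is not a valid IPv4 string, so ipv4_is_private() returns null for it and the row never shows up in either query, which can make the daily counts look lower than they really are.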