I’ve had some discussions recently with customers who are concerned about the sources of log on attempts for their internet-facing services. As more and more services are opened up to external access, and as customers grapple with the decision to remove multi-factor authentication to improve usability and lower support costs, they begin looking at ways to identify suspicious log on activity.
In the context of Exchange Server this may involve reviewing IIS log files and analysing the source IP addresses of connections to services such as OWA, ActiveSync, and EWS.
There is a healthy ecosystem of intrusion monitoring and log analysis products on the market, but I wanted to see what can be achieved with a PowerShell approach.
After a little digging around I found two pieces that combine to make a PowerShell solution possible:
- FreeGeoIP.net, a public HTTP API for retrieving IP geolocation information (up to 10,000 queries per hour for free)
- Invoke-RESTMethod, a PowerShell cmdlet for making REST API requests
I created a simple function to perform the lookup and return an object, and built that into a script. You can see the full code on Github.
```
PS C:\Scripts> .\Get-IPGeolocation.ps1 18.104.22.168

RegionName  : California
City        : Mountain View
TimeZone    : America/Los_Angeles
CountryName : United States
IP          : 22.214.171.124
CountryCode : US
RegionCode  : CA
Longitude   : -122.084
ZipCode     : 94040
MetroCode   : 807
Latitude    : 37.386
```
The script itself serves as a demonstration of the function. The function can be easily re-used in larger scripts that are designed to retrieve and parse log file data for IP addresses. I’ve got a few such uses in mind and will probably publish those when they are working.
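As an added illustration of that reuse (this is not the script from Github), the lookup function below is combined with a parser for W3C-format IIS log lines that keeps only external client IPs hitting OWA, ActiveSync and EWS, counts hits per address, and geolocates each unique address once so that the 10,000 requests/hour limit is spent per IP rather than per log line. The FreeGeoIP endpoint URL and JSON field names, the IIS field layout and the log lines themselves are assumptions constructed for the example; only the final lookup step needs network access to the API.

```powershell
# Added example, not the author's code. Endpoint and field names are assumed.
function Get-IPGeolocation {
    param([Parameter(Mandatory)][string]$IPAddress)
    $result = Invoke-RestMethod -Uri "http://freegeoip.net/json/$IPAddress" -ErrorAction Stop
    [PSCustomObject]@{
        IP          = $result.ip
        CountryCode = $result.country_code
        CountryName = $result.country_name
        RegionName  = $result.region_name
        City        = $result.city
    }
}

# Parse W3C IIS log lines: read the column layout from the #Fields: header, keep only
# requests to the watched paths, and skip RFC 1918 / loopback clients (internal users).
function Get-ExternalClientIP {
    param([string[]]$LogLines, [string[]]$Paths = @('/owa', '/Microsoft-Server-ActiveSync', '/ews'))
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $uri = $values[[array]::IndexOf($fields, 'cs-uri-stem')]
        $ip  = $values[[array]::IndexOf($fields, 'c-ip')]
        if (-not ($Paths | Where-Object { $uri -like "$_*" })) { continue }
        if ($ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)') { continue }
        $ip
    }
}

# Constructed sample log lines (not from a real server); the ECP and internal EWS hits are filtered out.
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status'
    '2015-03-01 08:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 200'
    '2015-03-01 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=ABC 443 domain\alice 198.51.100.22 Apple-iPhone 200'
    '2015-03-01 08:00:03 10.0.0.5 GET /ecp/ - 443 - 203.0.113.7 Mozilla/5.0 200'
    '2015-03-01 08:00:04 10.0.0.5 POST /ews/exchange.asmx - 443 - 192.168.1.10 Outlook/15.0 200'
    '2015-03-01 08:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 401'
)

# Count hits per external IP, then look each unique address up exactly once.
$cache = @{}
Get-ExternalClientIP -LogLines $sample | Group-Object | Sort-Object Count -Descending | ForEach-Object {
    if (-not $cache.ContainsKey($_.Name)) { $cache[$_.Name] = Get-IPGeolocation -IPAddress $_.Name }
    [PSCustomObject]@{ IP = $_.Name; Hits = $_.Count; Country = $cache[$_.Name].CountryName; City = $cache[$_.Name].City }
} | Format-Table -AutoSize
```

Run against the sample above, the parser yields two hits for 203.0.113.7 and one for 198.51.100.22 before any API call is made, which is the set of addresses worth a lookup.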