I’ve had some discussions recently with customers who are concerned about the sources of log on attempts for their internet-facing services. As more and more services are opened up to external access, and as customers grapple with the decision to remove multi-factor authentication to improve usability and lower support costs, they begin looking at ways to identify suspicious log on activity.

In the context of Exchange Server this may involve reviewing IIS logs files and analysing the source IP addresses of connections to services such as OWA, ActiveSync, and EWS.

There is a healthy ecosystem of intrusion monitoring and log analysis products on the market, but I wanted to see what can be achieved with a PowerShell approach.

After a little digging around I found two pieces that combine to make a PowerShell solution possible:

  • FreeGeoIP.net, a public HTTP API for retrieving IP geolocation information (up to 10,000 queries per hour for free)
  • Invoke-RestMethod, a PowerShell cmdlet for making REST API requests

I created a simple function to perform the lookup and return an object, and built that into a script. You can see the full code on Github.

PS C:\Scripts> .\Get-IPGeolocation.ps1 8.8.8.8


RegionName  : California
City        : Mountain View
TimeZone    : America/Los_Angeles
CountryName : United States
IP          : 8.8.8.8
CountryCode : US
RegionCode  : CA
Longitude   : -122.084
ZipCode     : 94040
MetroCode   : 807
Latitude    : 37.386

The script itself serves as a demonstration of the function. The function can be easily re-used in larger scripts that are designed to retrieve and parse log file data for IP addresses. I’ve got a few such uses in mind and will probably publish those when they are working.
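To show how the lookup function fits into the log-parsing use the article points at, here is an added example (not the article's published script and not the author's code). It assumes the FreeGeoIP-style JSON endpoint http://freegeoip.net/json/<ip>, that the response fields map to the property names shown in the output above, and that a keyed endpoint accepts an apikey query parameter; all three are assumptions, so adjust -BaseUri and the key handling to whatever the service you use actually documents. The IIS log lines are constructed for the example and use documentation address ranges, so the lookups on them will not return real locations.

```powershell
# Added example: geolocate the client IPs seen on Exchange logon paths in an IIS log.
# Endpoint shape, field names and the apikey parameter are assumptions, not from the article.
function Get-IPGeolocation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$IPAddress,
        [string]$BaseUri = 'http://freegeoip.net/json',   # assumption
        [string]$ApiKey                                   # optional; parameter name is an assumption
    )
    process {
        $uri = "$BaseUri/$IPAddress"
        if ($ApiKey) { $uri += "?apikey=$ApiKey" }
        try {
            $r = Invoke-RestMethod -Uri $uri -Method Get -ErrorAction Stop
        }
        catch {
            Write-Warning "Lookup failed for ${IPAddress}: $($_.Exception.Message)"
            return
        }
        # Map the JSON fields to the property names the article's output uses
        [PSCustomObject]@{
            IP          = $r.ip
            CountryCode = $r.country_code
            CountryName = $r.country_name
            RegionCode  = $r.region_code
            RegionName  = $r.region_name
            City        = $r.city
            ZipCode     = $r.zip_code
            TimeZone    = $r.time_zone
            Latitude    = $r.latitude
            Longitude   = $r.longitude
        }
    }
}

# Parse IIS W3C extended log text. The '#Fields:' directive names the columns,
# so c-ip and cs-uri-stem are located by name rather than by fixed position.
function Get-IISClientIPCounts {
    param([Parameter(Mandatory = $true)][string[]]$LogLines)
    $fields = $null
    $counts = @{}
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols   = $line -split ' '
        $ipIdx  = [array]::IndexOf($fields, 'c-ip')
        $uriIdx = [array]::IndexOf($fields, 'cs-uri-stem')
        if ($ipIdx -lt 0 -or $cols.Count -le $ipIdx) { continue }
        $uri = if ($uriIdx -ge 0 -and $cols.Count -gt $uriIdx) { $cols[$uriIdx] } else { '' }
        # Keep only requests to the logon-bearing services the article names (OWA, ActiveSync, EWS)
        if ($uri -notmatch '^/(owa|Microsoft-Server-ActiveSync|EWS)') { continue }
        $ip = $cols[$ipIdx]
        if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
    }
    $counts
}

# RFC 1918 and loopback ranges carry no useful geolocation and would waste API quota
function Test-PrivateIPv4 {
    param([string]$IP)
    $IP -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
}

# Constructed sample log lines (not from a real server), using RFC 5737 documentation addresses
$sampleLog = @(
    '#Software: Microsoft Internet Information Services 8.5',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2015-03-01 08:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 302',
    '2015-03-01 08:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 Mozilla/5.0 302',
    '2015-03-01 08:00:09 10.0.0.5 POST /Microsoft-Server-ActiveSync - 443 - 198.51.100.7 Apple-iPhone 401',
    '2015-03-01 08:00:12 10.0.0.5 GET /EWS/Exchange.asmx - 443 - 192.168.1.20 Outlook 200',
    '2015-03-01 08:00:15 10.0.0.5 GET /ecp/ - 443 - 203.0.113.10 Mozilla/5.0 200'
)

$expectedCountries = @('US')   # assumption: the countries your user base normally connects from
$counts = Get-IISClientIPCounts -LogLines $sampleLog
foreach ($ip in ($counts.Keys | Sort-Object)) {
    if (Test-PrivateIPv4 $ip) { continue }
    $geo = Get-IPGeolocation -IPAddress $ip    # network call; a failed lookup is skipped with a warning
    if (-not $geo) { continue }
    [PSCustomObject]@{
        IP         = $ip
        Requests   = $counts[$ip]
        Country    = $geo.CountryName
        City       = $geo.City
        Unexpected = ($geo.CountryCode -notin $expectedCountries)
    }
}
```

With real log files, replace $sampleLog with Get-Content over the IIS log directory; the counting stays the same, and the Unexpected column gives a first-pass list of source addresses worth reviewing against the hourly query limit the article mentions.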

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. KP

    Hello Paul,
    I tried your script from Github; it looks like FreeGeoIP.net is no longer letting you use API calls without a key. Could you please check and update the script to include the API key? Thanks a lot.

  2. Dave Redford

    You now need an API key for this to work, and its limit is 10000 per month as of Jan 2021.

  3. Rich

    Edit ^^^^^ this is for a list of IPs. Not raw logs, but pulling IPs is not too rough.

  4. Rich

    Why bother with REST? This does just as well:

    (edit: removed code)

    1. Paul Cunningham

      I’ve removed your code because it breaks the layout of the page.

      But why bother with REST? Why not? Why bother with your method? Why bother with any “method A” if “method B” also works?

      There are many ways to do any task in PowerShell. If you think your method is better for some reason, then explain why. Publish your code somewhere, write a blog post. Showing a different bit of code with no clarification is not very helpful to anyone.

      1. Tim Woods

        Excellent comment.

  5. Ilya Kutsev

    Great script Paul!

    Paul, do you have any experience with searching messages/appointments using the EWS API?
    I read many articles about it but still cannot finish my task (I need to find all recurring appointments).

    Then I found a seemingly working script, but it requires Exchange API DLLs. Well, I cannot understand where to find them.
    Can you advise something?

    Link for that script:
    http://blogs.msdn.com/b/emeamsgdev/archive/2015/02/25/powershell-search-for-appointments.aspx

    1. Paul Cunningham

      It’s the EWS Managed API you’re looking for. Can be downloaded from Microsoft.

      1. Ilya Kutsev

        Thanks Paul!
        I should think better about it before asking )
