Investigate activity based on location
The location of events or alerts can be a key indicator of unusual activity and location should be used as an assistant to an investigation.
There are some things to consider when considering the risks around the location of an event.
What does a location mean?
A location of an event is simply the best effort to resolve the location of an IP through various means.
A note on IPs. The IP address of an event is simply the observed origin of an internet request/command made to the Microsoft network as observed by Microsoft. There may be cases (read on) where the observed location is not the actual origin of a request, but rather an explicit hop in a chain of locations through which the request is being channelled or proxied