How do I find a user's last known IP Address if they've never posted to the site?

Question

In the Verint reporting for February 2023, we had a user that had a view count of over 3,000,000 associated with them. This looks like the user that registered onto the site was using it to scrape the website. 
 This user has not posted anything to the site. They have only registered (2 years ago) and recently used the account to potentially scrape the site. 
 Disapproving their account is only a small step that can be taken, but ideally it needs to be an IP ban. 
 As an administrator with access to the admin' section of the site, and potentially using velocity script in a sandbox, how do I find out the user's IP address so that I can add them to the banned IP address list?

Ben Tiedt · Answer

Christopher G. Stanton said: Unless you're saying this will recreate audit logs from some deeper logging mechanism? 
 There is not a hidden underlying mechanism. The audit logs, as shown, represent all of the data currently available. 
 Christopher G. Stanton said: I'm open to suggestions where we could search within any logs to surface this information for those hosted on an Azure instance. 
 If you can identify unique user agent data or a more recent IP, you may be able to find related requests in web server logs. 
 For bots, access is often across multiple IPs but, the usage (URLs accessed or for spidering, the original URL) or other HTTP header data may show unique similarities that can be used to implement an appropriate block.

Christopher G. Stanton · Answer

Ben Tiedt said: If you can identify unique user agent data or a more recent IP, you may be able to find related requests in web server logs. 
 
 As a site administrator that's not something I have direct access to unfortunately, which's why I am looking for logging inside the site itself. 
 It would make more sense to me if the site kept a record of "last known login/registration IP address" against the user profile that administrators could view, and that this kept separately a record of last known impersonated user IP address too. I'm surprised this isn't the case and it's only in an audit log which expires. 
 Ben Tiedt said: For bots, access is often across multiple IPs but, the usage (URLs accessed or for spidering, the original URL) or other HTTP header data may show unique similarities that can be used to implement an appropriate block. 
 Indeed you're not wrong with typical bot activity, though if this was a malicious individual user, which can be the case sometimes, it would only be the one. 
 Ben Tiedt said: There is not a hidden underlying mechanism. The audit logs, as shown, represent all of the data currently available. 
 
 Shame they're so time limited. 
 As there doesn't appear to be a suitably good answer to: 
 Christopher G. Stanton said: As an administrator with access to the admin' section of the site, and potentially using velocity script in a sandbox, how do I find out the user's IP address so that I can add them to the banned IP address list? 
 Within the required time frame I've raised this as an idea: 
 Record the last known User's IP address in the user's profile for administrators and moderators

How do I find a user's last known IP Address if they've never posted to the site?

Top Replies