Forum Discussion
Duplicate alerts generated when unsanctioned app is accessed
GuidoImpe, please take a look at the screenshots attached.
I am pretty sure they are separate alerts for the same activity in the process tree.
First occurrence of "Network Filter Lookup Service blocked chrome.exe from accessing https://img.freepik.com" and "[18500] chrome.exe established
Outbound connection from 10.153.1.29:60961 to 23.221.212.196:443
Observed Device: Unknown device" generated one alert "Connection to a custom network indicator"
Second occurrence of "Network Filter Lookup Service blocked chrome.exe from accessing https://www.freepik.com" and "[18500] chrome.exe established
Outbound connection from 10.153.1.29:60966 to 23.204.115.183:443
Observed Device: Unknown device" generated a second alert "Connection to a custom network indicator", which is expected as they are connecting to different IPs.
Then "chrome.exe has initiated a TLS connection to https://www.freepik.com" and "[18500] chrome.exe established
Outbound connection from 10.153.1.29:60966 to 23.204.115.183:443
Observed Device: Unknown device" also generated alert "Unsanctioned cloud app access was blocked"
Most examples I have include a pair of alerts for the same activity, and this one example is odd because it includes a duplicate for one alert and no duplicate for another alert.
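To see why the third alert is a duplicate while the first two are not, it helps to key each alert on the connection tuple quoted in its evidence. The following is an added example (not code from the thread or from Microsoft Defender) that parses the evidence lines quoted above, which are embedded here as constructed sample input, and groups alerts by process id and local/remote socket pair so that alerts sharing one connection surface as candidates for a single incident.

```python
import re
from collections import defaultdict

# Constructed sample: (alert title, URL evidence line, connection evidence line),
# copied from the evidence quoted in the post above.
ALERTS = [
    ("Connection to a custom network indicator",
     "Network Filter Lookup Service blocked chrome.exe from accessing https://img.freepik.com",
     "[18500] chrome.exe established Outbound connection from 10.153.1.29:60961 to 23.221.212.196:443"),
    ("Connection to a custom network indicator",
     "Network Filter Lookup Service blocked chrome.exe from accessing https://www.freepik.com",
     "[18500] chrome.exe established Outbound connection from 10.153.1.29:60966 to 23.204.115.183:443"),
    ("Unsanctioned cloud app access was blocked",
     "chrome.exe has initiated a TLS connection to https://www.freepik.com",
     "[18500] chrome.exe established Outbound connection from 10.153.1.29:60966 to 23.204.115.183:443"),
]

# Matches the "[pid] process established Outbound connection from A:p to B:q" evidence format.
CONN_RE = re.compile(
    r"^\[(\d+)\] (\S+) established Outbound connection from (\S+):(\d+) to (\S+):(\d+)$"
)
URL_RE = re.compile(r"(https?://\S+)")


def parse_connection(line):
    """Return (pid, process, local_ip, local_port, remote_ip, remote_port) from an evidence line."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised connection evidence: {line!r}")
    pid, proc, lip, lport, rip, rport = m.groups()
    return (int(pid), proc, lip, int(lport), rip, int(rport))


def group_alerts(alerts):
    """Group alerts by the connection tuple they cite: {connection: [(title, url), ...]}."""
    groups = defaultdict(list)
    for title, url_line, conn_line in alerts:
        url = URL_RE.search(url_line).group(1)
        groups[parse_connection(conn_line)].append((title, url))
    return dict(groups)


def find_duplicates(alerts):
    """Connections cited by more than one alert; each such group is one underlying activity."""
    return {conn: hits for conn, hits in group_alerts(alerts).items() if len(hits) > 1}


if __name__ == "__main__":
    for conn, hits in find_duplicates(ALERTS).items():
        print(conn, "->", [title for title, _ in hits])
```

Running it shows two distinct connections (port 60961 and port 60966), and only the 60966 connection carrying two alerts, which matches the observation that the "custom network indicator" alerts differ by remote IP while the "unsanctioned cloud app" alert reuses the second connection.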
But on process_tree.png the outbound connections have a different public IP, so I think the duplicate connection and alert are for this reason. I don't know if Chrome points to a different public IP to recognize the same website, but I confirm that the alert is generated for this.
To be sure of this, I suggest opening a case with Microsoft directly.
Regards,
Guido