Forum Discussion
CAS Impossible Travel Alerts
AleA79 While analyzing the impossible travel alert, it's always advised to check the reputation of the two IPs. For true positive cases, you will generally see the other IP to be blacklisted. In such cases, you should go ahead with resetting the user's password and terminating any active O365 sessions.
You may see false positives sometimes in case the user is actually travelling and signing in from an unsecure network, or maybe when he uses a VPN.
However, as per Microsoft documentation, it says that this detection uses a machine learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days during which it learns a new user's activity pattern.
AnuragSrivastava Many thanks! That was my thought. Do you have any trusted site where you check the reputation of the IP? I am using some websites, but honestly I don't know how much I can trust them.
- AnuragSrivastava, Jan 20, 2021, Iron Contributor
AleA79 You can refer to the recommended sites below to check the reputation:
https://mxtoolbox.com/blacklists.aspx
https://talosintelligence.com/reputation_center
https://www.virustotal.com/gui/home/search
- maheshcapj, Jul 13, 2021, Copper Contributor