Forum Discussion
AleA79
Jan 18, 2021, Copper Contributor
CAS Impossible Travel Alerts
I would like to ask you for some suggestions on: How do you handle Impossible Travel alerts? How do you verify, alert by alert, if it is a false positive or if it actually is something that you should worry ...
TcMcInnis
Jun 30, 2021, Copper Contributor
Question: once the impossible travel alert has been verified as positive, what action, if any, should then be taken? For example, should a request then be made for the user to change their password?
- ambarishrh, Jul 02, 2021, Iron Contributor
TcMcInnis Another good addition would be adding a blocked countries list (from Azure AD - Security - Named locations): add those countries that you don't have business with and then create a Conditional Access policy to block access. This way, even if for some reason the user credentials are compromised, the attacker won't get access to any of the resources. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location
- m_zorich, Jul 03, 2021, Iron Contributor
Have a look at the user agent for the two sign-in events. If they are the same, then there is a good chance it is benign activity and the person is using a VPN; if not, then it may require more investigation. If you are using MFA everywhere, then sometimes it is worth revoking their token to enforce another sign-on to confirm. Actions -> Require user to sign in again
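The triage described in the reply above (compare the two sign-in events' user agents, and only then decide whether the alert needs deeper investigation) can be turned into a small repeatable check. The script below is an added example for this thread, not code from Microsoft Cloud App Security or from any of the posters; the sample sign-in events, the field names, and the 1000 km/h plausibility threshold are all constructed assumptions, and a real export from the CAS or Azure AD sign-in logs would need to be mapped onto those fields first.

```python
import math
from datetime import datetime

# Constructed sample sign-in events for one account (illustrative, not real data).
# Each record stands in for the timestamp, geolocated IP and client user agent
# that an impossible-travel alert is built from.
SAMPLE_EVENTS = [
    {"time": "2021-06-30T08:00:00Z", "city": "Amsterdam", "lat": 52.37, "lon": 4.90,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0"},
    {"time": "2021-06-30T09:30:00Z", "city": "New York", "lat": 40.71, "lon": -74.01,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0"},
    {"time": "2021-06-30T10:00:00Z", "city": "Rotterdam", "lat": 51.92, "lon": 4.48,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0"},
    {"time": "2021-06-30T09:30:00Z", "city": "New York", "lat": 40.71, "lon": -74.01,
     "user_agent": "python-requests/2.25.1"},
]

# Assumption: anything faster than roughly airliner speed cannot be physical travel.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_time(stamp):
    # %z accepts the trailing "Z" used in the sample records.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")


def implied_speed_kmh(first, second):
    """Speed the user would have needed to be at both sign-in locations."""
    first, second = sorted((first, second), key=lambda e: parse_time(e["time"]))
    hours = (parse_time(second["time"]) - parse_time(first["time"])).total_seconds() / 3600
    km = haversine_km(first["lat"], first["lon"], second["lat"], second["lon"])
    if hours <= 0:
        # Two sign-ins at the same instant from different places are never plausible.
        return math.inf if km > 0 else 0.0
    return km / hours


def triage(first, second, max_kmh=MAX_PLAUSIBLE_KMH):
    """Classify a pair of sign-ins the way the reply suggests: distance/time first,
    then the user agent as the tie-breaker between 'probably VPN' and 'investigate'."""
    speed = implied_speed_kmh(first, second)
    same_ua = first["user_agent"] == second["user_agent"]
    if speed <= max_kmh:
        verdict = "plausible"
    elif same_ua:
        verdict = "likely_vpn_or_proxy"   # same client, so likely benign; still confirm with the user
    else:
        verdict = "investigate"           # different client at impossible speed
    return {"speed_kmh": round(speed, 1), "same_user_agent": same_ua, "verdict": verdict}


if __name__ == "__main__":
    base = SAMPLE_EVENTS[0]
    for other in SAMPLE_EVENTS[1:]:
        print(base["city"], "->", other["city"], triage(base, other))
```

The verdict is a starting point for the analyst, not a closing decision: even the "likely VPN" outcome is worth confirming with the user or, as the reply notes, by revoking the session so a fresh MFA-backed sign-in is required.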
- pvanberlo, Jun 30, 2021, MCT
I would say a password change is mandatory at that point in time. As mentioned above, terminating any active sessions would also be recommended. For the folks that happen to be running Azure AD Identity Protection, you could automate some of this using the User and Sign-In Risk policies, which will take the whole risk into account and is mostly automated.