Forum Discussion
AleA79
Jan 18, 2021 Copper Contributor
CAS Impossible Travel Alerts
I would like to ask you for some suggestions on: How do you handle Impossible Travel alerts? How do you verify, alert by alert, whether it is a false positive or actually something you should worry ...
TcMcInnis
Copper Contributor
Question: once the impossible travel alert has been verified as positive, what action, if any, should then be taken? For example, should a request then be made for the user to change their password?
ambarishrh
Jul 02, 2021 Iron Contributor
TcMcInnis Another good addition would be adding a blocked countries list (from Azure AD - Security - Named locations): add those countries that you don't have business with, and then create a Conditional Access policy to block access. This way, even if for some reason the user's credentials are compromised, the attacker won't get access to any of the resources. Conditional Access - Block access by location - Azure Active Directory | Microsoft Docs
m_zorich
Jul 03, 2021 Iron Contributor
Have a look at the user agent for the two sign-in events; if they are the same, then there is a good chance it is benign activity and the person is using a VPN. If not, then it may require more investigation. If you are using MFA everywhere, then sometimes it is worth revoking their token to enforce another sign-on to confirm. Actions -> require user to sign back in
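As an added example (not code from any poster in this thread), a small Python triage helper that applies the user-agent comparison from m_zorich's reply and the no-business-countries list from ambarishrh's reply to a pair of sign-in events for one user. The event field names, the coordinates and the 900 km/h plausibility threshold are assumptions, not the Azure AD sign-in log schema.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def triage(first, second, no_business_countries=frozenset()):
    """Classify two sign-ins by one user as 'plausible', 'likely_vpn',
    'investigate' or 'escalate'. Events are dicts with time, lat, lon,
    country and user_agent (constructed field names, not the real schema)."""
    hours = (second["time"] - first["time"]).total_seconds() / 3600
    dist = haversine_km(first["lat"], first["lon"], second["lat"], second["lon"])
    speed = dist / hours if hours > 0 else float("inf")  # same second or out of order: impossible
    details = {
        "distance_km": round(dist),
        "implied_kmh": None if speed == float("inf") else round(speed),
        "same_user_agent": first["user_agent"] == second["user_agent"],
        "no_business_country": second["country"] in no_business_countries,
    }
    if speed <= MAX_PLAUSIBLE_KMH:
        return "plausible", details    # the travel is physically possible
    if details["no_business_country"]:
        return "escalate", details     # should have been blocked by CA policy; treat as compromise
    if details["same_user_agent"]:
        return "likely_vpn", details   # same client; probably a VPN egress change, confirm with user
    return "investigate", details      # unfamiliar client from an impossible location


# Constructed sample events (not real log data)
SYDNEY = {"time": datetime(2021, 7, 3, 8, 0, tzinfo=timezone.utc), "lat": -33.87,
          "lon": 151.21, "country": "AU", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/91"}
LONDON = {"time": datetime(2021, 7, 3, 10, 0, tzinfo=timezone.utc), "lat": 51.51,
          "lon": -0.13, "country": "GB", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/91"}
LONDON_OTHER_UA = dict(LONDON, user_agent="python-requests/2.25")
```

Sydney to London in two hours with the same Edge user agent classifies as `likely_vpn`; the same pair with a scripted client's user agent classifies as `investigate`, and any sign-in from a listed no-business country is escalated.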