Forum Discussion
MCAS - Location Field
acebq: Hi, I am facing the same challenge, trying to understand / reproduce the alerts on my own. It's time-consuming to check the high number of impossible travel alerts and understand which is a false positive and which is a true one. May I ask how you do these kinds of checks?
AleA79: It's been hard for us as well, especially when you've got global locations. I've only been able to reproduce and catch those that are using a VPN to anonymize their IP and those that use our Site-to-Site VPN. I also observed different behaviors when users connect to their OneDrive, and results are very inconsistent. I go through them one by one, but I try to focus on those unknown connections that generated a lot of suspicious events. I've noticed some IP addresses are incorrectly resolved, which led me to this question years ago. I'm still experiencing inaccuracy from time to time, just like yesterday, when an IP address was resolved to be coming from Germany but it was actually coming from Zimbabwe. I'm still testing and observing these events. We've come across some True Positives over the years and have since utilized MFA in most locations to at least lessen our worries when we get overwhelmed with the number of Impossible Travel Activities that come in. I can't be much help now, but I will post here if I discover anything that can substantially help the community.