Forum Discussion
LT2024
Jan 14, 2020 Brass Contributor
MCAS IPv6 Recipient Cache False Positive Impossible Traveller
Hi all, More of an FYI in case anyone is searching. Started noticing some EXTRA (HA) Impossible Traveller Alerts. Checked them out and found it was actually a Create Email MCAS Event in the US ...
FaustinRoman
Jan 22, 2020 Copper Contributor
LT2024 good questions!
For us the service location generating the alert is in US while our Exchange data is hosted in a very different region.
We requested rationale and details for this process as we are concerned about data sovereignty and privacy.
kismat
Aug 04, 2020 Brass Contributor
FaustinRoman Hi Faustin
Did you ever get a reply to your question regarding data sovereignty and privacy? If so could I possibly ask if you would be kind enough to post the response in this thread please? I ask because we are in exactly the same situation where our data is hosted in a different region to the US as well and it would be great to try and know the reasoning behind alerts getting generated in the US.
Many thanks in advance.
- FaustinRoman
Aug 04, 2020 Copper Contributor
We got an answer, not sure if it really addressed all concerns:
"We're informed that the Microsoft Internal IP that's being logged by Microsoft Security Cloud Service/App was a service from the back-end that triggers the audit log events itself. That's why it happens every 00:00 UTC standard time when Microsoft generates an audit log.
We're also informed that the IP was already whitelisted by the MCAS so this should no longer trigger alerts.
As far as data accessed outside of the region, there were none as the event is only for triggering the audit service."
You could ask why this event is not triggered from the same region... I leave that to you, let me know how far you get with MS support and if it was worth your time....
- kismat
Aug 04, 2020 Brass Contributor
Hi Faustin
Thank you very much for replying. I can say that it doesn't ring quite true what they say about the event only triggering at 00:00 UTC as we have observed these events at different times of the day.
I will certainly try to follow this up with Microsoft and if I do get any meaningful updates I will post them to this thread. Many thanks again to you.