This event alert seems like it could be useful, but we see a lot of false positives that seem to be related to mobile devices. In particular AT&T, where users are being reported from Education Hill, WA; we are in Texas. I don't really want to disable the alert as, again, I can see where there could be value, but has anyone else seen this happen and have any other remedies? We have dozens of users that are coming up on the alert (multiple times) and they are all AT&T wireless users.
I’m in the same boat. This alert is a great idea, but so far I only get false positives. I believe the rules need refining.
I also get relentless false positives for impossible travel; this is even more of a problem for my environment. We have workers who are travelling non-stop all over the world, and this trigger fires constantly.
The error in this rule is that it assumes people only have one device attached to them at all times.
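To make the two failure modes in this thread concrete, here is an added example (not code from the thread, and not any vendor's actual alert rule) of an impossible-travel check run over constructed sign-in events. It compares the naive rule, which keys consecutive sign-ins by user only, against a refined version that keys by user and device and skips geolocations from mobile-carrier address space. The event fields, the `MOBILE_CARRIER_ASNS` set, the 1000 km/h plausibility threshold and all coordinates and IPs are assumptions made for the example.

```python
"""Impossible-travel check over constructed sign-in events.

Added example, not part of the original thread or any product's rule.
Assumed event shape: user, device, UTC timestamp, source IP, GeoIP lat/lon
and the source network's ASN. All data below is constructed.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: ASNs whose GeoIP location is unreliable because the carrier
# NATs subscribers behind a few regional gateways. 7018 is AT&T's public
# ASN; confirm against your own GeoIP/ASN data before relying on it.
MOBILE_CARRIER_ASNS = {7018}

# Assumption: anything faster than a commercial flight is "impossible".
MAX_PLAUSIBLE_KMH = 1000.0

# Constructed sign-ins. Coordinates are rough city centres:
# Austin TX (30.27, -97.74), Redmond WA (47.67, -122.12), London (51.51, -0.13).
EVENTS = [
    {"user": "alice", "device": "laptop-1", "ts": "2024-03-01T09:00:00Z",
     "ip": "203.0.113.10", "lat": 30.27, "lon": -97.74, "asn": 64500},
    # Same user five minutes later from her phone: the carrier gateway
    # geolocates to Washington state even though she never left Texas.
    {"user": "alice", "device": "phone-1", "ts": "2024-03-01T09:05:00Z",
     "ip": "198.51.100.7", "lat": 47.67, "lon": -122.12, "asn": 7018},
    # Same device in Austin and then London one hour apart: a real hit.
    {"user": "bob", "device": "laptop-2", "ts": "2024-03-01T09:00:00Z",
     "ip": "192.0.2.5", "lat": 30.27, "lon": -97.74, "asn": 64501},
    {"user": "bob", "device": "laptop-2", "ts": "2024-03-01T10:00:00Z",
     "ip": "192.0.2.99", "lat": 51.51, "lon": -0.13, "asn": 64502},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, key, skip_mobile=False):
    """Return [(key, speed_kmh)] for consecutive sign-ins that imply travel
    faster than MAX_PLAUSIBLE_KMH. `key` decides what counts as one actor."""
    by_key = defaultdict(list)
    for e in events:
        if skip_mobile and e["asn"] in MOBILE_CARRIER_ASNS:
            continue  # carrier NAT location is not evidence of where the user is
        by_key[key(e)].append(e)

    hits = []
    for k, evs in by_key.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            hours = max(hours, 1 / 3600)  # same-second events: treat as one second apart
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                hits.append((k, round(speed)))
    return hits


def naive_alerts(events=EVENTS):
    """The rule as the thread describes it: one actor per user, every source trusted."""
    return impossible_travel(events, key=lambda e: e["user"])


def refined_alerts(events=EVENTS):
    """One actor per (user, device), and mobile-carrier geolocations ignored."""
    return impossible_travel(events, key=lambda e: (e["user"], e["device"]),
                             skip_mobile=True)


if __name__ == "__main__":
    print("naive:  ", naive_alerts())    # alice (phone via carrier NAT) and bob
    print("refined:", refined_alerts())  # only bob's laptop
```

The naive run flags alice purely because her phone's carrier gateway geolocates to another state; the refined run keeps bob's genuine Austin-to-London hop. Keying by device does cost coverage: an attacker signing in from a new device is, by construction, a new key, so in practice it is safer to keep the per-user comparison and instead mark sign-ins from carrier or VPN address space as low-confidence locations rather than dropping them outright.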