Any documentation on how files are "touched" in O365? (CAS Impossible travel alerts)

%3CLINGO-SUB%20id%3D%22lingo-sub-899882%22%20slang%3D%22en-US%22%3EAny%20documentation%20on%20how%20files%20are%20%22touched%22%20in%20O365%3F%20(CAS%20Impossible%20travel%20alerts)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-899882%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20investigating%20impossible%20travel%20alert%20in%20cloud%20app%20security%20but%20require%20a%20better%20understanding%20of%20how%20files%20are%20%22touched%22%20when%20accessed%20in%20O365.%20If%20there%20is%20documentation%20about%20this%20somewhere%20that%20would%20be%20great!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20instance%2C%20I%20have%20an%20%22impossible%20travel%22%20alert.%20It%20shows%20the%20following%20activities%3A%3C%2FP%3E%3CP%3E%3CSTRONG%3E%22AccessFile%3A%22%3C%2FSTRONG%3E%20(on%20SharePoint)%20from%20the%20%3CSTRONG%3EUK%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3Ethen%20at%20the%20%3CSTRONG%3Esame%20timestamp%3C%2FSTRONG%3E%20%3A%3C%2FP%3E%3CP%3E%22%3CSTRONG%3EFileAccessedExtended%3A%3C%2FSTRONG%3E%22%20(the%20same%20file%20on%20SharePoint)%20from%20%3CSTRONG%3EKorea%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EThen%20%3CSTRONG%3E%22FilePreviewed%22%3C%2FSTRONG%3E%20from%20a%20%3CSTRONG%3Edifferent%20IP%20but%20also%20in%20Korea%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EThen%20%3CSTRONG%3E%22Access%20File%3A%22%3C%2FSTRONG%3E%20(same%20file%20on%20Sharepoint)%20from%20%3CSTRONG%3Ethe%20UK%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20%22%3CSTRONG%3EAccess%20File%22%3C%2FSTRONG%3E%20(Diff%20file%20on%20SharePoint%20but%20on%20the%20same%20SharePoint%20file%20location)%20from%20%3CSTRONG%3ETaiwan%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAll%20these%20activities%20occur%20at%20the%20same%20time%20for%20the%20same%20user.%20Can%20anyone%20help%20explain%2Funderstand%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-899882%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-906423%22%20slang%3D%22en-US%22%3ERe%3A%20Any%20documentation%20on%20how%20files%20are%20%22touched%22%20in%20O365%3F%20(CAS%20Impossible%20travel%20alerts)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-906423%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46448%22%20target%3D%22_blank%22%3E%40Christo%20De%20Lange%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThat's%20exactly%20why%20the%20impossible%20travel%20alert%20is%20getting%20triggered.%20You%20can%20adjust%20the%20threshold%20on%20this%20policy%20based%20on%20how%20sensitive%20you%20want%20it%20to%20be.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20italic%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23171717%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20list-style-image%3A%20none%3B%20list-style-position%3A%20outside%3B%20list-style-type%3A%20disc%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%22This%20detection%20identifies%20two%20user%20activities%20(is%20a%20single%20or%20multiple%20sessions)%20originating%20from%20geographically%20distant%20locations%20within%20a%20time%20period%20shorter%20than%20the%20time%20it%20would%20have%20taken%20the%20user%20to%20travel%20from%20the%20first%20location%20to%20the%20second%2C%20indicating%20that%20a%20different%20user%20is%20using%20the%20same%20credentials.%22%3C%2FSPAN%3E%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CFONT%20face%3D%22Segoe%20UI%2CSegoeUI%2CSegoe%20WP%2CHelvetica%20Neue%2CHelvetica%2CTahoma%2CArial%2Csans-serif%22%20style%3D%22background-color%3A%20%23ffffff%3B%22%20color%3D%22%23003000%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fanomaly-detection-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fanomaly-detection-policy%3C%2FA%3E%3C%2FFONT%3E%3C%2FI%3E%3CI%3E%3C%2FI%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi all 

 

I am investigating impossible travel alert in cloud app security but require a better understanding of how files are "touched" when accessed in O365. If there is documentation about this somewhere that would be great! 

 

For instance, I have an "impossible travel" alert. It shows the following activities:

"AccessFile:" (on SharePoint) from the UK

then at the same timestamp :

"FileAccessedExtended:" (the same file on SharePoint) from Korea

Then "FilePreviewed" from a different IP but also in Korea

Then "Access File:" (same file on Sharepoint) from the UK 

Then "Access File" (Diff file on SharePoint but on the same SharePoint file location) from Taiwan 

 

All these activities occur at the same time for the same user. Can anyone help explain/understand this?

 

Thanks in advance

 

 

1 Reply
Highlighted

@Christo De Lange 

 

That's exactly why the impossible travel alert is getting triggered. You can adjust the threshold on this policy based on how sensitive you want it to be. 

 

"This detection identifies two user activities (is a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials."

 

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy