Atypical travel: no logs in MCAS

%3CLINGO-SUB%20id%3D%22lingo-sub-1890382%22%20slang%3D%22en-US%22%3EAtypical%20travel%3A%20no%20logs%20in%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1890382%22%20slang%3D%22en-US%22%3E%3CP%3EHI%20all%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EWe%20often%20encounter%20the%20MCAS%20raises%20the%20alerts%3A%20%22Risky%20sign-in%3A%20Atypical%20travel%22%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20alerts%20us%202%20IP%20addresses%2C%20in%20this%20case%20the%20IP%20where%20the%20user%20is%20normally%20active%20from%20and%20the%20atypical%20IP.%26nbsp%3B%3CBR%20%2F%3EThe%20IP's%20are%20also%20translated%20to%20their%20corresponding%20GEO%20locations.%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F233755i091761EB57D78390%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F233756iDA4CCBC069A148FE%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EAs%20you%20can%20see%20that%20alerts%20itself%20states%20that%20is%20does%20not%20have%20any%20activities%20that%20correlate%20to%20this%20alert%3F%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20manually%20checked%20the%20activity%20logs%20and%20the%20AZ%20AD%20sign-in%20logs%20for%20any%20reference%20of%20the%20IP%20that%20invoked%20the%20atypical%20travel.%20But%20nothings%20was%20found.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EHow%20come%20alerts%20are%20raised%20based%20on%20logs%20that%20are%20not%20to%20be%20found%3F%3CBR%20%2F%3E%3CBR%20%2F%3EKind%20regards%3CBR%20%2F%3ELouis%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1890382%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1909685%22%20slang%3D%22en-US%22%3ERe%3A%20Atypical%20travel%3A%20no%20logs%20in%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1909685%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F585791%22%20target%3D%22_blank%22%3E%40LouisMastelinck%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20Azure%20AD%20sign-in%20activities%20(Risky%20sign-in)%2C%20Cloud%20App%20Security%20only%20surfaces%20interactive%20sign-in%20activities%20and%20sign-in%20activities%20from%20legacy%20protocols%20such%20as%20ActiveSync.%20This%20would%20explain%20why%20there%20are%20no%20activities%20associated%20with%20the%20alert.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENon-interactive%20sign-in%20activities%20may%20be%20viewed%20in%20the%20Azure%20AD%20audit%20log.%20You%20should%20be%20able%20to%20locate%20the%20original%20alert%20in%20AAD%E2%80%99s%20Risky%20sign-ins%20blade.%20You%20can%20filter%20the%20detection%20type%3A%20Atypical%20travel%20and%20include%20a%20filter%20for%20the%20user%20which%20triggered%20the%20alert.%20AAD%20can%20then%20provide%20you%20with%20additional%20information%20in%20the%20basic%20and%20risk%20info%20details.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1927254%22%20slang%3D%22en-US%22%3ERe%3A%20Atypical%20travel%3A%20no%20logs%20in%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1927254%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F546565%22%20target%3D%22_blank%22%3E%40John_Lewis%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI%20checked%20your%20input%20and%20indeed%20after%20enabling%20the%20preview%20feature%20in%20azure%20AD%20I%20could%20see%20the%20sign-in%20log%20that%20created%20the%20atypical%20travel%20and%20the%20resource.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EPlacing%20a%20screenshot%20for%20other%20who%20might%20encounter%20this%20question%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22LouisMastelinck_1-1606228421215.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F235765i8DD6EAEB3DDFBD43%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22LouisMastelinck_1-1606228421215.png%22%20alt%3D%22LouisMastelinck_1-1606228421215.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20clarifying%20this.%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20Regards%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

HI all, 


We often encounter the MCAS raises the alerts: "Risky sign-in: Atypical travel"

The alerts us 2 IP addresses, in this case the IP where the user is normally active from and the atypical IP. 
The IP's are also translated to their corresponding GEO locations. 

 
 

image.png

image.png

As you can see that alerts itself states that is does not have any activities that correlate to this alert? 

I have manually checked the activity logs and the AZ AD sign-in logs for any reference of the IP that invoked the atypical travel. But nothings was found. 

How come alerts are raised based on logs that are not to be found?

Kind regards
Louis 

2 Replies

@LouisMastelinck 

 

For Azure AD sign-in activities (Risky sign-in), Cloud App Security only surfaces interactive sign-in activities and sign-in activities from legacy protocols such as ActiveSync. This would explain why there are no activities associated with the alert.

 

Non-interactive sign-in activities may be viewed in the Azure AD audit log. You should be able to locate the original alert in AAD’s Risky sign-ins blade. You can filter the detection type: Atypical travel and include a filter for the user which triggered the alert. AAD can then provide you with additional information in the basic and risk info details.

Hi @John_Lewis 

I checked your input and indeed after enabling the preview feature in azure AD I could see the sign-in log that created the atypical travel and the resource. 

Placing a screenshot for other who might encounter this question:

LouisMastelinck_1-1606228421215.png

 

Thanks for clarifying this. :) 

 

Kind Regards