CAS Impossible Travel Alerts

I would like to ask you for some suggestions on:

How do you handle Impossible Travel alerts?

How do you verify, alert by alert, whether it is a false positive or actually something you should worry about and maybe act on?

Basically the Impossible Travel alerts are the main ones we have in CAS, and it's not always so easy to understand whether a connection is safe or not.

3 Replies

@AleA79 While analyzing the impossible travel alert, it's always advised to check the reputation of the two IPs. For true positive cases, you will generally see that the other IP is blacklisted. In such cases, you should go ahead with resetting the user's password and terminating any active O365 sessions.

You may sometimes see false positives in case the user is actually travelling and signing in from an unsecure network, or maybe when he uses a VPN.

However, as per Microsoft documentation, this detection uses a machine learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days during which it learns a new user's activity pattern.

@AnuragSrivastava Many thanks! That was my thought. Do you have any trusted site where you check the reputation of the IP? I am using some websites, but honestly I don't know how much I can trust them.

@AleA79 You can refer to the below recommended sites to check the reputation:

https://mxtoolbox.com/blacklists.aspx
https://talosintelligence.com/reputation_center
https://dnslytics.com/
https://www.virustotal.com/gui/home/search
https://www.abuseipdb.com/
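The triage the replies describe (the speed implied by the distance and time between the two sign-ins, VPN and office sources treated as likely false positives, a reputation hit as the trigger for a password reset and session revocation), as an added Python example that is not part of the original thread or of the CAS product. The VPN egress range, office coordinates, sample sign-ins and blocklist are constructed for the example, and the 1000 km/h threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:            # the fields an impossible-travel alert carries per sign-in
    user: str
    time: datetime
    ip: str
    lat: float
    lon: float

# Constructed for this example: a VPN egress range, an office site, and the speed
# above which travel between two sign-ins is treated as impossible (assumption).
KNOWN_VPN_EGRESS = [ip_network("203.0.113.0/24")]
ORG_SITES = [(51.5074, -0.1278)]   # London office (lat, lon)
MAX_PLAUSIBLE_KMH = 1000.0         # roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def required_speed_kmh(a, b):
    """Speed the user would need to cover the distance between the two sign-ins."""
    hours = abs((b.time - a.time).total_seconds()) / 3600.0
    return haversine_km(a.lat, a.lon, b.lat, b.lon) / hours if hours else float("inf")

def is_known_source(ev):
    """True if the sign-in comes from the VPN egress or from near an office site."""
    if any(ip_address(ev.ip) in net for net in KNOWN_VPN_EGRESS):
        return True
    return any(haversine_km(ev.lat, ev.lon, la, lo) < 50 for la, lo in ORG_SITES)

def triage(a, b, blocklisted):
    """Classify a pair of sign-ins: not_impossible / contain / suppressed / review."""
    if required_speed_kmh(a, b) <= MAX_PLAUSIBLE_KMH:
        return "not_impossible"
    if a.ip in blocklisted or b.ip in blocklisted:
        return "contain"      # reputation hit: reset password, revoke active sessions
    if is_known_source(a) and is_known_source(b):
        return "suppressed"   # both ends are VPN/office sources: likely false positive
    return "review"           # fast travel from an unknown IP: needs a human decision
# Constructed sample: London over the VPN, then Tokyo an hour later from a blocklisted IP.
LONDON = SignIn("alice", datetime(2021, 1, 20, 10, 0), "203.0.113.5", 51.5074, -0.1278)
TOKYO = SignIn("alice", datetime(2021, 1, 20, 11, 0), "198.51.100.7", 35.6762, 139.6503)
BLOCKLISTED = {"198.51.100.7"}
```

The blocklist stands in for the reputation lookup the replies recommend; in practice it would be filled from the listed reputation sources before triage runs.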