Forum Discussion

LouisMastelinck's avatar
LouisMastelinck
Brass Contributor
Nov 16, 2020

Atypical travel: no logs in MCAS

HI all,  We often encounter the MCAS raises the alerts: "Risky sign-in: Atypical travel" The alerts us 2 IP addresses, in this case the IP where the user is normally active from and the atypica...
Cloud App Security
John_Lewis's avatar
John_Lewis
Icon for Microsoft rankMicrosoft

LouisMastelinck 

 

For Azure AD sign-in activities (Risky sign-in), Cloud App Security only surfaces interactive sign-in activities and sign-in activities from legacy protocols such as ActiveSync. This would explain why there are no activities associated with the alert.

 

Non-interactive sign-in activities may be viewed in the Azure AD audit log. You should be able to locate the original alert in AAD’s Risky sign-ins blade. You can filter the detection type: Atypical travel and include a filter for the user which triggered the alert. AAD can then provide you with additional information in the basic and risk info details.

LouisMastelinck's avatar
LouisMastelinck
Brass Contributor
Nov 24, 2020

Hi John_Lewis 

I checked your input and indeed after enabling the preview feature in azure AD I could see the sign-in log that created the atypical travel and the resource. 

Placing a screenshot for other who might encounter this question:

 

Thanks for clarifying this. 🙂 

 

Kind Regards

 

Resources