cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Atypical travel: no logs in MCAS

LouisMastelinck
Brass Contributor

‎Nov 16 2020 05:01 AM

‎Nov 16 2020 05:01 AM

Atypical travel: no logs in MCAS

HI all, 


We often encounter the MCAS raises the alerts: "Risky sign-in: Atypical travel"

The alerts us 2 IP addresses, in this case the IP where the user is normally active from and the atypical IP. 
The IP's are also translated to their corresponding GEO locations. 

 
 

image.png

image.png

As you can see that alerts itself states that is does not have any activities that correlate to this alert? 

I have manually checked the activity logs and the AZ AD sign-in logs for any reference of the IP that invoked the atypical travel. But nothings was found. 

How come alerts are raised based on logs that are not to be found?

Kind regards
Louis 

Labels:
3,337 Views
1 Like
2 Replies
Reply
2 Replies
John_Lewis

‎Nov 19 2020 10:56 AM

‎Nov 19 2020 10:56 AM

Re: Atypical travel: no logs in MCAS

@LouisMastelinck 

 

For Azure AD sign-in activities (Risky sign-in), Cloud App Security only surfaces interactive sign-in activities and sign-in activities from legacy protocols such as ActiveSync. This would explain why there are no activities associated with the alert.

 

Non-interactive sign-in activities may be viewed in the Azure AD audit log. You should be able to locate the original alert in AAD’s Risky sign-ins blade. You can filter the detection type: Atypical travel and include a filter for the user which triggered the alert. AAD can then provide you with additional information in the basic and risk info details.

1 Like
Reply
LouisMastelinck

‎Nov 24 2020 06:34 AM

‎Nov 24 2020 06:34 AM

Re: Atypical travel: no logs in MCAS

Hi @John_Lewis 

I checked your input and indeed after enabling the preview feature in azure AD I could see the sign-in log that created the atypical travel and the resource. 

Placing a screenshot for other who might encounter this question:

LouisMastelinck_1-1606228421215.png

 

Thanks for clarifying this. :) 

 

Kind Regards

 

0 Likes
Reply