CAS Impossible Travel Alerts

I would like to ask for some suggestions on:

How do you handle Impossible Travel alerts?

How do you verify, alert by alert, whether it is a false positive or whether it is actually something you should worry about and maybe act on?

Basically the Impossible Travel alerts are the main ones we have in CAS, and it's not always so easy to understand whether it is a safe connection or not.

8 Replies

@AleA79 While analyzing the impossible travel alert, it's always advised to check the reputation of the two IPs. For true positive cases, you will generally see the other IP to be blacklisted. In such cases, you should go ahead with resetting the user's password and terminating any active O365 sessions.

You may see false positives sometimes in case the user is actually travelling and signing in from an unsecured network, or maybe when he uses a VPN.

However, as per Microsoft documentation, this detection uses a machine learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days during which it learns a new user's activity pattern.

@AnuragSrivastava Many thanks! That was my thought. Do you have any trusted site where you check the reputation of the IP? I am using some websites, but honestly I don't know how much I can trust them.

Question: once the impossible travel alert has been verified as positive, what action, if any, should then be taken? For example, should a request then be made for the user to change their password?

I would say a password change is mandatory at that point in time. As mentioned above, terminating any active sessions would also be recommended. For the folks that happen to be running Azure AD Identity Protection, you could automate some of this using the User and Sign-In Risk policies, which will take the whole risk into account and are mostly automated.

@TcMcInnis Another good addition would be adding a blocked countries list (from Azure AD > Security > Named locations): add those countries that you don't do business with and then create a Conditional Access policy to block access. This way, even if for some reason the user's credentials are compromised, the attacker won't get access to any of the resources. Conditional Access - Block access by location - Azure Active Directory | Microsoft Docs

Have a look at the user agent for the two sign-in events. If they are the same, then there is a good chance it is benign activity and the person is using a VPN; if not, then it may require more investigation. If you are using MFA everywhere, then sometimes it is worth revoking their token to enforce another sign-on to confirm: Actions -> require user to sign back in
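The triage steps the replies above describe (IP reputation, the blocked-countries named location, whether the travel is physically possible, and the user-agent comparison) as an added Python example; this is not code from the thread or from Microsoft's tooling. The two sign-in events, the IP block list and the blocked-country set are constructed sample data, and the 1000 km/h plausibility threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed airliner-speed threshold: faster than this is "impossible"

@dataclass
class SignIn:
    ts: datetime      # sign-in time (UTC)
    ip: str
    country: str      # ISO country code from the geo lookup
    lat: float
    lon: float
    user_agent: str

def haversine_km(a: SignIn, b: SignIn) -> float:
    # great-circle distance between the two sign-in locations
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def implied_speed_kmh(a: SignIn, b: SignIn) -> float:
    hours = abs((b.ts - a.ts).total_seconds()) / 3600
    return float("inf") if hours == 0 else haversine_km(a, b) / hours

def triage(a: SignIn, b: SignIn, ip_blocklist: set, blocked_countries: set) -> dict:
    # check order follows the thread: IP reputation, blocked countries, plausibility, user agent
    speed = implied_speed_kmh(a, b)
    same_ua = a.user_agent == b.user_agent
    bad_ips = [s.ip for s in (a, b) if s.ip in ip_blocklist]
    bad_countries = [s.country for s in (a, b) if s.country in blocked_countries]
    if bad_ips or bad_countries:
        verdict, actions = "true positive", ["reset password", "terminate active sessions",
                                             "check the block-by-location CA policy"]
    elif speed <= MAX_PLAUSIBLE_KMH:
        verdict, actions = "benign", ["close alert: travel is physically plausible"]
    elif same_ua:
        verdict, actions = "likely benign", ["same user agent: probable VPN",
                                             "optionally revoke token to force MFA re-sign-in"]
    else:
        verdict, actions = "investigate", ["different user agents: confirm with user",
                                           "revoke token to force MFA re-sign-in"]
    return {"verdict": verdict, "speed_kmh": speed, "same_user_agent": same_ua,
            "flagged_ips": bad_ips, "flagged_countries": bad_countries, "actions": actions}

# Constructed sample: London 09:00Z, then New York 10:00Z from the same Edge browser.
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
LONDON = SignIn(T0, "203.0.113.10", "GB", 51.5074, -0.1278, "Mozilla/5.0 (Windows NT 10.0) Edge/120")
NEW_YORK = SignIn(T0.replace(hour=10), "198.51.100.7", "US", 40.7128, -74.0060, LONDON.user_agent)
IP_BLOCKLIST = {"198.51.100.250"}  # constructed stand-in for an IP reputation feed
BLOCKED_COUNTRIES = {"KP"}         # constructed stand-in for the named-location block list
```

Run `triage(LONDON, NEW_YORK, IP_BLOCKLIST, BLOCKED_COUNTRIES)` to see the one-hour London to New York pair classified as likely benign because the user agent matches; swap in a block-listed IP or a different user agent to see the verdict change.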