Jan 18 2021 10:03 AM
I would like to ask you some suggestion on:
How do you handle Impossible Travel alerts?
How do you verify, alert by alert, whether it is a false positive or whether it is actually something you should worry about and maybe act on?
Basically the Impossible Travel alerts are the main ones we have in CAS, and it's not always so easy to understand whether a connection is safe or not.
Jan 20 2021 02:42 AM
@AleA79 While analyzing an impossible travel alert, it is always advised to check the reputation of the two IPs. For true-positive cases, you will generally see the other IP blacklisted. In such cases, you should go ahead with resetting the user's password and terminating any active O365 sessions.
You may sometimes see false positives when the user is actually travelling and signing in from an unsecured network, or perhaps when they use a VPN.
However, per Microsoft documentation, this detection uses a machine learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition, such as VPNs and locations regularly used by other users in the organization. The detection has an initial learning period of seven days during which it learns a new user's activity pattern.
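The triage logic described in the reply above, as an added example that is not part of the original thread: compute the speed a user would have needed between two consecutive sign-ins, treat anything faster than an airliner as impossible, then apply the checks the reply recommends (a blocklisted IP escalates to a true positive; a known VPN egress or a country the organization normally signs in from downgrades it). The sign-in records, IP lists and country set are constructed for the example; the blocklist set stands in for the reputation services named later in the thread, and the 1000 km/h threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: above airliner speed, so treat as impossible


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    country: str  # ISO 3166-1 alpha-2 from the IP geolocation


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def implied_speed_kmh(a, b):
    """Speed the user would have needed to travel between sign-ins a and b."""
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        return float("inf") if km > 0 else 0.0
    return km / hours


def triage(a, b, *, blocklisted_ips, vpn_egress_ips, org_countries):
    """Apply the reply's checks to one pair of sign-ins and return a verdict."""
    if implied_speed_kmh(a, b) <= MAX_PLAUSIBLE_KMH:
        return "not_impossible"
    if a.ip in blocklisted_ips or b.ip in blocklisted_ips:
        return "true_positive"  # reset the password and revoke active sessions
    if a.ip in vpn_egress_ips or b.ip in vpn_egress_ips:
        return "likely_vpn"
    if b.country in org_countries:
        return "known_org_location"
    return "investigate"  # impossible with no explanation yet: needs an analyst


def find_impossible_travel(signins, **lists):
    """Triage consecutive sign-in pairs per user and drop the benign ones."""
    results = []
    ordered = sorted(signins, key=lambda s: (s.user, s.when))
    for user, group in groupby(ordered, key=lambda s: s.user):
        g = list(group)
        for a, b in zip(g, g[1:]):
            verdict = triage(a, b, **lists)
            if verdict != "not_impossible":
                results.append((user, b.ip, verdict))
    return results


# Constructed sample data (documentation IP ranges, made-up users and times).
def _t(h, m):
    return datetime(2021, 1, 18, h, m, tzinfo=timezone.utc)


LONDON_0900 = SignIn("alice", _t(9, 0), "203.0.113.10", 51.5074, -0.1278, "GB")
NEWYORK_0930 = SignIn("alice", _t(9, 30), "198.51.100.7", 40.7128, -74.0060, "US")
NEWYORK_VPN_0930 = SignIn("alice", _t(9, 30), "192.0.2.44", 40.7128, -74.0060, "US")
BERLIN_0930 = SignIn("alice", _t(9, 30), "198.51.100.200", 52.5200, 13.4050, "DE")
PARIS_1200 = SignIn("alice", _t(12, 0), "203.0.113.77", 48.8566, 2.3522, "FR")
BOB_LONDON_0900 = SignIn("bob", _t(9, 0), "203.0.113.10", 51.5074, -0.1278, "GB")
BOB_PARIS_1200 = SignIn("bob", _t(12, 0), "203.0.113.77", 48.8566, 2.3522, "FR")

BLOCKLISTED_IPS = {"198.51.100.7"}   # stand-in for the reputation lookup
VPN_EGRESS_IPS = {"192.0.2.44"}      # the company VPN's known egress
ORG_COUNTRIES = {"GB", "DE"}         # countries other users regularly sign in from
SAMPLE_SIGNINS = [LONDON_0900, NEWYORK_0930, PARIS_1200, BOB_LONDON_0900, BOB_PARIS_1200]
LISTS = dict(blocklisted_ips=BLOCKLISTED_IPS, vpn_egress_ips=VPN_EGRESS_IPS,
             org_countries=ORG_COUNTRIES)

if __name__ == "__main__":
    for user, ip, verdict in find_impossible_travel(SAMPLE_SIGNINS, **LISTS):
        print(user, ip, verdict)
```

Bob's London-to-Paris hop three hours apart is benign travel and never reaches the reputation check; Alice's London-to-New-York hop half an hour apart is impossible, and because the New York IP is on the blocklist it comes out as a true positive. Swap the same hop onto the VPN egress address and the verdict drops to "likely_vpn", which is the false-positive pattern the reply describes.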
Jan 20 2021 02:46 AM - edited Jan 20 2021 02:54 AM
@AnuragSrivastava Many thanks! That was my thought. Do you have any trusted site where you check the reputation of the IP? I am using some websites, but honestly I don't know how much I can trust them.
Jan 20 2021 03:16 AM
@AleA79 You can refer to the recommended sites below to check the reputation:
https://mxtoolbox.com/blacklists.aspx
https://talosintelligence.com/reputation_center
https://www.virustotal.com/gui/home/search
Jul 02 2021 02:25 PM
@TcMcInnis Another good addition would be a blocked-countries list (from Azure AD > Security > Named locations): add the countries you don't do business with, then create a Conditional Access policy to block access. This way, even if for some reason the user's credentials are compromised, the attacker won't get access to any of the resources. Conditional Access - Block access by location - Azure Active Directory | Microsoft Docs
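The geo-block described in the reply above, as an added example that is not part of the original thread: it builds the two Microsoft Graph request bodies involved (a country named location and a Conditional Access policy that blocks it) and dry-runs the country list against recent sign-ins so you can see who would have been locked out before the policy is enforced. The field names follow the Graph countryNamedLocation and conditionalAccessPolicy resource types as I know them; verify them against the current reference before sending. The named-location id, the break-glass account id, the country codes and the sign-in records are constructed placeholders, and the choice to start in report-only mode with a break-glass exclusion is the practice I would recommend, not something the thread states.

```python
import json

# Constructed recent sign-ins: what you would pull from the sign-in log before
# enabling the policy, reduced to the two fields the dry run needs.
RECENT_SIGNINS = [
    {"user": "alice", "country": "GB", "ip": "203.0.113.10"},
    {"user": "bob", "country": "US", "ip": "198.51.100.7"},
    {"user": "carol", "country": "AQ", "ip": "192.0.2.44"},
]

# Placeholder ids; Graph returns the real named-location id when you create it.
NAMED_LOCATION_ID = "00000000-0000-0000-0000-000000000000"
BREAK_GLASS_IDS = ["11111111-1111-1111-1111-111111111111"]


def build_named_location(display_name, countries):
    """Body for POST /identity/conditionalAccess/namedLocations."""
    codes = sorted({c.upper() for c in countries})
    for c in codes:
        if len(c) != 2 or not c.isalpha():
            raise ValueError(f"not an ISO 3166-1 alpha-2 code: {c!r}")
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": display_name,
        "countriesAndRegions": codes,
        # Unknown-country IPs are left alone here; set True to block them too.
        "includeUnknownCountriesAndRegions": False,
    }


def build_block_policy(display_name, named_location_id, break_glass_user_ids,
                       report_only=True):
    """Body for POST /identity/conditionalAccess/policies that blocks the location."""
    if not break_glass_user_ids:
        raise ValueError("exclude at least one break-glass account or you risk locking yourself out")
    return {
        "displayName": display_name,
        # Start in report-only mode and read the sign-in log before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def dry_run(blocked_countries, signins):
    """Return the recent sign-ins the policy would have blocked."""
    blocked = {c.upper() for c in blocked_countries}
    return [s for s in signins if s["country"].upper() in blocked]


if __name__ == "__main__":
    blocked = ["AQ", "BV"]  # constructed list of countries with no business need
    print(json.dumps(build_named_location("Blocked countries", blocked), indent=2))
    print(json.dumps(build_block_policy("Block sign-in from blocked countries",
                                        NAMED_LOCATION_ID, BREAK_GLASS_IDS), indent=2))
    for s in dry_run(blocked, RECENT_SIGNINS):
        print("would block:", s["user"], s["country"], s["ip"])
```

The dry run is the check worth running first: if a legitimate user shows up in its output (carol in the constructed data), either the country does not belong on the list or that user needs an exclusion, and either way you find out before the policy is switched from report-only to enabled.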