LT2024
Jan 14, 2020 Brass Contributor
MCAS IPv6 Recipient Cache False Positive Impossible Traveller
Hi all, More of an FYI in case anyone is searching. Started noticing some EXTRA (HA) Impossible Traveller Alerts. Checked them out and found it was actually a Create Email MCAS Event in the US ...
kismat
Brass Contributor
FaustinRoman Hi Faustin
Did you ever get a reply to your question regarding data sovereignty and privacy? If so could I possibly ask if you would be kind enough to post the response in this thread please? I ask because we are in exactly the same situation where our data is hosted in a different region to the US as well and it would be great to try and know the reasoning behind alerts getting generated in the US.
Many thanks in advance.
FaustinRoman
Aug 04, 2020 Copper Contributor
We got an answer, not sure if it really addressed all concerns:
"We're informed that the Microsoft Internal IP that's being logged by Microsoft Security Cloud Service/App was a service from the back-end that triggers the audit log events itself. That's why it happens every 00:00 UTC standard time when Microsoft generates an audit log.
We're also informed that the IP was already whitelisted by the MCAS so this should no longer trigger alerts.
As far as data accessed outside of the region, there were none as the event is only for triggering the audit service."
You could ask why this event is not triggered from the same region... I leave that to you, let me know how far you get with MS support and if it was worth your time....
kismat
Aug 04, 2020 Brass Contributor
Hi Faustin
Thank you very much for replying. I can say that it doesn't ring quite true what they say about the event only triggering at 00:00 UTC as we have observed these events at different times of the day.
I will certainly try to follow this up with Microsoft and if I do get any meaningful updates I will post them to this thread. Many thanks again to you.