Jul 15 2020 01:28 PM
I have noticed an increasing number of accounts being compromised, without generating any alerts I have configured in the Microsoft Cloud App Security portal (Ie. Impossible travel activity)
Is there anyway to create an alert policy for "Run Command: task MailItemsAccessed" when it happens outside of the US?
For example the activity above would generate an alert because the task MailItemAccessed occurred in Japan. What would that policy look like in the MCAS portal?
Jul 15 2020 11:11 PM
Hi, you could first try changing the sensitivity of the Impossible Travel policy as shown below;
And then ensure you have your alerts configured as required. Have you tried this already?
Jul 16 2020 01:33 PM
@PeterRisingI did try this and I haven't seen any additional alerts being generated since. My main concern is the Impossible Travel policy is looking only at actual sign-in's. I believe what I'm looking to configure an alert for is a Task that is being performed in multiple locations that are considered impossible travel, but I have no idea if that is even possible to configure an alert for.
Jul 17 2020 09:51 AM - edited Jul 17 2020 09:52 AM
Solution@EASchmitt
Does this work for you?
Go to -
Sunglasses (Investigate) -> Activity log -> Advanced (right corner)
If this works, select -> new policy from search and create your policy.
Other things that help:
Hope this helps.
Aug 20 2020 06:35 AM
@Jonathan GreenThank you! I was just able to circle back around to this and the first part did exactly what I was looking for.
Jul 17 2020 09:51 AM - edited Jul 17 2020 09:52 AM
Solution@EASchmitt
Does this work for you?
Go to -
Sunglasses (Investigate) -> Activity log -> Advanced (right corner)
If this works, select -> new policy from search and create your policy.
Other things that help:
Hope this helps.