Microsoft Tech Community

Test Impossible Travel Alert


Hello there

I am trying to test the Impossible Travel Alert in Microsoft Defender for Cloud Apps.

For that, I use NordVPN to log in from 2 different countries and generate the impossible travel. Somehow, no Impossible Travel Alert is generated. I just get the alert "Risky sign-in: Anonymous IP address". Could it be that this is because I use NordVPN and the Impossible Travel Alert gets suppressed by the Risky sign-in alert?

Thanks for your help


Hi @malvinportner,

It should work. What license do you have? Premium P2?

Yes, it's an Azure Premium P2.

Could it be because the policy was edited less than 7 days ago (Microsoft says the policy needs 7 days to "learn" before alerts are generated)? The policy was activated way earlier.

@malvinportner

Hello Malvin,
Try to create a VM on Azure in Australia, for example (if you are not in Australia), and log into Microsoft 365 from this VM.

Probably it detects the VPN you use:
"To make this work, the detection logic includes different levels of suppression to address scenarios that can trigger false positive, such as VPN activities, or activity from cloud providers that don't indicate a physical location."

Impossible travel

@malvinportner

I've used the 'OpenVPN' to test this scenario successfully with a user that has a proper sign-in history. With this specific detection rule, MDA documentation highlights the learning period: 'The detection has an initial learning period of seven days during which it learns a new user's activity pattern.'

Take these ones also into account when testing:

  • When the IP addresses on both sides of the travel are considered safe, the travel is trusted and excluded from triggering the Impossible travel detection. For example, both sides are considered safe if they are tagged as corporate. However, if the IP address of only one side of the travel is considered safe, the detection is triggered as normal.
  • The locations are calculated on a country level. This means that there will be no alerts for two actions originating in the same country or in bordering countries.

Create anomaly detection policies in Defender for Cloud Apps | Microsoft Docs
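As an added illustration (not code from the thread or from Microsoft), here is a small Python model of the suppression rules quoted above, so a tester can see why a given pair of sign-ins would not raise Impossible travel. The country codes, the bordering-country pairs and the timestamps are constructed sample values; the real bordering map and speed thresholds are Microsoft's and are not on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Learning period quoted in the thread (seven days).
LEARNING_PERIOD = timedelta(days=7)
# Constructed sample of "bordering countries"; the real map is Microsoft's, not shown here.
BORDERING = {frozenset({"CH", "DE"}), frozenset({"CH", "AT"}), frozenset({"DE", "AT"})}


@dataclass
class SignIn:
    country: str        # locations are evaluated at country level
    when: datetime
    anonymous_ip: bool  # VPN / anonymizer / cloud-provider egress
    corporate: bool     # IP range tagged as corporate ("safe")


def suppression_reasons(a: SignIn, b: SignIn, learning_started: datetime) -> list[str]:
    """Return why the pair would NOT raise Impossible travel.

    An empty list means none of the quoted suppression rules apply.
    learning_started: when the 7-day learning window began (new user or,
    as the thread discusses, a recently edited policy).
    """
    reasons = []
    if b.when - learning_started < LEARNING_PERIOD:
        reasons.append("still inside the 7-day learning period")
    if a.anonymous_ip or b.anonymous_ip:
        reasons.append("VPN/anonymous IP on at least one side (suppressed as a likely false positive)")
    if a.country == b.country:
        reasons.append("both sign-ins from the same country")
    elif frozenset({a.country, b.country}) in BORDERING:
        reasons.append("sign-ins from bordering countries")
    if a.corporate and b.corporate:
        reasons.append("both IPs tagged corporate, travel is trusted")
    return reasons


if __name__ == "__main__":
    started = datetime(2024, 1, 1)
    home = SignIn("CH", datetime(2024, 2, 1, 9, 0), anonymous_ip=False, corporate=False)
    # The thread's NordVPN test: second hop exits via an anonymizer IP.
    via_vpn = SignIn("AU", datetime(2024, 2, 1, 10, 0), anonymous_ip=True, corporate=False)
    # The suggested alternative: an Azure VM in Australia with a plain egress IP.
    via_vm = SignIn("AU", datetime(2024, 2, 1, 10, 0), anonymous_ip=False, corporate=False)
    print("NordVPN test:", suppression_reasons(home, via_vpn, started))
    print("VM test:", suppression_reasons(home, via_vm, started))
```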

@malvinportner, the 7-day detection policy learning period is likely still in progress after the recent edit. Give it the full duration. Also, NordVPN is probably obscuring the location change that would signal impossible travel.

Try logging in from physically distant spots without routing through a VPN. Remember that only one login location may be designated high-risk, while alerts require risky access at both endpoints. Verify country-level locations are both unsafe. If, after 7 days, logins from clearly different non-VPN locations still don't trigger alerts, some policy configuration adjustments may be needed.