Forum Discussion
malvinportner
May 11, 2022
Copper Contributor
Test Impossible Travel Alert
Hello there, I am trying to test the Impossible Travel Alert in Microsoft Defender for Cloud Apps. For that, I use NordVPN to log in from 2 different countries and to generate the Impossib...
SamiLamppu
Sep 01, 2022
Brass Contributor
I've used the 'OpenVPN' to test this scenario successfully with a user that has a proper sign-in history. With this specific detection rule, MDA documentation highlights the learning period: 'The detection has an initial learning period of seven days during which it learns a new user's activity pattern.'
Also take these into account when testing:
- When the IP addresses on both sides of the travel are considered safe, the travel is trusted and excluded from triggering the Impossible travel detection. For example, both sides are considered safe if they are tagged as corporate. However, if the IP address of only one side of the travel is considered safe, the detection is triggered as normal.
- The locations are calculated on a country level. This means that there will be no alerts for two actions originating in the same country or in bordering countries.
Create anomaly detection policies in Defender for Cloud Apps | Microsoft Docs
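
A pre-flight check for a planned test pair, modelling only the conditions quoted in the reply above, so a tester can see why an expected alert might not appear. This is an added example, not Microsoft's detection logic and not part of the original posts; the `SignIn` fields, the two-entry `BORDERS` sample set, and measuring the learning period from the user's first recorded activity are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# "initial learning period of seven days" (quoted from the reply above)
LEARNING_PERIOD = timedelta(days=7)

# Constructed sample adjacency data; a real check needs a full border list.
BORDERS = {frozenset(("FI", "SE")), frozenset(("DE", "FR"))}


@dataclass
class SignIn:
    when: datetime
    country: str   # country code resolved from the source IP (assumed field)
    ip_safe: bool  # True if the IP is tagged as safe, e.g. corporate


def suppression_reasons(first_seen: datetime, a: SignIn, b: SignIn) -> list[str]:
    """List the documented conditions under which this pair is not
    expected to raise an Impossible travel alert. Empty list = none apply."""
    reasons = []
    # Assumption: the learning period runs from the user's first activity.
    if min(a.when, b.when) - first_seen < LEARNING_PERIOD:
        reasons.append("user still in seven-day learning period")
    # Only when BOTH sides are safe is the travel trusted.
    if a.ip_safe and b.ip_safe:
        reasons.append("both IP addresses are considered safe")
    # Locations are compared at country level.
    if a.country == b.country:
        reasons.append("same country")
    elif frozenset((a.country, b.country)) in BORDERS:
        reasons.append("bordering countries")
    return reasons


if __name__ == "__main__":
    # Constructed test plan: established user, two VPN exits 30 minutes apart.
    first_seen = datetime(2022, 8, 1)
    t0 = datetime(2022, 9, 1, 10, 0)
    plan = [
        ("FI -> US", SignIn(t0, "FI", False), SignIn(t0 + timedelta(minutes=30), "US", False)),
        ("FI -> SE", SignIn(t0, "FI", False), SignIn(t0 + timedelta(minutes=30), "SE", False)),
        ("FI -> US, one corporate IP", SignIn(t0, "FI", True), SignIn(t0 + timedelta(minutes=30), "US", False)),
    ]
    for name, a, b in plan:
        print(name, "->", suppression_reasons(first_seen, a, b) or "no documented suppression applies")
```

An empty result only means none of the quoted conditions rule the pair out; it does not guarantee that an alert is raised.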