cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Test Impossible Travel Alert

malvinportner
Occasional Contributor

‎May 11 2022 02:34 AM

‎May 11 2022 02:34 AM

Test Impossible Travel Alert

Hello there

 

I am trying to test the Impossible Travel Alert in the Microsoft Defender for Cloud Apps.

For that, I use the NordVPN to login from 2 different Countries and to generate the Impossible Travel. Somehow, no Impossible Travel Alert is generated. I just get the alert "Risky sign-in: Anonymous IP adress". Could it be, that this is because I use NordVPN and that the Impossible Travel Alert gets surpressed by the Risky sign-in Alert?

 

Thanks for your Help

1,240 Views
0 Likes
4 Replies
Reply
4 Replies
Adin_Calkic

‎May 11 2022 04:08 AM

‎May 11 2022 04:08 AM

Re: Test Impossible Travel Alert

Hi @malvinportner ,

 

It should work. What license do you have? Premium p2?

1 Like
Reply
malvinportner

‎May 11 2022 11:45 PM - edited ‎May 12 2022 12:56 AM

‎May 11 2022 11:45 PM - edited ‎May 12 2022 12:56 AM

Re: Test Impossible Travel Alert

Yes, it's an Azure Premium p2.

 

Could it be, because the policy was edited less than 7 Days ago (Microsoft says the policy needs 7 days to "learn" before alerts are generated)? The Policy was activated way earlier.

0 Likes
Reply
mikhailf

‎May 12 2022 01:56 AM

‎May 12 2022 01:56 AM

Re: Test Impossible Travel Alert

@malvinportner 

Hello Malvin,
Try to create a VM on Azure in Australia, for example (if you are not in Australia), and log into Microsft365 from this VM.

 

Probably it detects the VPN you use:
"To make this work, the detection logic includes different levels of suppression to address scenarios that can trigger false positive, such as VPN activities, or activity from cloud providers that don't indicate a physical location."

 

Impossible travel 

0 Likes
Reply
Sami Lamppu

‎Aug 31 2022 09:13 PM

‎Aug 31 2022 09:13 PM

Re: Test Impossible Travel Alert

@malvinportner 

 

I've used the 'OpenVPN' to test this scenario successfully with a user that has a proper sign-in history. With this specific detection rule, MDA documentation highlights the learning period: 'The detection has an initial learning period of seven days during which it learns a new user's activity pattern.' 

 

Take these ones also into account when testing:

  • When the IP addresses on both sides of the travel are considered safe, the travel is trusted and excluded from triggering the Impossible travel detection. For example, both sides are considered safe if they are tagged as corporate. However, if the IP address of only one side of the travel is considered safe, the detection is triggered as normal.
  • The locations are calculated on a country level. This means that there will be no alerts for two actions originating in the same country or in bordering countries.

Create anomaly detection policies in Defender for Cloud Apps | Microsoft Docs

0 Likes
Reply