It always capture whether from Risky sign in or cloud app security. You can easily find out from MCAS if you know the user.
If you are asking about notification via email, it will notify you anytime accessing from unfamiliar location.
Sorry if I’m not understanding the scenario correctly!
Hope this helps!