Spike in impossible travel false positives


I've noted recently a spike in impossible travel alerts in my MCAS. When looking at the activity, all the activity appears in my home country (AU), but dotted throughout is activity from other MS DC IPs in other countries, causing an impossible travel alert.

 

When I look at the type of activity that is triggering this, it appears to be audit activity, not user activity. Nearly all the activities show as "Run command: task MailItemsAccessed;"

 

Googling this, it looks like this is a legit activity to generate an audit log of activity on a mail file. My problem is they are being run across random and multiple data centers. How can I ensure these are not run across O\S data centers so they stop generating false positive alerts? Do I need to maybe whitelist IPs?

 

Here is a redacted sample of one of the activities:

 

{
  "OrganizationId": "REDACTED",
  "CreationTime": "2020-01-19T00:00:00.0000000Z",
  "RecordType": 50,
  "Operation": "MailItemsAccessed",
  "Workload": "Exchange",
  "UserType": 0,
  "UserKey": "REDACTED",
  "Version": 1,
  "OriginatingServer": "REDACTED (XXX.XXX.XXX.XXX)\r\n",
  "InternalLogonType": 0,
  "UserId": "REDACTED@REDACTED.com.au",
  "OrganizationName": "REDACTED.onmicrosoft.com",
  "ClientInfoString": "Client=MSExchangeRPC",
  "ClientIPAddress": "[XXX.XXX.XXX.XXX]:17147",
  "MailboxOwnerSid": "REDACTED",
  "MailboxOwnerUPN": "REDACTED@REDACTED.com.au",
  "Id": "REDACTED",
  "ExternalAccess": false,
  "ResultStatus": "Succeeded",
  "LogonUserSid": "REDACTED",
  "MailboxGuid": "REDACTED",
  "LogonType": 0,
  "SessionId": "REDACTED",
  "OperationProperties": [
    {
      "Name": "MailAccessType",
      "Value": "Bind"
    },
    {
      "Name": "IsThrottled",
      "Value": "False"
    }
  ],
  "OperationCount": 1,
  "Folders": [
    {
      "Id": "REDACTED",
      "Path": "\\Deleted Items",
      "FolderItems": [
        {
          "InternetMessageId": "<REDACTED.ausprd01.prod.outlook.com>"
        }
      ]
    }
  ]
}
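As an added example (not part of the original thread), here is a Python triage pass over audit records shaped like the one above. Rather than whitelisting every datacenter IP outright, it uses the fields the record already carries (Operation, ClientInfoString, LogonType, ExternalAccess, and the bracketed ClientIPAddress) to carve out the service-generated MailItemsAccessed entries before impossible-travel scoring, while keeping mailbox access from any other client or external logon in scope. The service IP ranges, user names and sample records are constructed placeholders, not real Microsoft address space.

```python
import ipaddress

# Constructed placeholder ranges standing in for the service IP space you
# have verified as Microsoft's (hypothetical; replace with vetted ranges).
SERVICE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]


def parse_client_ip(value):
    """Extract the address from ClientIPAddress, logged as '[ip]:port' or 'ip:port'."""
    value = value.strip()
    if value.startswith("["):                       # bracketed form seen in the post
        return ipaddress.ip_address(value[1:value.index("]")])
    host, _, _ = value.rpartition(":")              # bare IPv4 with trailing port
    return ipaddress.ip_address(host or value)


def is_service_mailitemsaccessed(rec):
    """Match the record shape from the post: owner-context MailItemsAccessed
    via MSExchangeRPC, no external access, sourced from a known service range."""
    raw_ip = rec.get("ClientIPAddress")
    if not raw_ip:
        return False
    return (rec.get("Operation") == "MailItemsAccessed"
            and rec.get("ClientInfoString", "").startswith("Client=MSExchangeRPC")
            and rec.get("LogonType") == 0
            and rec.get("ExternalAccess") is False
            and any(parse_client_ip(raw_ip) in net for net in SERVICE_RANGES))


def triage(records):
    """Split records into ones to exclude from impossible-travel scoring and ones to keep."""
    exclude, keep = [], []
    for rec in records:
        (exclude if is_service_mailitemsaccessed(rec) else keep).append(rec)
    return exclude, keep


# Constructed sample records modelled on the redacted one in the post.
SAMPLE_RECORDS = [
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com.au", "LogonType": 0,
     "ExternalAccess": False, "ClientInfoString": "Client=MSExchangeRPC",
     "ClientIPAddress": "[203.0.113.10]:17147"},          # service-generated: exclude
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com.au", "LogonType": 0,
     "ExternalAccess": False, "ClientInfoString": "Client=OWA",
     "ClientIPAddress": "192.0.2.44:443"},                 # real client access: keep
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com.au", "LogonType": 2,
     "ExternalAccess": True, "ClientInfoString": "Client=MSExchangeRPC",
     "ClientIPAddress": "[203.0.113.10]:17147"},          # external logon: keep
]

if __name__ == "__main__":
    excluded, kept = triage(SAMPLE_RECORDS)
    print(f"excluded {len(excluded)} service records, kept {len(kept)} for scoring")
```

Only the first sample record is removed; the third comes from the same service range but has an external, non-owner logon, so it stays in the impossible-travel feed.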

1 Reply

Seen this recently too