Increase in false positives


Over the last few weeks we have noticed an increase in the number of false positives and alerts generated by AAD Identity Protection. Generally, they've been flagged as "impossible travel" from overseas locations.

The concerning part is that all of the "risky" login attempts have been failures, but the accounts are marked as 'high risk' after multiple failed attempts by third parties. Dismissing or confirming these alerts seems inaccurate based on the behavior.

Dismissing the risk would train the system that these login attempts were legitimate.
Confirming they're compromised would be inaccurate as these accounts have not been successfully logged into by the malicious actors.

Has anyone else seen this type of behavior?
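One check a defender would want before dismissing or confirming such a risk, as an added example that is not part of the original post: split risk detections attached to failed sign-ins from those attached to successful ones, per user, so that "failed attempts only" cases can be triaged separately from a possible real compromise. The records below are constructed samples with assumed field names loosely modelled on the sign-in log (errorCode 0 meaning success), not the authoritative schema.

```python
"""Triage helper: per user, count risky sign-ins that failed vs. succeeded.

Records are constructed samples; field names (riskLevelDuringSignIn,
riskEventTypes, status.errorCode, country) are an assumption loosely
modelled on the Azure AD sign-in log, not the authoritative schema.
"""
from collections import defaultdict

# Constructed sample records (not real telemetry).
SIGNINS = [
    {"user": "alice@example.com", "riskLevelDuringSignIn": "high",
     "riskEventTypes": ["impossibleTravel"], "country": "BR",
     "status": {"errorCode": 50126}},   # wrong password: failed attempt
    {"user": "alice@example.com", "riskLevelDuringSignIn": "high",
     "riskEventTypes": ["impossibleTravel"], "country": "RU",
     "status": {"errorCode": 50126}},   # another failed attempt
    {"user": "alice@example.com", "riskLevelDuringSignIn": "none",
     "riskEventTypes": [], "country": "US",
     "status": {"errorCode": 0}},        # her normal, non-risky sign-in
    {"user": "bob@example.com", "riskLevelDuringSignIn": "medium",
     "riskEventTypes": ["unfamiliarFeatures"], "country": "NL",
     "status": {"errorCode": 0}},        # risky AND successful
]

def triage(signins):
    """Return {user: {"risky_failed": n, "risky_succeeded": n, "countries": set}}.

    Only sign-ins carrying a risk level or a risk event type are counted."""
    out = defaultdict(lambda: {"risky_failed": 0, "risky_succeeded": 0,
                               "countries": set()})
    for s in signins:
        if s["riskLevelDuringSignIn"] == "none" and not s["riskEventTypes"]:
            continue                     # not a risk detection, skip
        bucket = out[s["user"]]
        if s["status"]["errorCode"] == 0:
            bucket["risky_succeeded"] += 1
        else:
            bucket["risky_failed"] += 1
        bucket["countries"].add(s["country"])
    return dict(out)

def needs_compromise_review(summary, user):
    """True only if at least one risky sign-in for this user actually succeeded."""
    return summary.get(user, {}).get("risky_succeeded", 0) > 0

if __name__ == "__main__":
    summary = triage(SIGNINS)
    for user, b in summary.items():
        verdict = ("review as possible compromise" if needs_compromise_review(summary, user)
                   else "failed attempts only: credential noise, no successful sign-in")
        print(f"{user}: {b['risky_failed']} risky failed, {b['risky_succeeded']} risky "
              f"succeeded, from {sorted(b['countries'])} -> {verdict}")
```

Users whose risky sign-ins all failed can then be handled as a password-guessing pattern (reset or MFA enforcement) rather than being confirmed as compromised.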
