Home

Unfamiliar sign-in properties, alert flagged in AAD Identity protection but not MCAS?

%3CLINGO-SUB%20id%3D%22lingo-sub-1195827%22%20slang%3D%22en-US%22%3EUnfamiliar%20sign-in%20properties%2C%20alert%20flagged%20in%20AAD%20Identity%20protection%20but%20not%20MCAS%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1195827%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Guys%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFirst%20time%20post%20so%20apologies%20if%20anything%20is%20in%20correct%20with%20the%20below.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20an%20alert%20being%20picked%20up%20in%20AAD%20IP%20for%20a%20Risky%20Sign-in%20under%20the%20detection%20type%2C%20Unfamiliar%20Sign-in%20Properties.%20Usually%20i%20would%20see%20the%20same%20alert%20being%20triggered%20in%20MCAS%20but%20for%20what%20ever%20reason%20the%20alert%20hasn't%20been%20triggered.%20Has%20anyone%20seen%20anything%20similar%20before%2C%20or%20know%20why%20it%20wouldn't%20flag%20in%20MCAS%20but%20its%20does%20in%20AAD%20IP%3F%20Had%20this%20occur%20a%20few%20times%20now.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAAD%20IP%20triggered%20this%20alert%20at%202%2F26%207%3A22AM%20but%20in%20MCAS%20the%20first%20activity%20from%20this%20user%20was%202%2F26%207%3A50AM%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1195827%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407068%22%20slang%3D%22en-US%22%3ERe%3A%20Unfamiliar%20sign-in%20properties%2C%20alert%20flagged%20in%20AAD%20Identity%20protection%20but%20not%20MCAS%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407068%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F563382%22%20target%3D%22_blank%22%3E%40MattBurrows%3C%2FA%3E%26nbsp%3B%20In%20late%20January%202020%2C%20Identity%20Protection%20and%20MCAS%20started%20integrating%2C%20so%20my%20guess%20is%20the%20change%20in%20behavior%20you%20observed%20on%202%2F26%2F20%20may%20have%20resulted%20from%20the%20code%20change%20from%20January%20as%20described%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fwhats-new%23two-new-identity-protection-detections%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fwhats-new%23two-new-identity-protection-detections%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20is%20not%20perfect%20parity%20between%20MCAS%20and%20Azure%20Identity%20Protection.%20For%20example%2C%20I%20asked%20Sarah%20Handler%20(MSFT)%3A%3C%2FP%3E%3CP%3EQ%3A%20%22%3CSPAN%3EAzure%20Identity%20Protection%20already%20had%20impossible%20travel%20signal%20before%20MCAS%20sent%20its%20signal%20so%20are%20you%20eliminating%20redundancy%20and%20using%20MCAS%E2%80%99s%20engine%20for%20that%20now%3F%20If%20not%2C%20How%20does%20this%20seemingly%20redundant%20impossible%20travel%20signal%20add%20any%20extra%20value%20to%20AIP%3F%20Was%20AIP%20deficient%3F%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EA%3A%20%22The%20signals%20have%20very%20similar%20names%2C%20but%20detection%20logic%20is%20distinct%20and%20they%20are%20looking%20at%20different%20things%20to%20determine%20compromise.%20There%20may%20be%20overlap%2C%20but%20we%E2%80%99ve%20definitely%20seen%20cases%20where%20AADIP%20will%20see%20atypical%20travel%20and%20MCAS%20doesn%E2%80%99t%20see%20impossible%20travel%20and%20vice%20versa.%26nbsp%3BAtypical%20travel%20is%20the%20AADIP%20signal%20and%20Impossible%20Travel%20is%20the%20MCAS%20signals.%202%20things%20have%20changed%20in%20the%20last%20year%3A%201)%20we%20previously%20called%20the%20AADIP%20signal%20%E2%80%9CImpossible%20travel%20to%20atypical%20locations%E2%80%9D%20and%20renamed%20it%20to%20%E2%80%9CAtypical%20travel.%22%26nbsp%3BWe%20integrated%20with%20MCAS%20to%20consume%20their%20Impossible%20Travel%20signal%2C%20which%20now%20shows%20in%20our%20UI%20and%20can%20influence%20user%20risk%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2FITguySoCal%2Fstatus%2F1232862860084072448%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftwitter.com%2FITguySoCal%2Fstatus%2F1232862860084072448%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Unfamiliar%20sign-in%20properties%20risk%20type%20is%20continuously%20updated.%3C%2FP%3E%3CP%3EThere%20was%20a%20big%20update%20in%20August%202019%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fpresenting-the-new-unfamiliar-sign-in-properties%2Fba-p%2F779978%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fpresenting-the-new-unfamiliar-sign-in-properties%2Fba-p%2F779978%3C%2FA%3E%3C%2FP%3E%3CP%3EAnd%20then%20another%20update%20in%20November%202019%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fthe-refreshed-azure-ad-identity-protection-is-now-generally%2Fba-p%2F1002916%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fthe-refreshed-azure-ad-identity-protection-is-now-generally%2Fba-p%2F1002916%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Senior Member

Hi Guys,

 

First time post so apologies if anything is in correct with the below. 

 

I have an alert being picked up in AAD IP for a Risky Sign-in under the detection type, Unfamiliar Sign-in Properties. Usually i would see the same alert being triggered in MCAS but for what ever reason the alert hasn't been triggered. Has anyone seen anything similar before, or know why it wouldn't flag in MCAS but its does in AAD IP? Had this occur a few times now.

 

AAD IP triggered this alert at 2/26 7:22AM but in MCAS the first activity from this user was 2/26 7:50AM

1 Reply
Highlighted

@MattBurrows  In late January 2020, Identity Protection and MCAS started integrating, so my guess is the change in behavior you observed on 2/26/20 may have resulted from the code change from January as described here: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new#two-new-identity-prot...

 

There is not perfect parity between MCAS and Azure Identity Protection. For example, I asked Sarah Handler (MSFT):

Q: "Azure Identity Protection already had impossible travel signal before MCAS sent its signal so are you eliminating redundancy and using MCAS’s engine for that now? If not, How does this seemingly redundant impossible travel signal add any extra value to AIP? Was AIP deficient?"

A: "The signals have very similar names, but detection logic is distinct and they are looking at different things to determine compromise. There may be overlap, but we’ve definitely seen cases where AADIP will see atypical travel and MCAS doesn’t see impossible travel and vice versa. Atypical travel is the AADIP signal and Impossible Travel is the MCAS signals. 2 things have changed in the last year: 1) we previously called the AADIP signal “Impossible travel to atypical locations” and renamed it to “Atypical travel." We integrated with MCAS to consume their Impossible Travel signal, which now shows in our UI and can influence user risk"

https://twitter.com/ITguySoCal/status/1232862860084072448

 

 

The Unfamiliar sign-in properties risk type is continuously updated.

There was a big update in August 2019:

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/presenting-the-new-unfamiliar...

And then another update in November 2019:

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/the-refreshed-azure-ad-identi...