SOLVED

Corporate IP & Impossible Travel issues


We're having issues with Corporate IPs and Impossible Travel issues.

 

We have set all of the Corporate IPs within Cloud App Security, and we have also done this in Azure's Named Locations as well. We had gotten on a support call where the Microsoft Support (Convergys ) created this CAS Policy:

[screenshot: Annotation2 2020-02-04 081704.jpg]

However, we're getting users who are switching between their various machines, and although both the India and Australia IPs are Corporate IP addresses and are trusted, they're still getting Impossible Travel alerts (possibly because even though both IPs are corporate, the Location name changes?)

[screenshot: Annotation 2020-02-04 081407.jpg]

 

Is there anything we can do? Just seems like we're constantly getting false positives because of this, and the reporting isn't reliable enough for us to use.


1 Reply (best response, confirmed by rmoat)

@rmoat 

 

Hello,

 

Adding your corporate IPs to the data enrichment section is a great first step to improving the detection. However, you can take a few additional steps to help with this issue. As an example, to reduce the number of false positives within the impossible travel alert, you can set the policy's sensitivity slider to low. Lastly, if you have users in your organization who are frequent corporate travelers, you can add them to a user group and select that group in the scope of the policy to exclude.

 

More information can be found at https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy#impossible-travel and https://docs.microsoft.com/en-us/cloud-app-security/best-practices#detect-cloud-threats-compromised-accounts-malicious-insiders-and-ransomware
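The following Python is an added illustration, not Microsoft Cloud App Security code and not the policy shown in the screenshots. It models a minimal impossible-travel detector of the kind the question describes (compare the resolved geolocation and timestamp of a user's consecutive sign-ins, alert when the implied speed is not physically possible) together with the three knobs the reply lists: a corporate IP allowlist, a sensitivity setting, and a user group scoped out of the policy. Everything concrete is assumed: the speed thresholds behind "high/medium/low", the RFC 5737 documentation prefixes standing in for the India and Australia office ranges, the city coordinates standing in for IP geolocation results, and the constructed sign-ins. The point it makes is the one the question hints at: a detector that only looks at distance and time fires on India to Australia whether or not both addresses are trusted, so trust has to enter as an explicit suppression rule.

```python
"""Toy impossible-travel detector with the three tuning knobs from the reply.

Added illustration only: this is NOT Microsoft Cloud App Security code, and the
thresholds, allowlist semantics and sample sign-ins below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Assumed corporate egress ranges, using RFC 5737 documentation prefixes so the
# example names no real network. The office labels are for readability only.
CORPORATE_RANGES = {
    "India office": ip_network("198.51.100.0/24"),
    "Australia office": ip_network("203.0.113.0/24"),
}

# Assumed mapping from a sensitivity setting to the highest implied travel speed
# (km/h) still treated as plausible. Lower sensitivity = higher bar = fewer alerts.
SENSITIVITY_MAX_KMH = {"high": 500.0, "medium": 900.0, "low": 1500.0}


@dataclass(frozen=True)
class SignIn:
    user: str
    ip: str
    lat: float  # geolocation the detector resolved for the IP (assumed)
    lon: float
    when: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_corporate(ip):
    """True when the address falls inside any tagged corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES.values())


def impossible_travel_alerts(signins, sensitivity="medium",
                             suppress_corporate=False, excluded_users=frozenset()):
    """Return (user, from_ip, to_ip, implied_kmh) for each consecutive pair of a
    user's sign-ins whose implied speed exceeds the sensitivity threshold.

    suppress_corporate: drop pairs where BOTH ends are tagged corporate.
    excluded_users:     users scoped out of the policy (e.g. frequent travellers).
    """
    max_kmh = SENSITIVITY_MAX_KMH[sensitivity]
    by_user = {}
    for s in sorted(signins, key=lambda s: s.when):
        by_user.setdefault(s.user, []).append(s)

    alerts = []
    for user, events in by_user.items():
        if user in excluded_users:
            continue
        for a, b in zip(events, events[1:]):
            if a.ip == b.ip:
                continue
            if suppress_corporate and is_corporate(a.ip) and is_corporate(b.ip):
                continue  # trust applied explicitly; distance alone would still fire
            # Floor the gap at one second so two near-simultaneous sign-ins cannot divide by zero.
            hours = max((b.when - a.when).total_seconds() / 3600.0, 1.0 / 3600.0)
            kmh = haversine_km(a.lat, a.lon, b.lat, b.lon) / hours
            if kmh > max_kmh:
                alerts.append((user, a.ip, b.ip, round(kmh)))
    return alerts


# Constructed sample sign-ins. Coordinates are the public city centres of
# Mumbai, Sydney, London and Rome, used as stand-ins for IP geolocation results.
T0 = datetime(2020, 2, 4, 8, 0)
SAMPLE_SIGNINS = [
    # Staff member switching from an India-office machine to an Australia-office machine
    SignIn("dev@example.com", "198.51.100.10", 19.0760, 72.8777, T0),
    SignIn("dev@example.com", "203.0.113.20", -33.8688, 151.2093, T0 + timedelta(minutes=30)),
    # Same geography, but the second sign-in comes from an untagged address: a real signal
    SignIn("victim@example.com", "198.51.100.11", 19.0760, 72.8777, T0),
    SignIn("victim@example.com", "192.0.2.77", -33.8688, 151.2093, T0 + timedelta(minutes=30)),
    # Frequent traveller: London, then Rome 75 minutes later (roughly 1,150 km/h implied)
    SignIn("sales@example.com", "192.0.2.5", 51.5074, -0.1278, T0),
    SignIn("sales@example.com", "192.0.2.6", 41.9028, 12.4964, T0 + timedelta(minutes=75)),
]

if __name__ == "__main__":
    for label, kwargs in [
        ("no tuning (medium)", {}),
        ("corporate pairs suppressed", {"suppress_corporate": True}),
        ("+ sensitivity low", {"suppress_corporate": True, "sensitivity": "low"}),
        ("+ travellers excluded", {"suppress_corporate": True,
                                   "excluded_users": {"sales@example.com"}}),
    ]:
        print(f"{label}: {impossible_travel_alerts(SAMPLE_SIGNINS, **kwargs)}")
```

With no tuning all three users alert, because Mumbai to Sydney in 30 minutes is impossible whatever the IP reputation. Suppressing pairs where both ends are corporate removes the dev case the question complains about while keeping the victim case, whose second sign-in comes from an untagged address. Lowering the sensitivity or excluding a frequent-traveller group each remove the London to Rome case, and each also raises the bar for a genuine compromise, so the exclusion group should be kept as small as the business allows and reviewed periodically.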