Oct 20 2019 06:20 PM
Oct 20 2019 06:20 PM
What determines the location shown in MCAS for Office 365 logs other than users utilizing a VPN service on their devices? I'm seeing too many users having connections from different locations within 30 mins to an hour usually using Exchange and Sharepoint Online and this creates a lot of false positive Impossible Travel Activity alerts. How does CAS or Office 365 resolve these locations?
Cloud App Security
Oct 23 2019 07:36 AM
@acebqI believe the logs are reading the public facing IP address of the VPN exit node. If one of the IP addresses is the public facing IP of your VPN connection then you can add it to the list of trusted IP in the alert to stop it flagging impossible travel.
Jan 18 2021 11:06 AM
@acebq Hi, I am facing the same challenge, trying to understand / reproduce the alerts on my own. its time consuming to check the high number of impossible travel alerts understanding where is a false positive or is a true one. May i ask you how you do these kind of checks ?
Jan 18 2021 05:17 PM
@AleA79It's been hard for us as well specially when you've got global locations. I've only been able to reproduce and catch those that are using VPN to anonymize their IP and those that uses our Site-to-Site VPN. I also observed different behaviors when users connect to their OneDrive and results are very inconsistent. I go through them one by one but I try to focus on those unknown connections that generated a lot of suspicious events. I've noticed some IP Addresses are incorrectly resolved which led me to this question years ago. I'm still experiencing inaccuracy from time to time just like yesterday when an IP Address was resolved to be coming from Germany but it was actually coming from Zimbabwe. I'm still testing and observing these events. We've come across some True Positives over the years and have since utilized MFA in most locations to at least lessen our worries when we get overwhelmed with the number of Impossible Travel Activities that comes in. I can't be much help now but I will post here if I discovered anything that can substantially help the community.