question

xjt910-5510 asked Givary-MSFT edited

Atypical Travel / Unfamiliar sign-in properties

Hi

I get a few atypical travel / unfamiliar sign-in properties incidents from time to time, where privileged users sign in from the same IP (52.98.175.181, Amsterdam, Noord-Holland) owned by Microsoft. I dismiss these as false positives, but I'm curious why this happens. I get the atypical travel part, but it happens quite often, so I wonder why it keeps triggering the unfamiliar sign-in properties policy.

I hope the question makes sense, thanks in advance!

Tags: microsoft-sentinel, azure-ad-sign-in-logs

1 Answer

Givary-MSFT answered xjt910-5510 commented

@xjt910-5510 Thank you for reaching out to us.

Regarding your query about frequent atypical travel alerts for privileged accounts:

This risk detection identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. Among several other factors, this machine learning algorithm takes into account the time between the two sign-ins.

The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#:~:text=The%20algorithm%20ignores,sign%2Din%20behavior.

Let me know if you have any questions on it.





Hi,

Thank you, but I'm aware how the threat policies work.

My questions were:
a) Why do we see sign-ins from Amsterdam even though the employee isn't there? I assume it's due to the location of our tenant, but I'd like confirmation of that.
b) Why does the unfamiliar sign-in properties policy trigger when we see these sign-ins on a regular basis?

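A triage query for the sign-ins discussed in this thread, added here as an example; it is not part of the original question or answer and does not settle why the IP appears. It assumes the Azure AD sign-in logs are ingested into Sentinel as the SigninLogs table with its standard columns (IPAddress, LocationDetails, DeviceDetail, ClientAppUsed, UserAgent, RiskEventTypes_V2, RiskState, ResultType); the IP and the 30-day lookback are taken from the question and chosen for illustration respectively.

```kusto
// Added example (not from the original post): list every sign-in from the IP
// quoted in the question, grouped by the properties the risk detections look at,
// and compare each affected user with the locations they normally sign in from.
// Assumes the SigninLogs table from the Azure AD / Entra ID connector.
let SuspectIp = "52.98.175.181";   // IP from the question
let Lookback  = 30d;               // assumed lookback window
// 1. All sign-ins from the IP, with location and device details flattened
let FromIp = SigninLogs
    | where TimeGenerated > ago(Lookback)
    | where IPAddress == SuspectIp
    | extend City    = tostring(LocationDetails.city),
             Country = tostring(LocationDetails.countryOrRegion),
             Browser = tostring(DeviceDetail.browser),
             OS      = tostring(DeviceDetail.operatingSystem);
// 2. Per-user baseline: how many distinct IPs and which countries each user
//    successfully signs in from over the same window
let Baseline = SigninLogs
    | where TimeGenerated > ago(Lookback)
    | where ResultType == "0"      // successful sign-ins only
    | summarize UsualIps       = dcount(IPAddress),
                UsualCountries = make_set(tostring(LocationDetails.countryOrRegion), 10)
      by UserPrincipalName;
// 3. One row per user and client combination seen from the IP, with the
//    risk events Identity Protection attached to those sign-ins
FromIp
| summarize SignIns    = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            Apps       = make_set(AppDisplayName, 10),
            Clients    = make_set(ClientAppUsed, 10),
            UserAgents = make_set(UserAgent, 5),
            RiskEvents = make_set(tostring(RiskEventTypes_V2), 10),
            RiskStates = make_set(RiskState, 5)
  by UserPrincipalName, City, Country, Browser, OS
| join kind=leftouter Baseline on UserPrincipalName
| project-away UserPrincipalName1
| order by SignIns desc
```

What to read from the output: if the IP shows up only with one kind of client (a particular ClientAppUsed or UserAgent) and the same city for every affected user, while those users' UsualCountries lie elsewhere, the sign-ins are more likely coming through a service endpoint or proxy than from the user physically being in Amsterdam. Confirm the ownership of the IP against Microsoft's published service IP ranges rather than the geolocation alone, and use the RiskEvents and RiskStates columns to see whether the atypical travel and unfamiliar sign-in properties detections fire on the same sign-ins or on different ones.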