With the widespread use of teleworking, international business travel and corporate VPNs, behavioral security algorithms are being put to the test. On Microsoft Entra ID, one of the most frequent and complex alerts for a Security Operations Center (SOC) to process is the “Impossible Travel” alert.
While this alert is the classic warning sign of identity theft, it also generates a massive volume of false positives. Locking out the account of a traveling sales manager simply because he or she connected to airport Wi-Fi is the best way to paralyze business activity. How do you triage it in real time?
What is the “Impossible Travel” alert?
The Microsoft Entra ID Protection Machine Learning engine calculates the geographic distance and the time elapsed between two successive connections from the same user.
If a colleague connects to their Outlook mailbox from Paris at 10:00 a.m., and a new successful connection takes place from Singapore at 10:30 a.m., the algorithm deduces that it is physically impossible to cover this distance in 30 minutes. It then raises an “Atypical Travel” or “Impossible Travel” alert.
The two possible scenarios
- The False Positive (Legitimate Activity): The user works from Paris, then activates their corporate VPN or a personal VPN (like NordVPN) routed to a server in Asia to test a service. The IP address changes drastically, triggering the alert.
- The True Positive (Compromise): The user is in Paris, but a cybercriminal based abroad has just used their stolen credentials (or a session token stolen via malware) to log in to their account.
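The distance-over-time check described above, plus the first triage question an analyst asks (is the second IP a corporate VPN egress?), as an added example that is not Akuity's or Microsoft's code. The coordinates, IP addresses, VPN ranges and the 1,000 km/h plausibility threshold are constructed assumptions for illustration.

```python
import math
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: two successful sign-ins by the same user, Paris at 10:00 then Singapore at 10:30.
SIGN_INS = [
    {"user": "alice", "time": "2024-03-01T10:00:00", "ip": "203.0.113.10", "lat": 48.8566, "lon": 2.3522},
    {"user": "alice", "time": "2024-03-01T10:30:00", "ip": "198.51.100.7", "lat": 1.3521, "lon": 103.8198},
]

# Assumption: the organisation's VPN egress ranges (placeholder documentation prefix).
CORPORATE_VPN_RANGES = [ip_network("198.51.100.0/24")]

# Assumption: no legitimate traveller moves faster than a commercial airliner.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def implied_speed_kmh(first, second):
    """Speed the user would have needed to travel between the two sign-ins."""
    elapsed_h = (datetime.fromisoformat(second["time"])
                 - datetime.fromisoformat(first["time"])).total_seconds() / 3600
    distance = haversine_km(first["lat"], first["lon"], second["lat"], second["lon"])
    return distance / elapsed_h if elapsed_h > 0 else float("inf")


def is_corporate_ip(ip):
    """True when the address falls inside a known corporate VPN egress range."""
    return any(ip_address(ip) in net for net in CORPORATE_VPN_RANGES)


def triage(first, second):
    """Return (verdict, implied speed): 'ok', 'likely_false_positive' or 'investigate'."""
    speed = implied_speed_kmh(first, second)
    if speed <= MAX_PLAUSIBLE_KMH:
        return "ok", speed            # physically possible, no alert
    if is_corporate_ip(second["ip"]):
        return "likely_false_positive", speed   # Scenario 1: corporate VPN
    return "investigate", speed       # Scenario 2 candidate: unknown origin
```

Only the "investigate" branch needs the IP reputation and User-Agent review the page describes; the other two verdicts can be closed without a manual lookup.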
The trap of manual investigation
Faced with this alert, the Level 1 (L1) SOC analyst faces a dilemma. If he ignores the alert and it turns out to be a compromise, the SOC is held responsible. If he cuts off the user's access as a precaution, he risks blocking a critical client presentation.
Manual investigation means checking the reputation of the foreign IP address in databases such as AlienVault or VirusTotal, analyzing the device type (User-Agent) used for the second connection, and cross-referencing this data, a procedure that takes between 15 and 30 minutes.
The Akuity SOC approach: JIT (Just-In-Time) analysis
To reduce cognitive load and enable decision-making in seconds, Akuity SOC introduces an embedded investigation concept: JIT (Just-In-Time) analysis.
Within the “Identities at risk” tab, when a user is flagged with an anomaly, the analyst does not need to navigate elsewhere. All he has to do is click on the eye icon. This action opens a dynamic side panel that queries the Microsoft Graph API in real time to retrieve the risk detection details.
Instant qualification
JIT analysis provides the exact context:
- The original IP address and the remote IP address.
- Network qualification (is it an anonymized Tor node or a known corporate IP address?).
- The presence of the IP in recognized threat databases (via the integration of Google Web Risk).
Two solutions in one click
With this clear context, the analyst can make the appropriate decision immediately:
Scenario 1: The False Positive is confirmed (the IP belongs to the company's VPN).
The analyst uses the action DISMISSUSERRISK (Acquittal). This API command signals to Microsoft Entra ID Protection that the behavior is legitimate. The user's risk level drops to zero, which avoids polluting SOC statistics and triggering conditional access policies by mistake.
Scenario 2: The Hack is confirmed (the IP is linked to a known malicious proxy server).
The analyst triggers the action revokeSessions to immediately invalidate the attacker's access, and uses confirmUserCompromised to place the account in strict quarantine, each action validated by the analyst's MFA application (AAL2 level).
Conclusion: Speed and discernment
Managing cloud identity security does not mean blindly blocking at the slightest atypical signal. By bringing precise context (Just-In-Time) as close as possible to the command center, you give your analysts the ability to distinguish false alerts from real “Token Theft” attacks, preserving both the security of the infrastructure and the productivity of your employees.
Speed up the triage of your identity alerts. > Discover how our module Identity Management at Risk Entra ID integrates JIT analysis for informed decision making.