We have security alerts from Azure ATP and MCAS (Microsoft Cloud App Security) configured in our environment. We are getting alerts for Unfamiliar Sign-ins, Impossible Travel Activity and Atypical Travel. In my understanding:
Unfamiliar Sign-in: a user signs in from a location that is unusual for the user or different from where they have always signed in from.
Impossible Travel Activity (ITA): a user signs in from different locations within a time frame in which the travel is impossible (signing in from India and then the UK within 25 minutes, for example).
Also, if one of these locations is a new one, then I would also expect an Unfamiliar Sign-in (or does ITA cover that scenario?).
Atypical travel: an Impossible Travel Activity with the Unfamiliar Sign-in twist.
We need to know these differences so that we can choose which ones to have in our SIEM and reduce noise.
But the differences are either very subtle or these alerts are redundant.
- Can I please get a clear explanation of these alerts?
- Are they stepping on each other's toes (redundant, repetitive, overlapping)?
- Do they check if one or the other alert has been generated for the same user before generating an alert?
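The following is an added example, not part of the question and not Microsoft's own detection logic: it encodes the three working definitions from the question (unfamiliar = country never seen for that user; impossible travel = implied speed between two consecutive sign-ins above a plausibility threshold; atypical = both at once) as a small classifier run over constructed sign-in records. The 1000 km/h threshold, the user histories and the coordinates are assumptions chosen for the demonstration; a SIEM analyst can use the same structure to see which of the three labels would overlap on a given event and therefore which feed is redundant for their own tuning.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed plausibility threshold: anything faster than roughly an airliner
# between two consecutive sign-ins is treated as impossible travel.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass
class SignIn:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def classify(events, known_countries):
    """Label each sign-in with the question's three alert types.

    events: list of SignIn (any order; sorted per user by timestamp here).
    known_countries: dict user -> set of countries already seen for that
    user; it is updated in place as events are processed, so an unfamiliar
    country only fires once and then becomes part of the baseline.
    Returns dict user -> list of sorted label lists, one per event.
    """
    results = {}
    last_seen = {}
    for e in sorted(events, key=lambda x: (x.user, x.ts)):
        labels = set()
        baseline = known_countries.setdefault(e.user, set())
        unfamiliar = e.country not in baseline
        if unfamiliar:
            labels.add("unfamiliar_signin")
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # Two sign-ins at the same instant from distinct places are also
            # implausible; avoid a division by zero by treating them as fast.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > MAX_PLAUSIBLE_KMH:
                labels.add("impossible_travel")
                if unfamiliar:
                    labels.add("atypical_travel")
        baseline.add(e.country)
        last_seen[e.user] = e
        results.setdefault(e.user, []).append(sorted(labels))
    return results


def run_demo():
    """Constructed sample data: three users, three distinct outcomes."""
    t0 = datetime(2021, 3, 1, 9, 0)
    events = [
        # alice: known in India, then London 25 minutes later (new country)
        SignIn("alice", t0, "IN", 28.6139, 77.2090),
        SignIn("alice", t0 + timedelta(minutes=25), "GB", 51.5074, -0.1278),
        # bob: known in the US, New York then Boston two hours later
        SignIn("bob", t0, "US", 40.7128, -74.0060),
        SignIn("bob", t0 + timedelta(hours=2), "US", 42.3601, -71.0589),
        # carol: known in Germany, single sign-in from Paris (new country)
        SignIn("carol", t0, "FR", 48.8566, 2.3522),
    ]
    known = {"alice": {"IN"}, "bob": {"US"}, "carol": {"DE"}}
    return classify(events, known)


if __name__ == "__main__":
    for user, per_event in run_demo().items():
        print(user, per_event)
```

Running it shows alice's second sign-in carrying all three labels at once, which is the overlap the question is asking about: under these definitions an atypical-travel event is by construction also an impossible-travel and an unfamiliar-sign-in event, so forwarding all three feeds to a SIEM without correlation produces three alerts for one underlying event.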