The Impossible Travel alert — Friend or foe?

8 min read · May 11, 2021

Using the raw Azure AD SigninLogs table in Azure Sentinel vs. Microsoft Cloud App Security detection policies

Impossible travel has been on the list of SIEM detections for a long time; it is even listed on Wikipedia's SIEM page: https://en.m.wikipedia.org/wiki/Security_information_and_event_management.

To quote the article: “When a user logs in to a system, generally speaking, it creates a timestamp of the event. Alongside the time, the system may often record other useful information such as the device used, GPS address, IP address, incorrect login attempts, etc. The more data is collected the more use can be gathered from it. For impossible travel, the system looks at the current and last login date/time and the difference between the recorded distances. If it deems it’s not possible for this to happen, for example traveling hundreds of miles within a minute, then it will set off a warning. Fortunately, many employees and users are now using VPN services, therefore this should be taken into consideration when setting up such a rule.”

In the Azure Sentinel world, the “impossible travel” alerts are one of the detections received from Microsoft Cloud App Security; its native Azure Sentinel data connector allows incidents to be integrated with just a couple of mouse clicks.
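To make the comparison described above concrete, here is an added example (not code from the original post, and not Microsoft's MCAS logic) that runs the raw-log version of the check over constructed sign-in records: consecutive successful sign-ins per user are compared by great-circle distance and elapsed time, and sign-ins from an assumed corporate VPN egress range (203.0.113.0/24, a placeholder) are skipped so that the VPN caveat from the quote is handled rather than ignored. The record keys loosely mirror SigninLogs columns; the speed threshold and coordinates are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0  # above sustained airliner speed, so no real trip passes
# Assumed corporate VPN egress range (constructed placeholder, not a real allocation).
VPN_EGRESS = [ip_network("203.0.113.0/24")]

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in km between two lat/lon points (Earth radius 6371 km).
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def is_vpn(ip):
    return any(ip_address(ip) in net for net in VPN_EGRESS)

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each successful, non-VPN sign-in with the same user's previous one and
    return (user, speed_kmh, earlier, later) wherever the implied speed is too high."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["TimeGenerated"]):
        if e["ResultType"] == 0 and not is_vpn(e["IPAddress"]):  # 0 = success
            by_user.setdefault(e["UserPrincipalName"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["TimeGenerated"] - prev["TimeGenerated"]).total_seconds() / 3600
            if km == 0:
                continue  # same location, nothing to compare
            speed = km / hours if hours > 0 else float("inf")  # same-second sign-ins
            if speed > max_speed_kmh:
                alerts.append((user, speed, prev, cur))
    return alerts

def ev(user, t, ip, lat, lon, result=0):
    return {"UserPrincipalName": user, "TimeGenerated": t, "IPAddress": ip,
            "lat": lat, "lon": lon, "ResultType": result}

T0 = datetime(2021, 5, 11, 9, 0)
TORONTO, LONDON = (43.65, -79.38), (51.51, -0.13)  # approx. city coordinates
# Constructed sample: alice crosses the Atlantic in 8 h (plausible), bob does it in
# 1 h (impossible), carol's London sign-in comes from the VPN egress (ignored).
SAMPLE = [
    ev("alice@example.com", T0, "198.51.100.10", *TORONTO),
    ev("alice@example.com", T0 + timedelta(hours=8), "192.0.2.20", *LONDON),
    ev("bob@example.com", T0, "198.51.100.11", *TORONTO),
    ev("bob@example.com", T0 + timedelta(hours=1), "192.0.2.21", *LONDON),
    ev("carol@example.com", T0, "198.51.100.12", *TORONTO),
    ev("carol@example.com", T0 + timedelta(minutes=10), "203.0.113.5", *LONDON),
]
```

Running `impossible_travel(SAMPLE)` flags only bob, at roughly 5,700 km/h; in a real pipeline the VPN list would be the organisation's actual egress ranges and the events would come from the SigninLogs query rather than an inline list.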


Written by Adrian Grigorof

Senior Security Architect, CISSP, CISM, CRISC, CCSK, MCSE, BSc
