MicrosoftDocs / CloudAppSecurityDocs

Public repo for CloudAppSecurityDocs-pr
Creative Commons Attribution 4.0 International

Error in "Impossible Travel" regarding 'corporate' IP addresses #515

Closed P-Ron closed 2 years ago

P-Ron commented 2 years ago

Documentation in Knowledge Base says:

• When the IP addresses on both sides of the travel are considered safe, the travel is trusted and excluded from triggering the Impossible travel detection. For example, both sides are considered safe if they are tagged as corporate. However, if the IP address of only one side of the travel is considered safe, the detection is triggered as normal.

However, I get numerous impossible travel alerts when both IP addresses are tagged corporate. The alert itself says:

If any of these IP addresses are used by the organization for VPN connections and do not necessarily represent a physical location, we recommend categorizing them as VPN in the IP Address range page in Microsoft Defender for Cloud Apps portal to avoid false alerts.

So the documentation regarding corporate tagging should say VPN tagging.

This is problematic: if I go retag my corporate addresses, then it could affect other policies that filter using IP category.



dcurwin commented 2 years ago

Thanks for your question. We'll investigate and get back to you.

dcurwin commented 2 years ago

@P-Ron Thank you again for your comment. I checked with the product group, and they said that the documentation is correct, but if you are experiencing this issue, they recommend you open a support ticket, and the support teams will help you.