Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
175 questions
ImpossibleTravelActivity query filtering out "non-interactive sign-ins"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 98%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETV%3C/text%3E%3C/svg%3E)
Trifonov, Vladimir
0
Reputation points
Since Microsoft disabled all useful policies like Impossible travel i created new custom rule.
BehaviorInfo
| where ActionType == "ImpossibleTravelActivity"
| join BehaviorEntities on BehaviorId
So now the issue is that i cannot find how to filter out "User sign-ins (non-interactive)"
The reason for that is when user is in another country and using WiFi with his mobile phone it get IP from the country that its located, but when wifi is lost and it switch to SIM internet the internet is forwarded to its provider of origin and it`s getting IP from his home country. In that case impossible travel is triggered because the user gets 2 IP from different countries in less then a minute.