Many AROs are triaged by our Analysts who combine several observations to determine if an ARO is required.
Azure has separately sent you an alert stating:
We detected a new user with at least high risk in your [company] directory. This might be because we noticed suspicious account activity or we found their emails and passwords posted in a public location.
At Field Effect, our Analysts will have received the same alert, but they also have access to other data, information and behavior patterns, and can make a more informed decision as to whether this is something to highlight.
The Azure alert above may be trying to flag that it has observed an impossible travel scenario, but isn't able to appreciate that it is for the same user using the same endpoint, over an approved VPN service.
In such circumstances an ARO will not be sent as there will have been no red flags.
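The Python sketch below is an added example, not Field Effect's or Azure's own logic. It shows how an impossible-travel signal can be correlated with endpoint and VPN context as described above. The field names, the 900 km/h threshold and the VPN egress range are assumptions, and the sign-in records are constructed.

```python
"""Added illustration: impossible-travel triage with endpoint and VPN context."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Assumption: egress range of the organisation's approved VPN (documentation range).
APPROVED_VPN_EGRESS = [ip_network("203.0.113.0/24")]
MAX_PLAUSIBLE_KMH = 900  # assumption: roughly airliner cruising speed


@dataclass
class SignIn:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    when: datetime


def distance_km(a: SignIn, b: SignIn) -> float:
    """Great-circle (haversine) distance between two sign-in geolocations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def via_approved_vpn(s: SignIn) -> bool:
    return any(ip_address(s.ip) in net for net in APPROVED_VPN_EGRESS)


def triage(prev: SignIn, cur: SignIn) -> str:
    """Return 'no_alert', 'suppress' or 'escalate' for two consecutive sign-ins."""
    hours = max((cur.when - prev.when).total_seconds() / 3600, 1 / 3600)
    if distance_km(prev, cur) / hours <= MAX_PLAUSIBLE_KMH:
        return "no_alert"  # travel between the two locations is physically plausible
    same_endpoint = prev.user == cur.user and prev.device_id == cur.device_id
    if same_endpoint and (via_approved_vpn(prev) or via_approved_vpn(cur)):
        return "suppress"  # location jump is explained by the approved VPN egress
    return "escalate"  # unexplained jump: hand to an analyst


# Constructed sample sign-ins (not real telemetry).
OTTAWA = SignIn("alice", "LAPTOP-01", "198.51.100.7", 45.42, -75.70, datetime(2024, 1, 8, 9, 0))
VPN_LONDON = SignIn("alice", "LAPTOP-01", "203.0.113.20", 51.51, -0.13, datetime(2024, 1, 8, 9, 30))
UNKNOWN = SignIn("alice", "UNKNOWN-PC", "192.0.2.44", 51.51, -0.13, datetime(2024, 1, 8, 9, 30))
```

The suppression is only as reliable as the device identifier, so it should come from a managed-endpoint source rather than from a value the client reports about itself.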