Use EDR to reduce the number of MDR unwanted access escalations
Bjørn Mathisen
We are starting to see a lot of unwanted access escalations. Maybe this is not such a big issue in the US, but for Europeans who travel a lot between our tiny countries, this is like Americans receiving an Unwanted Access escalation every time one of their users travels to a different US state, or even a different city.
One way to greatly reduce the amount of notifications would be to cross-check the MDR locations with those seen in the EDR, or even on devices pulled through the Microsoft Graph API.
Because if an account AND a PC are in use on the same IP / same strange country, then it's highly likely that it's just the user who's out travelling, and not actually unwanted access.
Fredrik Olsson
Also cross-check with named locations in Conditional Access and please add multi selection to the add organisation rule so one rule can contain multiple countries.
Matthew Coombe
I would also like to see ITDR use the telemetry correlation of the device ID in the Entra sign-in logs to validate that it is the same device being used in another country, and therefore extremely unlikely to be "risky", as the device was moved from country to country. Even better, if the device in the sign-in logs is marked as compliant and has been used before in previous "trusted" countries, then this should not flag as risky sign-in activity. Obviously a new device ID in an unusual country should be flagged as a risk if the adversary has managed to enrol a new device, although likely they would be smart enough to use a VPN into the same country as the company is registered in to try and avoid detection (hence why all customers should have tight Conditional Access policies around Intune device enrolment; we require the device to be in a named location, e.g. head office, or use a TAP for authentication to enrol any new device).
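The correlation logic proposed in this thread, written up as an added example (not code from the original posts or from any MDR product): an alert that has already fired on an unusual country is suppressed only when the EDR agent on the same device reports the same public IP, or when the device is a known, compliant one previously seen in a trusted country; a device ID with no history is always escalated. The sign-in events, EDR telemetry, device history and trusted-country set are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed Entra sign-in event that the MDR has flagged as "unwanted access"
@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: Optional[str]  # Entra device ID; None when the sign-in carries none
    country: str
    ip: str
    compliant: bool           # device compliance state recorded in the sign-in log

# Constructed EDR telemetry: device_id -> public IP the agent last checked in from
EDR_PUBLIC_IP: Dict[str, str] = {
    "dev-1": "203.0.113.10",   # laptop currently checking in from abroad
    "dev-2": "198.51.100.7",   # stale: last check-in was from the office
    "dev-3": "203.0.113.77",
}

# Constructed sign-in history: device_id -> countries it has signed in from before
DEVICE_HISTORY: Dict[str, Set[str]] = {
    "dev-1": {"NO", "SE"},
    "dev-2": {"NO"},
    "dev-3": {"DE"},
}

# Constructed "trusted" countries, e.g. the Conditional Access named locations
TRUSTED_COUNTRIES: Set[str] = {"NO", "SE", "DK", "FI"}

def classify(s: SignIn, edr: Dict[str, str] = EDR_PUBLIC_IP,
             history: Dict[str, Set[str]] = DEVICE_HISTORY,
             trusted: Set[str] = TRUSTED_COUNTRIES) -> Tuple[str, str]:
    """Return ("suppress" | "escalate", reason) for a flagged sign-in."""
    if s.device_id is None:
        return "escalate", "sign-in carries no device id; nothing to correlate"
    if s.device_id not in history:
        # Brand-new device ID in an unusual country: treat as possible rogue enrolment
        return "escalate", f"new device id {s.device_id} first seen in {s.country}"
    # Check 1: the EDR agent on that very device reports the same public IP
    if edr.get(s.device_id) == s.ip:
        return "suppress", "EDR sees the same device on the same public IP"
    # Check 2: known, compliant device that has signed in from a trusted country before
    if s.compliant and history[s.device_id] & trusted:
        return "suppress", "known compliant device previously used in trusted countries"
    return "escalate", f"known device {s.device_id} but no corroborating telemetry"
```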