What is a one-sentence summary of your feature request?
Impossible travel alerts on Entra ID logons
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
To monitor Entra ID logon activities, in addition to alerts that signal successful logons from certain countries (which I classify as malicious), it would be useful to be able to set a filter to calculate the delta between successful logons.
Let me give an example of what is defined as Impossible Travel:
If I have a logon from a country that I consider legitimate (Italy) with a timestamp of 10/10/10 12:30, the activity is classified as legitimate and I do not receive any alerts.
If I have a logon from a country that I consider legitimate (United States) with a timestamp of 10/10/10 12:35, the activity is classified as legitimate and I do not receive any alerts.
However, if the logons were made by the same user in such a short time frame, this is very suspicious because it indicates potentially impossible activity.
It would be great to be able to apply a filter on the time frame directly on the alerts, as is the case with the threshold.
How do you currently solve the challenges you have by not having this feature?
Currently, we do not have the ability to manage this within Auditor, but only to set alerts for individual logon activities.
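The check described in this request, sketched as an added example (it is not part of the original post and is not Auditor functionality): flag two successful logons by the same user from different countries when the delta between them falls inside a configurable time window. The event field names, the one-hour default window and the sample events are assumptions constructed for illustration, not an Entra ID or Auditor schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events; field names are assumed for this example.
EVENTS = [
    {"user": "alice@example.com", "country": "IT", "time": "2010-10-10T12:30:00", "success": True},
    {"user": "alice@example.com", "country": "US", "time": "2010-10-10T12:35:00", "success": True},
    # Same country change, but 14 hours apart: plausible travel under a 1h window.
    {"user": "bob@example.com", "country": "IT", "time": "2010-10-10T09:00:00", "success": True},
    {"user": "bob@example.com", "country": "US", "time": "2010-10-10T23:00:00", "success": True},
    # Failed logon from another country: only successful logons are compared.
    {"user": "carol@example.com", "country": "IT", "time": "2010-10-10T12:00:00", "success": True},
    {"user": "carol@example.com", "country": "US", "time": "2010-10-10T12:02:00", "success": False},
]


def impossible_travel(events, window=timedelta(hours=1)):
    """Return (user, previous_country, country, delta) for each successful logon
    that follows the same user's previous successful logon from a different
    country within `window`."""
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of the previous successful logon
    parsed = [(datetime.fromisoformat(e["time"]), e) for e in events]
    # Logs rarely arrive in order, so sort by timestamp before comparing.
    for ts, event in sorted(parsed, key=lambda pair: pair[0]):
        if not event["success"]:
            continue
        previous = last_seen.get(event["user"])
        if previous is not None:
            prev_ts, prev_country = previous
            delta = ts - prev_ts
            if prev_country != event["country"] and delta <= window:
                alerts.append((event["user"], prev_country, event["country"], delta))
        last_seen[event["user"]] = (ts, event["country"])
    return alerts


if __name__ == "__main__":
    for user, src, dst, delta in impossible_travel(EVENTS):
        print(f"ALERT {user}: {src} -> {dst} within {delta}")
```

Both countries in the flagged pair can be on the allow-list, which is why per-logon country alerts do not catch this case.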