From Noise to Signal: Tuning Impossible Travel Alerts in Microsoft Sentinel
One of the biggest sources of noise in our SOC is “impossible travel” detections. Too many false positives, and analysts stop trusting the alerts, wasting valuable time triaging benign activity. Too much suppression, and you risk missing real anomalies.
With a major new government client, we needed to strike the right balance and address the reality that HR and policy rarely move at the speed required for a high-paced SOC. While we have been working with this and other key customers to uplift their travel and remote work policies, we have also invested heavily in noise reduction. This has freed up SOC capacity for higher-value tasks such as threat hunting, detection engineering, and maturing our advisory and IOC mapping practices.
Over the past few months I have refined this use case in Microsoft Sentinel through:
Custom UEBA-style logic to highlight true anomalies
Trusted-device and service exclusions to cut high-confidence false positives
A known overseas-user watchlist for targeted suppression of expected travel and VPN usage
An investigation automation (Logic Apps) that collects key incident data, converts it into user-friendly strings, and emails both the user and their manager with next steps
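The first three items above (UEBA-style velocity logic, trusted-device and service exclusions, and watchlist-based suppression) can be combined in a single Sentinel analytic rule. The KQL below is an added example written for this post, not the author's production rule. It assumes a watchlist named KnownOverseasUsers whose SearchKey is the user's UPN and which carries a Country column, a hard-coded list of service accounts, a corporate VPN egress range (203.0.113.0/24 is a placeholder), and speed and distance thresholds that are illustrative, not tuned values.

```kql
// Added example: impossible-travel detection with exclusions and watchlist suppression.
// Assumed names: watchlist 'KnownOverseasUsers' (SearchKey = UPN, column 'Country'),
// service-account UPNs, the VPN egress range and both thresholds are placeholders.
let lookback = 1d;
let maxSpeedKmh = 900.0;   // faster than a commercial flight between two sign-ins
let minDistanceKm = 500.0; // ignore short hops caused by geo-IP jitter
let serviceAccounts = dynamic(["svc-backup@contoso.example", "svc-sync@contoso.example"]);
let vpnEgressRanges = dynamic(["203.0.113.0/24"]);  // placeholder corporate VPN egress
let knownOverseas = _GetWatchlist('KnownOverseasUsers')
    | project WatchlistUpn = tolower(tostring(SearchKey)),
              ExpectedCountry = tostring(Country);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                       // successful sign-ins only
| extend Upn = tolower(UserPrincipalName)
| where Upn !in (serviceAccounts)               // service exclusions
| where not(ipv4_is_in_any_range(IPAddress, vpnEgressRanges))  // known VPN egress
// trusted-device exclusion: compliant, managed or domain-joined corporate devices
| extend IsTrustedDevice = tobool(DeviceDetail.isCompliant)
                        or tobool(DeviceDetail.isManaged)
                        or tostring(DeviceDetail.trustType) in ("Azure AD joined", "Hybrid Azure AD joined")
| extend Lat = todouble(LocationDetails.geoCoordinates.latitude),
         Lon = todouble(LocationDetails.geoCoordinates.longitude),
         Country = tostring(LocationDetails.countryOrRegion)
| where isnotnull(Lat) and isnotnull(Lon)
// pair each sign-in with the user's previous sign-in
| order by Upn asc, TimeGenerated asc
| extend PrevUpn = prev(Upn), PrevTime = prev(TimeGenerated),
         PrevLat = prev(Lat), PrevLon = prev(Lon),
         PrevCountry = prev(Country), PrevIP = prev(IPAddress)
| where PrevUpn == Upn
| extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0,
         HoursBetween = (TimeGenerated - PrevTime) / 1h
| where DistanceKm >= minDistanceKm
| extend SpeedKmh = iff(HoursBetween > 0, DistanceKm / HoursBetween, real(+inf))
| where SpeedKmh > maxSpeedKmh
| where not(IsTrustedDevice)
// watchlist suppression: expected travel for known overseas users is suppressed
// when either end of the pair is in their expected country
| join kind=leftouter knownOverseas on $left.Upn == $right.WatchlistUpn
| where isempty(WatchlistUpn)
     or (ExpectedCountry != Country and ExpectedCountry != PrevCountry)
| project TimeGenerated, Upn, PrevTime, PrevCountry, PrevIP, Country, IPAddress,
          DistanceKm = round(DistanceKm, 0), HoursBetween = round(HoursBetween, 2),
          SpeedKmh = round(SpeedKmh, 0), AppDisplayName,
          DeviceId = tostring(DeviceDetail.deviceId)
```

Two design points matter when tuning. The distance floor is applied before the speed check, because geo-IP databases often place neighbouring cities at the wrong coordinates and a 20 km "jump" in five minutes produces an absurd speed that has nothing to do with travel. The watchlist join is a leftouter join evaluated last, so suppression never removes a row from the velocity calculation itself; a watchlisted user who signs in from a third country that matches neither their home nor their expected location still surfaces.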
The result: less noise, clearer signals, and faster responses for the alerts that matter.