Which detection policy is triggered if the same user credentials are used to log in from two geographically distant locations within a short span of time?
A. B. C. D.
Correct Answer: C. Option C is correct.
The impossible travel policy is triggered when two user activities originate from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second.
Options A, B and D are incorrect, as none of them is the detection policy that covers this scenario.
The correct answer is "C. Impossible travel".
"Impossible travel" is a detection policy in Microsoft Defender for Identity that uses machine learning algorithms to detect suspicious logon activities that indicate that a user has traveled impossible distances in a short amount of time. This policy is designed to detect potential insider threats, such as compromised user accounts, that may be used to gain unauthorized access to sensitive data or resources.
When a user's credentials are used to log in from two geographically far away locations within a short span of time, it may indicate that the user's account has been compromised or that someone else is using the user's credentials to log in from a different location. The "Impossible travel" policy can detect this suspicious activity and trigger an alert to notify security teams to investigate and take appropriate action.
The "Impossible travel" policy works by analyzing the location of the user's logon events and comparing them to the user's expected travel patterns based on historical logon data. If the logon events indicate that the user has traveled a distance that is physically impossible to travel within the given timeframe, the policy will generate an alert.
In summary, "Impossible travel" is a detection policy that uses machine learning to detect suspicious logon activities that indicate a potential insider threat. It analyzes the location of the user's logon events and compares them to the user's expected travel patterns based on historical data to detect potential unauthorized access.
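As an added illustration (not part of the original question and not Microsoft's own detection code), the distance-over-time check described above, run over constructed sign-in events for one account; the airline-speed threshold, the minimum-distance filter and the sample coordinates are assumptions:

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0

# Constructed sample sign-in events for one account (not real telemetry).
# Each event: (ISO-8601 UTC timestamp, city label, latitude, longitude).
SIGN_INS = [
    ("2024-05-01T08:00:00Z", "London", 51.5074, -0.1278),
    ("2024-05-01T14:00:00Z", "Sydney", -33.8688, 151.2093),
    ("2024-05-01T12:00:00Z", "Paris", 48.8566, 2.3522),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive sign-ins whose implied speed exceeds max_speed_kmh.

    max_speed_kmh approximates commercial airline speed; min_distance_km
    suppresses noise from geo-IP jitter between nearby points. Both are
    assumed thresholds, not values from any vendor's implementation.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if dist < min_distance_km:
            continue
        hours = (parse_ts(cur[0]) - parse_ts(prev[0])).total_seconds() / 3600
        # Simultaneous sign-ins from distant places are impossible by definition.
        speed = math.inf if hours == 0 else dist / hours
        if speed > max_speed_kmh:
            alerts.append({"from": prev[1], "to": cur[1], "distance_km": round(dist),
                           "hours": round(hours, 2), "speed_kmh": round(speed)})
    return alerts

if __name__ == "__main__":
    for a in impossible_travel(SIGN_INS):
        print(f"ALERT: {a['from']} -> {a['to']}: {a['distance_km']} km in "
              f"{a['hours']} h (~{a['speed_kmh']} km/h)")
```

Run as-is it reports only the Paris-to-Sydney pair; the London-to-Paris hop (roughly 340 km in four hours) stays under the threshold, which is the comparison against feasible travel that the policy description refers to.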