Hi Bilal Beyah
Here is my recommendation:
- Create a Dynamic Group: create a dynamic group that includes only the employees who are expected to work from specific locations, such as the U.S. (This assumes that you have the location attribute updated in Azure Active Directory.)
- Creating a Detection Rule for the Dynamic Group: create a custom detection rule that applies to the dynamic group you created. This rule will monitor sign-ins and generate alerts when the identity logon event locale is not in the U.S. Refer to: https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules
Another option is to create Defender for Cloud Apps anomaly detection policies.
If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.
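
The query below sketches the kind of custom detection rule the answer describes, as an added example that is not part of the original answer or Microsoft's own code. It assumes the advanced hunting tables `IdentityInfo` and `IdentityLogonEvents` are populated in the tenant, uses the `IdentityInfo` country attribute as a stand-in for the dynamic group's membership rule, and uses constructed values ("United States", "US") that must be matched to your own directory and logon data.

```kql
// Added example: out-of-country sign-ins for users expected to work from the U.S.
// Assumption: IdentityInfo.Country mirrors the directory attribute that the
// dynamic group rule keys on; "United States" is a constructed sample value.
let ExpectedCountryAttr = "United States";
// Assumption: IdentityLogonEvents.Location holds a two-letter country code in
// this tenant. Sample your own data first and adjust the list if it does not.
let AllowedLogonLocations = dynamic(["US"]);
// Latest directory record per user, kept only if the user is in scope.
let InScopeUsers =
    IdentityInfo
    | where Timestamp > ago(14d)
    | summarize arg_max(Timestamp, Country) by AccountObjectId
    | where Country == ExpectedCountryAttr
    | project AccountObjectId;
IdentityLogonEvents
| where Timestamp > ago(1h)
| where ActionType == "LogonSuccess"
// Skip events with no resolved location so unknowns do not flood the alert queue.
| where isnotempty(Location) and Location !in (AllowedLogonLocations)
| where AccountObjectId in (InScopeUsers)
// Custom detection rules need Timestamp, ReportId and an entity column
// (here AccountObjectId) in the result set.
| project Timestamp, ReportId, AccountObjectId, AccountUpn, Location, IPAddress, ISP, Application
```

Run it in advanced hunting over a longer window first to see how many hits come from VPN egress points or travelling staff before saving it as a detection rule.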