We have configured a policy that triggers an alert if a user logs in from a country that is not allowed.
The thing is that we occasionally have users connecting from this countries (business trips, holidays, etc). We have whitelisted these IP's (all the IP are static) as corporate but the policy keeps triggering.
The alerts show the whitelisted IP.
The whitelist is performed in the "IP address ranges" from MCAS.