▲ 2 r/DefenderATP
International IPs
Hi everyone.
Had a false positive last week regarding a user being compromised. While investigating, I noticed that SharePoint and OneDrive consistently show international IPs in Defender.
I was curious if anyone else had noticed this and knew why. A large number of users show an international IP address when accessing those sites, but no other indication on their account of international activity. My best guess is that they're accessing servers internationally, but I was advised that this shouldn't be the case, and if it is, they should be blocked per our security policy.
u/Due-Advice-7131 — 7 days ago