# Office 365 Impossible Travel

**Alert Overview:** This alert triggers when a user account is successfully accessed from geographically distant locations within an impossible time frame, indicating potential account compromise.

**Step 1: Initial Dashboard Review**

1. **Navigate** to the default "Security Detections" dashboard in your CybrHawk Analyst Console.
2. **Locate** the "Impossible Travel" alert in the table to the left and click on the filter to select it:

<figure><img src="/files/8SEdGP9bRHsOb0yB4ySd" alt=""><figcaption></figcaption></figure>

The dashboard will refresh and show only the selected alert. Review the impacted users, indicators, and techniques for quick awareness. To investigate a single user, select (filter) that user.

3. **Do an initial review:**

   1. Review the `td.alert.message` field, which contains a summary of the detection:

   <figure><img src="/files/oZH81lIayfdYHzPouUaK" alt=""><figcaption></figcaption></figure>

   2. Expand the alert using the `>` on the left side and inspect the available fields in the detection feed: logon locations, user agent, username, and ISP to determine the event outcome.
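
To sanity-check the alert by hand, the sketch below computes the implied travel speed between two logons and notes whether the user agent and ISP changed. It is an added example, not CybrHawk's detection logic; the record fields (`time`, `lat`, `lon`, `user_agent`, `isp`), the 900 km/h ceiling, and the 100 km jitter floor are assumptions, and the sample logons are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0       # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 100  # assumed floor: ignore geo-IP jitter between nearby points

def logon(ts, lat, lon, user_agent, isp):
    """Build one logon record (field names are hypothetical, not the console's schema)."""
    return {"time": datetime.fromisoformat(ts), "lat": lat, "lon": lon,
            "user_agent": user_agent, "isp": isp}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def assess_pair(a, b, max_kmh=MAX_KMH):
    """Compare two successful logons for one user and summarise triage signals."""
    first, second = sorted((a, b), key=lambda e: e["time"])
    km = haversine_km(first["lat"], first["lon"], second["lat"], second["lon"])
    hours = (second["time"] - first["time"]).total_seconds() / 3600
    # Simultaneous logons from different places have no finite speed.
    kmh = km / hours if hours > 0 else float("inf")
    return {
        "distance_km": round(km),
        "hours": round(hours, 2),
        "impossible": km > MIN_DISTANCE_KM and kmh > max_kmh,
        "user_agent_changed": first["user_agent"] != second["user_agent"],
        "isp_changed": first["isp"] != second["isp"],
    }

# Constructed sample logons (not real data).
SAMPLE = [
    logon("2024-05-01T09:00:00+00:00", 40.71, -74.01, "Edge/124 Windows", "ISP-A"),   # New York
    logon("2024-05-01T10:30:00+00:00", 1.35, 103.82, "python-requests/2.31", "ISP-B"),  # Singapore
    logon("2024-05-02T08:00:00+00:00", 51.51, -0.13, "Edge/124 Windows", "ISP-C"),    # London
    logon("2024-05-02T11:00:00+00:00", 48.86, 2.35, "Edge/124 Windows", "ISP-D"),     # Paris
]

if __name__ == "__main__":
    print(assess_pair(SAMPLE[0], SAMPLE[1]))  # impossible: ~15,000 km in 1.5 h
    print(assess_pair(SAMPLE[2], SAMPLE[3]))  # plausible: ~340 km in 3 h
```

Geo-IP coordinates are approximate, so treat the result as a triage aid to read alongside the user agent and ISP comparison.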

