Synopsis
Activation Period | 14 Days |
Training Period | 30 Days |
Test Period | 6 Hours |
Deduplication Period | 1 Day |
Required Data | |
Required Detection Modules | |
ATT&CK Tactic | |
ATT&CK Technique | |
Severity | Low |
Description
A user connected from several remote countries within a short period of time, and at least one of those countries is not commonly used in the organization. This may indicate that the account is compromised.
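The logic described above can be sketched over authentication logs as follows. This is an added example, not the product's own implementation. It assumes a constructed `timestamp,user,country` log format, reads the Test Period (6 hours) as the detection window and the Training Period (30 days) as the organization baseline, and uses the hypothetical thresholds `MIN_COUNTRIES` and `RARE_MAX_USERS`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)  # assumed: baseline window (page's Training Period)
TEST = timedelta(hours=6)      # assumed: detection window (page's Test Period)
MIN_COUNTRIES = 2              # hypothetical reading of "several"
RARE_MAX_USERS = 1             # hypothetical: uncommon if <= 1 baseline user

def parse(line):
    ts, user, country = line.strip().split(",")
    return datetime.fromisoformat(ts), user, country

def detect(lines, now):
    """Return {user: (countries_in_window, uncommon_countries)} for alerts."""
    events = [parse(l) for l in lines if l.strip()]
    start = now - TEST
    # Organization baseline: distinct users seen per country before the window.
    baseline = defaultdict(set)
    for ts, user, country in events:
        if start - TRAINING <= ts < start:
            baseline[country].add(user)
    # Countries each user connected from inside the detection window.
    recent = defaultdict(set)
    for ts, user, country in events:
        if start <= ts <= now:
            recent[user].add(country)
    alerts = {}
    for user, countries in recent.items():
        rare = {c for c in countries
                if len(baseline.get(c, ())) <= RARE_MAX_USERS}
        # Alert only when both conditions from the description hold.
        if len(countries) >= MIN_COUNTRIES and rare:
            alerts[user] = (sorted(countries), sorted(rare))
    return alerts

# Constructed sample log lines (not real data).
SAMPLE = """\
2024-05-01T09:00:00,alice,US
2024-05-03T09:00:00,bob,US
2024-05-05T10:00:00,carol,DE
2024-05-06T10:00:00,dave,DE
2024-05-07T10:00:00,carol,US
2024-05-20T08:00:00,alice,US
2024-05-20T09:30:00,alice,BR
2024-05-20T10:00:00,carol,US
2024-05-20T11:00:00,carol,DE
""".splitlines()
NOW = datetime(2024, 5, 20, 12, 0, 0)

if __name__ == "__main__":
    print(detect(SAMPLE, NOW))
```

In the sample, `carol` also connects from two countries inside the window, but both are common in the baseline, so only `alice` is flagged.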
Attacker's Goals
Gain user-account credentials.
Investigative actions
Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.