Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 30 Days |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user connected to a VPN from an unusual country that the user has not connected from before. This may indicate the account was compromised.
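The first-seen-country logic described above, as an added example run over constructed VPN login events (it is not the product's own detector). The event fields, the reading of the activation period as minimum per-user history, and the rule that only successful logins update the baseline are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)    # page: Training Period (baseline look-back)
DEDUP = timedelta(days=30)       # page: Deduplication Period
ACTIVATION = timedelta(days=14)  # page: Activation Period; assumed here to mean
                                 # minimum observed history per user before alerting

# Constructed sample VPN logins: (timestamp, user, source country, auth succeeded)
SAMPLE_EVENTS = [
    ("2024-01-01T08:00:00", "alice", "US", True),
    ("2024-01-10T08:00:00", "alice", "US", True),
    ("2024-01-20T08:00:00", "alice", "US", True),
    ("2024-01-20T10:00:00", "bob", "DE", True),
    ("2024-01-25T09:00:00", "alice", "BR", False),  # new country -> alert
    ("2024-01-25T10:00:00", "bob", "FR", True),     # only 5 days of history
    ("2024-01-26T09:00:00", "alice", "BR", False),  # inside dedup window
    ("2024-02-10T08:00:00", "alice", "US", True),
    ("2024-03-05T09:00:00", "alice", "BR", False),  # dedup expired -> alert
]

def detect_unusual_country(events):
    """Return (timestamp, user, country, auth_ok) for first-seen-country logins."""
    history = defaultdict(list)  # user -> [(time, country)] of successful logins
    first_seen = {}              # user -> time of first observed login
    last_alert = {}              # (user, country) -> time of last alert
    alerts = []
    for ts, user, country, auth_ok in sorted(events):
        now = datetime.fromisoformat(ts)
        first_seen.setdefault(user, now)
        # Countries this user logged in from during the training window.
        baseline = {c for t, c in history[user] if now - t <= TRAINING}
        mature = now - first_seen[user] >= ACTIVATION
        if mature and baseline and country not in baseline:
            prev = last_alert.get((user, country))
            if prev is None or now - prev > DEDUP:
                alerts.append((ts, user, country, auth_ok))
                last_alert[(user, country)] = now
        if auth_ok:  # assumption: only successful logins teach the baseline
            history[user].append((now, country))
    return alerts

if __name__ == "__main__":
    for alert in detect_unusual_country(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the authentication result, so the analyst can start with the first investigative step without a second lookup.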
Attacker's Goals
Use an account that was possibly compromised to gain access to the network.
Investigative actions
- See whether the service authentication was successful.
- Confirm that the activity is benign (e.g. the user has switched locations and providers).
- Verify if the country is an approved country to connect from.
- Follow further actions performed by the user.