Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user attempted to connect from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
Attacker's Goals
Use an account that was possibly compromised to gain access to the network.
Investigative actions
- See whether the service authentication was successful.
- Confirm that the activity is benign (e.g. the user has switched locations and providers).
- Verify if the country is an approved country to connect from.
- Track further actions performed by the user.
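
The detection described above, sketched as an added example that is not the vendor's implementation: it flags a login attempt from a country with no organization-wide history, using the 30-day training period and 1-day deduplication period from the synopsis, and attaches the two facts the investigative actions ask for. The event tuples, the `APPROVED` allow-list, the sliding 30-day baseline and the rule that only successful logins extend the baseline are assumptions.

```python
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)  # "Training Period" in the synopsis
DEDUP = timedelta(days=1)      # "Deduplication Period" in the synopsis
APPROVED = {"US", "DE"}        # hypothetical allow-list used for triage

# Constructed sample events: (time, user, country, auth_succeeded)
EVENTS = [
    ("2024-03-01T08:00", "alice", "US", True),
    ("2024-03-02T09:10", "bob", "DE", True),
    ("2024-03-20T07:45", "alice", "DE", True),   # new for alice, known to the org
    ("2024-04-05T03:12", "bob", "BR", False),    # first org-wide sighting, failed
    ("2024-04-05T03:40", "bob", "BR", True),     # same user/country within a day
    ("2024-04-07T11:00", "carol", "BR", True),   # BR is now in the baseline
]

def detect(events):
    """Return alerts for logins from a country with no org-wide history."""
    last_seen = {}    # country -> time of last successful org login
    last_alert = {}   # (user, country) -> time of last alert
    alerts, start = [], None
    for ts, user, country, ok in sorted(events):
        now = datetime.fromisoformat(ts)
        start = start or now
        seen = last_seen.get(country)
        # Assumption: a country unseen for longer than TRAINING counts as new.
        is_new = seen is None or now - seen > TRAINING
        # No alerts until a full training period of data has been observed.
        trained = now - start >= TRAINING
        prev = last_alert.get((user, country))
        duplicate = prev is not None and now - prev < DEDUP
        if is_new and trained and not duplicate:
            last_alert[(user, country)] = now
            alerts.append({"time": ts, "user": user, "country": country,
                           "auth_succeeded": ok,
                           "approved_country": country in APPROVED})
        if ok:  # assumption: only successful logins extend the baseline
            last_seen[country] = now
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Because the baseline is organization-wide, alice's first login from DE raises nothing, while bob's failed attempt from BR does, and his successful retry 28 minutes later is suppressed by deduplication.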