Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user connected to an SSO service from an unusual country that no one from this organization has connected from before. This may indicate the account was compromised.
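The following sketch is an added example, not the product's own detection code. It shows one way to implement the logic described above over SSO login records. It assumes the Training Period is a 30-day organization-wide lookback (and warm-up), the Deduplication Period suppresses repeat alerts per user and country, and the baseline refreshes once a day; the event tuple layout and all names are hypothetical.

```python
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)  # assumed meaning of the page's Training Period
DEDUP = timedelta(days=1)      # assumed meaning of the page's Deduplication Period

def find_new_country_logins(events):
    """events: (timestamp, user, country) tuples (hypothetical schema).
    Returns (timestamp, user, country) for each login from a country nobody
    in the organization used on an earlier day within the training window."""
    events = sorted(events, key=lambda e: e[0])
    baseline = {}    # country -> latest login time from it on an earlier day
    today = {}       # countries seen on the current day, merged at day rollover
    last_alert = {}  # (user, country) -> time of the last alert raised
    alerts, current_day = [], None
    for ts, user, country in events:
        if ts.date() != current_day:       # assumption: baseline refreshes daily
            baseline.update(today)
            today, current_day = {}, ts.date()
        if not country:                    # geolocation failed: nothing to compare
            continue
        trained = ts - events[0][0] >= TRAINING  # stay silent while still learning
        prev = baseline.get(country)
        unseen = prev is None or ts - prev > TRAINING  # never seen, or aged out
        key = (user, country)
        if trained and unseen and (
                key not in last_alert or ts - last_alert[key] >= DEDUP):
            alerts.append((ts, user, country))
            last_alert[key] = ts
        today[country] = ts
    return alerts

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample SSO logins, not real data.
SAMPLE = [
    (_t("2024-01-01T08:00"), "alice", "US"),
    (_t("2024-01-10T08:00"), "alice", "FR"),  # inside training: learned, no alert
    (_t("2024-01-20T08:00"), "bob", "US"),
    (_t("2024-02-04T08:00"), "alice", "US"),  # known country: no alert
    (_t("2024-02-05T09:00"), "bob", "BR"),    # first BR login in the org: alert
    (_t("2024-02-05T10:00"), "dave", None),   # no geolocation: skipped
    (_t("2024-02-05T15:00"), "bob", "BR"),    # same user/country within 1 day: suppressed
    (_t("2024-02-05T16:00"), "carol", "BR"),  # different user, same day: alert
    (_t("2024-02-06T09:00"), "alice", "BR"),  # BR is in the baseline now: no alert
    (_t("2024-02-20T09:00"), "alice", "FR"),  # FR last seen 41 days ago: alert
]
```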
Attacker's Goals
Gain user-account credentials.
Investigative actions
Check whether the user is currently located in the aforementioned country or routed their traffic there via a VPN.