Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Hour
Required Data |
Detection Modules | Identity Analytics
Detector Tags | Honey User Analytics
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
A VPN login attempt was made by a honey user, a decoy account created specifically to detect unauthorized access. This may indicate potential attacker activity.
Attacker's Goals
An attacker is attempting to gain unauthorized access by exploiting valid or stolen credentials.
Investigative actions
- Confirm that the alert was triggered by a honey user account.
- Check for other login attempts on different accounts from the same source IP.
- Analyze any subsequent actions performed by the user after the login attempt.
- Follow further actions performed by the user.
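
The first two investigative actions, sketched as an added example (not part of the original page and not any product's own logic): it flags VPN attempts by a honey user, then lists the other accounts tried from the same source IP. The event fields, the decoy name `hp-jsmith`, the sample events, and the way the 1-hour deduplication period is applied are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not real data):
# (timestamp, user, source IP, outcome). IPs are from documentation ranges.
EVENTS = [
    ("2024-05-01T08:00:00", "alice",      "198.51.100.7", "success"),
    ("2024-05-01T09:10:00", "svc-backup", "203.0.113.20", "failure"),
    ("2024-05-01T09:12:00", "hp-jsmith",  "203.0.113.20", "failure"),
    ("2024-05-01T09:40:00", "hp-jsmith",  "203.0.113.20", "failure"),
    ("2024-05-01T09:45:00", "bob",        "203.0.113.20", "success"),
    ("2024-05-01T10:30:00", "hp-jsmith",  "203.0.113.20", "success"),
]
HONEY_USERS = {"hp-jsmith"}   # hypothetical decoy account name
DEDUP = timedelta(hours=1)    # deduplication period from the synopsis

def parse(events):
    """Sort by ISO timestamp and convert it to a datetime."""
    return [(datetime.fromisoformat(ts), u, ip, o) for ts, u, ip, o in sorted(events)]

def honey_alerts(events, honey_users=HONEY_USERS, dedup=DEDUP):
    """One alert per (honey user, source IP) per dedup window; any attempt counts."""
    last_alert, alerts = {}, []
    for ts, user, ip, outcome in parse(events):
        if user.lower() not in honey_users:
            continue
        key = (user.lower(), ip)
        if key in last_alert and ts - last_alert[key] < dedup:
            continue  # suppressed: still inside the window of the previous alert
        last_alert[key] = ts
        alerts.append({"time": ts, "user": user, "src_ip": ip, "outcome": outcome})
    return alerts

def pivot_on_source(events, alerts, honey_users=HONEY_USERS):
    """For each alerting source IP, map the other accounts it tried to their outcomes."""
    by_ip = defaultdict(lambda: defaultdict(set))
    alert_ips = {a["src_ip"] for a in alerts}
    for _ts, user, ip, outcome in parse(events):
        if ip in alert_ips and user.lower() not in honey_users:
            by_ip[ip][user].add(outcome)
    return {ip: {u: sorted(o) for u, o in users.items()} for ip, users in by_ip.items()}

if __name__ == "__main__":
    alerts = honey_alerts(EVENTS)
    for a in alerts:
        print(a["time"].isoformat(), a["user"], a["src_ip"], a["outcome"])
    print(pivot_on_source(EVENTS, alerts))
```

A successful login by a real account from the same source, such as `bob` in the sample data, is the result that most warrants following that account's subsequent activity.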