Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 1 Hour
Deduplication Period | 1 Day
Required Data | Requires one of the following data sources: AzureAD, Azure SignIn Log, Duo, Okta, OneLogin, or PingOne
Detection Modules | Identity Analytics
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
A user accessed multiple resources via SSO that are unusual for this user, relative to the resources seen for that user during the training period. This may be indicative of a compromised account.
Attacker's Goals
Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
Investigative actions
Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity. Check whether a role change, a new project, or a recently onboarded application explains the new resources, and correlate with the sign-in context (source IP, device, MFA outcome) and any other alerts on the same user in the same window.
Variations
A user accessed multiple resources via SSO using an anonymized proxy
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Medium
Description
A user accessed multiple resources via SSO, using an anonymized proxy, that are unusual for this user. This may be indicative of a compromised account.
Attacker's Goals
Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
Investigative actions
Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity. Confirm the anonymized proxy classification of the source IP and whether the user has a sanctioned reason to route traffic through it; access to previously unused resources from an anonymizing service is a stronger compromise indicator than either signal alone, which is why this variation carries a higher severity.
Suspicious user access to multiple resources via SSO
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
A user accessed multiple resources via SSO that are unusual for this user. This may be indicative of a compromised account.
Attacker's Goals
Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
Investigative actions
Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity.
Multiple Resource Access from a New IP via SSO
Synopsis
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
A user accessed multiple resources via SSO that are unusual for this user, from an IP address not previously seen for this user. This may be indicative of a compromised account.
Attacker's Goals
Unusual resources may be accessed for various purposes, including exfiltration, lateral movement, etc.
Investigative actions
Investigate the resources that were accessed to determine if they were used for legitimate purposes or malicious activity. Check whether the new IP address belongs to a known corporate range, VPN egress, or the user's usual geography and ISP, and whether the user's other sign-ins in the period came from the same address.
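As an added illustration of the baseline logic these four entries share (a 30-day training period, a 1-hour test period, 1-day deduplication, and the severity ladder from Informational through Low to Medium), the following Python is example code written for this page, not the detector's actual implementation. The event schema, the MIN_UNUSUAL threshold standing in for "multiple", and the rule that an anonymized-proxy or previously unseen source IP selects the Medium or Low variation are assumptions. The page does not say what distinguishes the "Suspicious user access" Low-severity variation, so it is not modeled, and the 14-day activation period is left out.

```python
"""
Added example (not the detector's own code): a minimal baseline-vs-test-window
model of the "multiple unusual resources via SSO" detector and its variations.
Assumptions: the normalized event fields, MIN_UNUSUAL as the meaning of
"multiple", and the rule that an anonymized-proxy or new-IP signal escalates
the severity. The 14-day activation period is not modeled.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRAINING_PERIOD = timedelta(days=30)   # from the synopsis
TEST_PERIOD = timedelta(hours=1)       # from the synopsis
DEDUP_PERIOD = timedelta(days=1)       # from the synopsis
MIN_UNUSUAL = 2                        # assumption: "multiple" = at least two


def ev(ts, user, resource, src_ip, anon_proxy=False):
    """Build one normalized SSO sign-in event (schema invented for this example)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "resource": resource,
            "src_ip": src_ip, "anon_proxy": anon_proxy}


# Constructed sample events: a 30-day history followed by two 1-hour windows.
EVENTS = [
    ev("2024-05-01T09:00", "alice", "Salesforce", "10.0.0.5"),
    ev("2024-05-10T09:00", "alice", "Office365", "10.0.0.5"),
    ev("2024-05-20T09:00", "bob", "Jira", "10.0.0.7"),
    ev("2024-05-22T09:00", "carol", "Confluence", "10.0.0.9"),
    ev("2024-05-25T09:00", "dave", "Jira", "10.0.0.11"),
    # window 1: 2024-06-01 10:00-11:00
    ev("2024-06-01T10:05", "alice", "GitHub", "10.0.0.5"),
    ev("2024-06-01T10:06", "alice", "AWS Console", "10.0.0.5"),
    ev("2024-06-01T10:20", "bob", "Snowflake", "203.0.113.9", anon_proxy=True),
    ev("2024-06-01T10:21", "bob", "Okta Admin", "203.0.113.9", anon_proxy=True),
    ev("2024-06-01T10:30", "carol", "Confluence", "10.0.0.9"),
    ev("2024-06-01T10:31", "carol", "Jira", "10.0.0.9"),
    ev("2024-06-01T10:40", "dave", "Salesforce", "198.51.100.4"),
    ev("2024-06-01T10:41", "dave", "GitHub", "198.51.100.4"),
    # window 2: 2024-06-01 11:00-12:00 (alice again, inside the dedup period)
    ev("2024-06-01T11:10", "alice", "Workday", "10.0.0.5"),
    ev("2024-06-01T11:12", "alice", "Zoom", "10.0.0.5"),
]
WINDOW_1 = datetime(2024, 6, 1, 10, 0)
WINDOW_2 = datetime(2024, 6, 1, 11, 0)


def build_baseline(events, window_start):
    """Per-user resources and source IPs seen in the training period before the window."""
    train_start = window_start - TRAINING_PERIOD
    baseline = defaultdict(lambda: {"resources": set(), "ips": set()})
    for e in events:
        if train_start <= e["ts"] < window_start:
            baseline[e["user"]]["resources"].add(e["resource"])
            baseline[e["user"]]["ips"].add(e["src_ip"])
    return baseline


def evaluate_window(events, window_start, last_alert=None):
    """Evaluate one test window; last_alert carries dedup state across calls."""
    last_alert = {} if last_alert is None else last_alert
    baseline = build_baseline(events, window_start)
    per_user = defaultdict(list)
    for e in events:
        if window_start <= e["ts"] < window_start + TEST_PERIOD:
            per_user[e["user"]].append(e)

    alerts = []
    for user, evs in per_user.items():
        seen = baseline[user]          # empty sets for a user with no history
        unusual = {e["resource"] for e in evs} - seen["resources"]
        if len(unusual) < MIN_UNUSUAL:
            continue
        # Variation selection mirrors the page's severity ladder (assumed rule).
        if any(e["anon_proxy"] for e in evs):
            variation, severity = "via anonymized proxy", "Medium"
        elif any(e["src_ip"] not in seen["ips"] for e in evs):
            variation, severity = "from a New IP", "Low"
        else:
            variation, severity = "base", "Informational"
        key = (user, variation)
        if key in last_alert and window_start - last_alert[key] < DEDUP_PERIOD:
            continue                   # suppressed: same user/variation alerted within a day
        last_alert[key] = window_start
        alerts.append({"user": user, "variation": variation,
                       "severity": severity, "unusual": sorted(unusual)})
    return alerts


if __name__ == "__main__":
    state = {}
    for w in (WINDOW_1, WINDOW_2):
        for a in evaluate_window(EVENTS, w, state):
            print(w.isoformat(), a)
```

Run as a script, the first window produces three alerts (alice Informational, bob Medium because of the anonymized proxy, dave Low because of the unseen IP) and none for carol, who touched only one new resource. The second window finds alice on two more new resources, but the 1-day deduplication suppresses the repeat; discarding the state shows it would otherwise fire again. Note that the baseline is rolling, so resources first seen in window 1 count as known by window 2, which is why a rapid "fan-out" across many applications tends to surface in the first window rather than trickle out over several.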