First SSO access from ASN for user

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-12-08

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AzureAD OR Azure SignIn Log OR Duo OR Google Workspace Authentication OR Okta OR OneLogin OR PingOne
Detection Modules	Identity Analytics
Detector Tags
ATT&CK Tactic	Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Domain Accounts (T1078.002)
Severity	Informational

A user successfully authenticated via SSO with a new ASN.

Use an account that was possibly compromised to gain access to the network.

Confirm that the activity is benign (e.g. the user has switched locations and providers).
Verify if the ASN is an approved ASN to authenticate from.
Follow further actions done by the user.

ATT&CK Tactic	Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Domain Accounts (T1078.002)
Severity	Low

First SSO access from ASN for user that shows suspicious characteristics.

Use an account that was possibly compromised to gain access to the network.

Confirm that the activity is benign (e.g. the user has switched locations and providers).
Verify if the ASN is an approved ASN to authenticate from.
Follow further actions done by the user.

ATT&CK Tactic	Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Domain Accounts (T1078.002)
Severity	Informational

A user successfully authenticated via SSO with a new ASN.

Use an account that was possibly compromised to gain access to the network.

Confirm that the activity is benign (e.g. the user has switched locations and providers).
Verify if the ASN is an approved ASN to authenticate from.
Follow further actions done by the user.