Managed Sentinel – Alert 001

Alert ID: MS-A001
Alert Name: Access by the same user to a system from multiple sources
Description: This alert is triggered when a Windows user accesses the same machine from multiple source locations within a predefined time frame.
Severity Level: High
Threat Indicator: Compromised Account
MITRE ATT&CK Tactics: Initial Access, Defense Evasion, Credential Access
Log sources: Windows Security Event Log
Recommendations:
1. Identify the user account whose credentials have been compromised.
2. Reset the password for the compromised Windows account.
3. Identify lateral movement of the compromised user account throughout the enterprise by performing additional queries in the Sentinel platform.
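The detection logic behind this alert, written out as an added example that is not the Managed Sentinel rule's own query: successful Windows logons (Event ID 4624) are grouped by target user and computer, and a finding is raised when one pair sees logons from two or more distinct source addresses inside a sliding window. The field names mirror the columns of the Sentinel SecurityEvent table (TimeGenerated, EventID, TargetUserName, Computer, IpAddress); the sample events, the 10-minute window and the two-source threshold are assumptions, since the alert text only says "a predefined time frame". Failed logons (4625) and local/service logons with no remote source are excluded so they do not inflate the source count.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events, reduced to the fields the rule
# needs. These are not real telemetry; jdoe's three logons to FS01 from three
# different sources within six minutes are the scenario the alert describes.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-15T09:00:00", "EventID": 4624, "TargetUserName": "jdoe",
     "Computer": "FS01", "IpAddress": "10.0.1.15", "LogonType": 3},
    {"TimeGenerated": "2024-01-15T09:04:00", "EventID": 4624, "TargetUserName": "jdoe",
     "Computer": "FS01", "IpAddress": "10.0.9.200", "LogonType": 3},
    {"TimeGenerated": "2024-01-15T09:06:00", "EventID": 4624, "TargetUserName": "jdoe",
     "Computer": "FS01", "IpAddress": "198.51.100.7", "LogonType": 10},
    {"TimeGenerated": "2024-01-15T09:30:00", "EventID": 4624, "TargetUserName": "asmith",
     "Computer": "FS01", "IpAddress": "10.0.1.20", "LogonType": 3},
    {"TimeGenerated": "2024-01-15T12:00:00", "EventID": 4624, "TargetUserName": "asmith",
     "Computer": "FS01", "IpAddress": "10.0.1.21", "LogonType": 3},
    # Failed logon: must not count as access from a new source.
    {"TimeGenerated": "2024-01-15T09:10:00", "EventID": 4625, "TargetUserName": "jdoe",
     "Computer": "FS01", "IpAddress": "203.0.113.9", "LogonType": 3},
    # Service logon with no remote address: must be ignored.
    {"TimeGenerated": "2024-01-15T09:12:00", "EventID": 4624, "TargetUserName": "svc_backup",
     "Computer": "FS01", "IpAddress": "-", "LogonType": 5},
]

# Sources that carry no meaningful remote location (assumed list).
IGNORED_SOURCES = {"-", "127.0.0.1", "::1"}


def detect_multi_source_access(events, window_minutes=10, min_sources=2):
    """Return one finding per (user, computer) pair that received successful
    logons from at least `min_sources` distinct source addresses within any
    sliding window of `window_minutes`. Window and threshold are assumptions."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4624 or ev["IpAddress"] in IGNORED_SOURCES:
            continue
        ts = datetime.fromisoformat(ev["TimeGenerated"])
        by_key[(ev["TargetUserName"], ev["Computer"])].append((ts, ev["IpAddress"]))

    window = timedelta(minutes=window_minutes)
    findings = []
    for (user, computer), logons in by_key.items():
        logons.sort()  # chronological, so the window only has to look forward
        for i, (start, _) in enumerate(logons):
            sources = {ip for ts, ip in logons[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                findings.append({
                    "user": user,
                    "computer": computer,
                    "window_start": start.isoformat(),
                    "sources": sorted(sources),
                })
                break  # one finding per pair is enough to open triage
    return findings


if __name__ == "__main__":
    for finding in detect_multi_source_access(SAMPLE_EVENTS):
        print(f"MS-A001: {finding['user']} on {finding['computer']} "
              f"from {len(finding['sources'])} sources since {finding['window_start']}: "
              f"{', '.join(finding['sources'])}")
```

With the defaults, only jdoe on FS01 is reported; asmith's two logons are 150 minutes apart and fall outside the 10-minute window, which is the kind of legitimate roaming a narrower window is meant to suppress. Widening the window to three hours would flag asmith as well, so the "predefined time frame" is the main tuning knob for false positives on this rule.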