|Alert Name||Access by the same user to a system from multiple sources|
|Description||This alert is triggered when a Windows user accesses the same machine from multiple locations within a predefined time frame.|
|Threat Indicator||Compromised Account|
|MITRE ATT&CK Tactics||Initial Access|
|Log sources||Windows Security Event Log|
|Recommendations||1. Identify the user account whose credentials have been compromised.
2. Reset the password for the compromised Windows account.
3. Identify lateral movement of the compromised user account throughout the enterprise by performing additional queries in the Sentinel platform.
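
The detection logic described above, as an added example that is not part of the original alert definition. It assumes successful logons arrive as Event ID 4624 records with `TargetUserName`, `IpAddress` and `Computer` fields, a 30-minute window and a threshold of two distinct sources; the page specifies none of these values, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: the page's "predefined time frame"
MIN_SOURCES = 2                 # assumption: distinct sources needed to alert
LOCAL = {"", "-", "127.0.0.1", "::1"}  # logons with no remote source address

def ev(time, event_id, host, user, ip):
    return {"TimeCreated": time, "EventID": event_id, "Computer": host,
            "TargetUserName": user, "IpAddress": ip}

# Constructed sample events (not real log data), shaped like Event ID 4624.
EVENTS = [
    ev("2024-05-01T09:00:00", 4624, "FS01", "alice", "10.0.0.15"),
    ev("2024-05-01T09:05:00", 4624, "FS01", "alice", "10.0.0.15"),     # same source
    ev("2024-05-01T09:10:00", 4624, "FS01", "Alice", "203.0.113.7"),   # second source
    ev("2024-05-01T09:12:00", 4624, "FS01", "bob", "10.0.0.22"),
    ev("2024-05-01T09:20:00", 4624, "FS01", "alice", "-"),             # local logon
    ev("2024-05-01T09:25:00", 4634, "FS01", "alice", "198.51.100.9"),  # not a logon, ignored
    ev("2024-05-01T11:00:00", 4624, "FS01", "bob", "10.0.0.40"),       # outside window
]

def detect(events, window=WINDOW, min_sources=MIN_SOURCES):
    """Alert when one user reaches one host from >= min_sources sources within window."""
    recent = defaultdict(deque)  # (user, host) -> (time, source) pairs still in window
    alerts = []
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"])):
        if e["EventID"] != 4624 or e["IpAddress"] in LOCAL:
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        key = (e["TargetUserName"].lower(), e["Computer"].lower())
        q = recent[key]
        while q and ts - q[0][0] > window:  # drop logons older than the window
            q.popleft()
        seen = {src for _, src in q}
        q.append((ts, e["IpAddress"]))
        # Alert only when this logon adds a new source, to avoid repeat alerts.
        if e["IpAddress"] not in seen and len(seen) + 1 >= min_sources:
            alerts.append({"user": key[0], "host": key[1], "time": ts,
                           "sources": sorted(seen | {e["IpAddress"]})})
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["time"], a["user"], a["host"], a["sources"])
```

Each alert lists the sources seen in the window, which gives the starting point for the account and lateral-movement review in the recommendations.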