Acer-eDC

SOAR report

Incident ID: 249

Successful logon from IP and failure from a different IP

Incident creation time (UTC)

2023-04-21T03:12:55.144963Z

Severity

Medium

Alert providers

["Azure Sentinel"]

Tactics

["InitialAccess","CredentialAccess"]

Incident description

Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP. This may indicate a malicious attempt at password guessing based on knowledge of the users account.

SOAR Creation time (UTC)
2023-04-21T14:18:52.7041333Z

SOAR action
Revoke-AADSignInSessions

Other detailed information
AAAA

Affected users

AADTenantId	AADUserId	AccountName	Country	DisplayName	FullName	TransitiveGroupsMembership	UPNSuffix
b391215f-603d-4a49-aa60-7613e01b22da	b9192a36-ee94-40cf-980f-2046cff0b7f5	mikelo		mikelo@kingwaytek.com	羅孟剛		kingwaytek.com
b391215f-603d-4a49-aa60-7613e01b22da	649a94c3-22a2-4f75-978c-cb57766998dc	knight	TW	knight@kingwaytek.com	曾治維	["車美仕RD","車聯網平台團隊","雲端數據處"]	kingwaytek.com
b391215f-603d-4a49-aa60-7613e01b22da	0ca4297b-b0cf-47b4-8f17-053b6a85153e	rayliu		rayliu@kingwaytek.com	劉瑞聖	["車美仕RD","雲端數據處","交通資訊應用團隊","智慧交通處","Carmax TigerIov HUAPI"]	kingwaytek.com