Acer-eDC

SOAR report

Incident ID: 249

Successful logon from IP and failure from a different IP

Incident creation time (UTC)

2023-04-21T03:12:55.144963Z

Severity

Medium

Alert providers

["Azure Sentinel"]

Tactics

["InitialAccess","CredentialAccess"]

Incident description

Identifies a user account that successfully signs in to an Azure application from one IP address and then, within 10 minutes, fails to sign in to the same application from a different IP address. This pattern may indicate a password-guessing attempt by someone who knows the user's account name.
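The correlation the description above specifies, as an added example that is not part of this report or of the Sentinel analytic rule it refers to: Python over constructed SigninLogs-style records. The field names mirror the Azure AD SigninLogs columns (TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, ResultType); the users, applications, IP addresses and the exclusion of ResultType 50058 as benign noise are my assumptions, not data from the incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Correlation window stated in the rule description ("within 10 mins").
WINDOW = timedelta(minutes=10)

# Assumption: failure codes treated as noise rather than as a failed credential.
# 50058 is the silent single-sign-on interruption that appears constantly in SigninLogs.
BENIGN_FAILURES = {"50058"}


@dataclass(frozen=True)
class SignIn:
    """One SigninLogs row reduced to the fields the rule needs."""
    time: datetime   # TimeGenerated
    upn: str         # UserPrincipalName
    app: str         # AppDisplayName
    ip: str          # IPAddress
    result: str      # ResultType: "0" = success, otherwise an AADSTS error code


def _t(hhmmss: str) -> datetime:
    # Timestamps are placed on 2023-04-21 UTC, the incident date on the page.
    return datetime.strptime(f"2023-04-21T{hhmmss}", "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample data (placeholder users, apps and RFC 5737 documentation IPs; not real logs).
SAMPLE: List[SignIn] = [
    SignIn(_t("03:00:00"), "alice@example.com", "Office 365 Exchange Online", "203.0.113.10", "0"),
    SignIn(_t("03:04:30"), "alice@example.com", "Office 365 Exchange Online", "198.51.100.7", "50126"),  # fires
    SignIn(_t("03:05:00"), "alice@example.com", "Azure Portal", "198.51.100.7", "50126"),  # different app
    SignIn(_t("03:06:00"), "bob@example.com", "Azure Portal", "203.0.113.20", "0"),
    SignIn(_t("03:07:00"), "bob@example.com", "Azure Portal", "203.0.113.20", "50126"),  # same IP
    SignIn(_t("03:10:00"), "carol@example.com", "Microsoft Teams", "203.0.113.30", "0"),
    SignIn(_t("03:25:00"), "carol@example.com", "Microsoft Teams", "198.51.100.9", "50126"),  # outside 10 min
    SignIn(_t("03:02:00"), "dave@example.com", "Microsoft Teams", "198.51.100.11", "50126"),
    SignIn(_t("03:03:00"), "dave@example.com", "Microsoft Teams", "203.0.113.40", "0"),  # failure before success
    SignIn(_t("03:03:30"), "dave@example.com", "Microsoft Teams", "198.51.100.11", "50058"),  # benign code
]


def correlate(events: Iterable[SignIn], window: timedelta = WINDOW) -> List[Dict[str, str]]:
    """One finding per (success, later failure) pair for the same user and app where the
    failure comes from a different IP no more than `window` after the success."""
    by_key: Dict[Tuple[str, str], List[SignIn]] = {}
    for e in events:
        by_key.setdefault((e.upn, e.app), []).append(e)

    findings: List[Dict[str, str]] = []
    for (upn, app), rows in by_key.items():
        successes = [r for r in rows if r.result == "0"]
        failures = [r for r in rows if r.result != "0" and r.result not in BENIGN_FAILURES]
        for ok in successes:
            for bad in failures:
                # Strictly after the success, inside the window, and from a different address.
                if ok.time < bad.time <= ok.time + window and bad.ip != ok.ip:
                    findings.append({
                        "upn": upn,
                        "app": app,
                        "success_ip": ok.ip,
                        "success_time": ok.time.isoformat(),
                        "failure_ip": bad.ip,
                        "failure_time": bad.time.isoformat(),
                        "failure_code": bad.result,
                    })
    findings.sort(key=lambda f: f["success_time"])
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

Only the alice pair fires on the sample: bob's failure comes from the same IP, carol's falls outside the window, dave's failure precedes his success and his second failure carries an excluded code. When triaging a finding of this kind, check whether the failing address is a known corporate egress or the user's mobile carrier before escalating, since a user moving between networks with a stale cached password produces the same pattern. Note also that the playbook action recorded below, Revoke-AADSignInSessions, ends the account's existing sessions but does not change its password; if the failures are genuine guessing, a password reset or MFA enforcement is the complementary step.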

SOAR Creation time (UTC)
2023-04-21T14:18:52.7041333Z

SOAR action
Revoke-AADSignInSessions

Other detailed information
AAAA

Affected users

User 1
AADTenantId: b391215f-603d-4a49-aa60-7613e01b22da
AADUserId: b9192a36-ee94-40cf-980f-2046cff0b7f5
AccountName: mikelo
Country: (not recorded)
DisplayName: mikelo@kingwaytek.com
FullName: 羅孟剛
TransitiveGroupsMembership: (none recorded)
UPNSuffix: kingwaytek.com

User 2
AADTenantId: b391215f-603d-4a49-aa60-7613e01b22da
AADUserId: 649a94c3-22a2-4f75-978c-cb57766998dc
AccountName: knight
Country: TW
DisplayName: knight@kingwaytek.com
FullName: 曾治維
TransitiveGroupsMembership: ["車美仕RD" (Carmax RD), "車聯網平台團隊" (Connected Car Platform Team), "雲端數據處" (Cloud Data Department)]
UPNSuffix: kingwaytek.com

User 3
AADTenantId: b391215f-603d-4a49-aa60-7613e01b22da
AADUserId: 0ca4297b-b0cf-47b4-8f17-053b6a85153e
AccountName: rayliu
Country: (not recorded)
DisplayName: rayliu@kingwaytek.com
FullName: 劉瑞聖
TransitiveGroupsMembership: ["車美仕RD" (Carmax RD), "雲端數據處" (Cloud Data Department), "交通資訊應用團隊" (Traffic Information Application Team), "智慧交通處" (Smart Transportation Department), "Carmax TigerIov HUAPI"]
UPNSuffix: kingwaytek.com