
User Logged In From New Location

This event fires when a known user logs in from a location not previously associated with that user.

Why this Event is Important

User logins to the data center are usually predictable: from a corporate office, over the VPN, or from a home office. Home office IP addresses are often dynamically allocated, but the geo-location of the address rarely changes when the lease is renewed, so a baseline built on location rather than on exact IP address tolerates that churn without losing the signal. A login from a location the user has never used before may indicate that the user's credentials have been compromised.
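The detection described above, as an added example that is not part of the original page: logins are walked in chronological order, each user's baseline is keyed on (country, city) rather than on IP address, and a login from a location outside an established baseline raises an alert. The events, the IP-prefix-to-location table standing in for a GeoIP database, and the `min_history` learning threshold are constructed assumptions for illustration; a real deployment would resolve locations with a GeoIP database, read events from VPN, directory or SSO logs, and use a time-based learning period.

```python
"""Flag logins by known users from locations outside their baseline.

Added example, not the original page's code. Events and the geo table are
constructed; a real deployment would use a GeoIP database and real logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

Location = Tuple[str, str]  # (country, city)
UNKNOWN: Location = ("??", "??")  # stands in for an unresolvable source IP

# Constructed stand-in for a GeoIP lookup (RFC 5737 documentation ranges).
GEO_TABLE: Dict[str, Location] = {
    "203.0.113.0/25": ("US", "Boston"),       # corporate office egress
    "198.51.100.0/24": ("US", "Boston"),      # VPN concentrator
    "192.0.2.0/24": ("US", "Portland"),       # home ISP pool, dynamic leases
    "203.0.113.128/25": ("RO", "Bucharest"),  # hypothetical foreign range
}


def geolocate(ip: str) -> Optional[Location]:
    """Return (country, city) for an IP from the constructed table, or None."""
    addr = ip_address(ip)
    for prefix, loc in GEO_TABLE.items():
        if addr in ip_network(prefix):
            return loc
    return None


@dataclass(frozen=True)
class Login:
    ts: str        # ISO-8601; events must be supplied in chronological order
    user: str
    src_ip: str


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src_ip: str
    location: Location
    baseline: Tuple[Location, ...]


def detect_new_locations(events: Iterable[Login], min_history: int = 3) -> List[Alert]:
    """Alert when a user with an established baseline logs in from a new location.

    - A user with fewer than `min_history` prior logins is not yet 'known':
      those logins build the baseline silently (assumed learning period).
    - The baseline is keyed on location, not IP, so a home user whose DHCP
      lease rolls to a new address in the same city does not alert.
    - A flagged location is NOT added to the baseline (that would let an
      attacker poison it); it is remembered only to avoid duplicate alerts.
    - Unresolvable IPs map to UNKNOWN so they cannot bypass the check.
    """
    seen: Dict[str, Set[Location]] = defaultdict(set)      # confirmed baseline
    alerted: Dict[str, Set[Location]] = defaultdict(set)   # already reported
    count: Dict[str, int] = defaultdict(int)
    alerts: List[Alert] = []
    for ev in events:
        loc = geolocate(ev.src_ip) or UNKNOWN
        if count[ev.user] < min_history:
            seen[ev.user].add(loc)          # still learning this user
        elif loc not in seen[ev.user] and loc not in alerted[ev.user]:
            alerted[ev.user].add(loc)
            alerts.append(Alert(ev.ts, ev.user, ev.src_ip, loc,
                                tuple(sorted(seen[ev.user]))))
        count[ev.user] += 1
    return alerts


# Constructed sample events.
SAMPLE_EVENTS = [
    Login("2024-03-01T08:02:00Z", "alice", "203.0.113.10"),   # office
    Login("2024-03-01T19:15:00Z", "alice", "192.0.2.44"),     # home
    Login("2024-03-02T19:20:00Z", "alice", "192.0.2.91"),     # home, new lease, same city
    Login("2024-03-03T03:41:00Z", "alice", "203.0.113.200"),  # new country: alert
    Login("2024-03-03T09:00:00Z", "bob", "203.0.113.201"),    # bob's first login: learning
    Login("2024-03-03T10:05:00Z", "alice", "203.0.113.201"),  # same new location: no repeat
    Login("2024-03-03T11:30:00Z", "alice", "10.0.0.5"),       # unresolvable source: alert
]

if __name__ == "__main__":
    for a in detect_new_locations(SAMPLE_EVENTS):
        print(f"{a.ts} {a.user} from {a.src_ip} {a.location} baseline={a.baseline}")
```

Once a user confirms a flagged login as legitimate, the analyst would add that location to the user's baseline; the example deliberately leaves that step manual so an attacker's logins never become the baseline on their own.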

Investigation

If the new source location is not easily explained (travel, a new ISP, a mobile carrier's address pool, or a commercial VPN exit node), contact the user through a channel other than the account in question and confirm the login.

Resolution

If the login is determined to be the result of compromised credentials, disable the account, reset its credentials, and revoke any active sessions and tokens, since disabling the account alone does not end sessions that are already open. Perform forensics on the hosts the account accessed, looking for signs of lateral movement and for alternative persistence mechanisms such as new accounts, scheduled tasks, services, or added MFA devices. Restore affected hosts to a known, clean state as necessary.