Case 1. (High)
Correlate Unfamiliar sign-in properties and atypical travel alerts
This alert fires when an "Unfamiliar sign-in properties" detection and an "Atypical travel" detection are correlated for the same user within a short time window. Either detection on its own is common; the two together raise the likelihood that a credential is being used from somewhere the user is not.

Possible legitimate user activity:
- The user signed in from a new device, browser, or network
- The user is connecting through a VPN, which makes the sign-in appear to originate from the VPN exit location
- The user is travelling for work or personal reasons

Before closing as benign, confirm with the user (or their manager) that the travel or VPN use is expected, and check whether the correlated sign-in satisfied MFA and which application and resource it reached.
Case 2. (Medium)
Successful logon from IP and failure from a different IP
This alert fires when a successful sign-in for a user from one IP address is followed by a failed sign-in for the same user from a different IP address. The pattern can mean that someone other than the session holder is trying the account, but it also has ordinary explanations.

Possible legitimate user activity:
- The user switched networks between attempts (VPN, mobile data, home or office Wi-Fi)
- The user's ISP assigned a new dynamic IP address between attempts

When triaging, compare the geolocation and ASN of the failing IP with the successful one, and look at the failure reason (for example, a wrong password versus an MFA denial): a single mistyped password from the same city is very different from repeated failures from an unrelated country while the user still holds a valid session.
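The following is an added example, not the Sentinel analytics rules' own KQL, showing the correlation logic behind Case 1 and Case 2 run over constructed sample records. The field names mirror Sentinel's AADUserRiskEvents and SigninLogs tables, the RiskEventType values follow Identity Protection naming, ResultType "0" is a successful sign-in and "50126" is an invalid password; the 60-minute windows and the sample users and IPs are assumptions for the example.

```python
"""Correlation logic for two Sentinel-style sign-in alerts, run over
constructed sample events. Illustrative code, not the analytics rules' KQL."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed AADUserRiskEvents-style records for Case 1.
RISK_EVENTS = [
    {"TimeGenerated": "2025-03-26T08:02:00Z", "UserPrincipalName": "alice@contoso.com",
     "RiskEventType": "unfamiliarFeatures", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2025-03-26T08:15:00Z", "UserPrincipalName": "alice@contoso.com",
     "RiskEventType": "unlikelyTravel", "IpAddress": "203.0.113.10"},
    {"TimeGenerated": "2025-03-26T09:00:00Z", "UserPrincipalName": "bob@contoso.com",
     "RiskEventType": "unfamiliarFeatures", "IpAddress": "198.51.100.7"},
    {"TimeGenerated": "2025-03-26T14:00:00Z", "UserPrincipalName": "bob@contoso.com",
     "RiskEventType": "unlikelyTravel", "IpAddress": "198.51.100.7"},  # 5 h later
]

# Constructed SigninLogs-style records for Case 2.
SIGNIN_EVENTS = [
    {"TimeGenerated": "2025-03-26T10:00:00Z", "UserPrincipalName": "carol@contoso.com",
     "IPAddress": "192.0.2.5", "ResultType": "0"},
    {"TimeGenerated": "2025-03-26T10:20:00Z", "UserPrincipalName": "carol@contoso.com",
     "IPAddress": "198.51.100.99", "ResultType": "50126"},  # failure, other IP
    {"TimeGenerated": "2025-03-26T11:00:00Z", "UserPrincipalName": "dave@contoso.com",
     "IPAddress": "192.0.2.8", "ResultType": "0"},
    {"TimeGenerated": "2025-03-26T11:05:00Z", "UserPrincipalName": "dave@contoso.com",
     "IPAddress": "192.0.2.8", "ResultType": "50126"},  # failure, same IP: no alert
]


def _ts(value):
    return datetime.strptime(value, FMT)


def _by_user(events):
    """Group events per UserPrincipalName, each group sorted by time."""
    groups = {}
    for e in sorted(events, key=lambda e: _ts(e["TimeGenerated"])):
        groups.setdefault(e["UserPrincipalName"], []).append(e)
    return groups


def correlate_unfamiliar_and_travel(events, window_minutes=60):
    """Case 1: users with an unfamiliarFeatures and an unlikelyTravel detection
    within window_minutes of each other (assumed window)."""
    hits = []
    for user, evs in _by_user(events).items():
        unfamiliar = [_ts(e["TimeGenerated"]) for e in evs if e["RiskEventType"] == "unfamiliarFeatures"]
        travel = [_ts(e["TimeGenerated"]) for e in evs if e["RiskEventType"] == "unlikelyTravel"]
        for t1 in unfamiliar:
            for t2 in travel:
                if abs(t2 - t1) <= timedelta(minutes=window_minutes):
                    hits.append({"user": user, "unfamiliar_at": t1, "travel_at": t2})
    return hits


def success_then_failure_from_other_ip(events, window_minutes=60):
    """Case 2: a successful sign-in followed within the window by a failed
    sign-in for the same user from a different IP address."""
    hits = []
    for user, evs in _by_user(events).items():
        for i, ok in enumerate(evs):
            if ok["ResultType"] != "0":
                continue
            t_ok = _ts(ok["TimeGenerated"])
            for later in evs[i + 1:]:
                if _ts(later["TimeGenerated"]) - t_ok > timedelta(minutes=window_minutes):
                    break  # events are time-sorted, nothing later can match
                if later["ResultType"] != "0" and later["IPAddress"] != ok["IPAddress"]:
                    hits.append({"user": user, "success_ip": ok["IPAddress"],
                                 "failure_ip": later["IPAddress"],
                                 "result": later["ResultType"]})
    return hits


if __name__ == "__main__":
    for h in correlate_unfamiliar_and_travel(RISK_EVENTS):
        print("Case 1:", h)
    for h in success_then_failure_from_other_ip(SIGNIN_EVENTS):
        print("Case 2:", h)
```

With the sample data only alice trips Case 1 (bob's two detections are five hours apart) and only carol trips Case 2 (dave's failure comes from the same IP as his success). Widening the Case 1 window to a day pulls bob in, which is the knob to tune against the volume of travel and VPN noise in your tenant.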
Case 3. (Medium)
(Preview) TI map Domain entity to DnsEvent
This alert fires when a domain indicator from Threat Intelligence (TI) matches the queried name in a DNS event (DnsEvents) from the organization's network. In other words, a host inside the network resolved a domain that a TI feed has flagged as malicious or suspicious. The match itself does not prove the host connected to the domain or that the indicator is accurate.

Possible legitimate causes:
- A user or system accessing a legitimate but newly registered domain
- False positives (FP) from a safe domain being misclassified by the feed

When triaging, check the indicator's confidence score and expiry, whether the match is on the exact domain or only on a shared parent domain, which client made the query, and whether the lookup was followed by an outbound connection to the resolved address.
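As an added example (not the Sentinel rule's own KQL), the matching step of Case 3 run over constructed DNS records and TI indicators. The field names follow the DnsEvents and ThreatIntelligenceIndicator tables; the domains, confidence scores, expiry dates and the minimum-confidence threshold are assumptions. It goes slightly beyond the page by also matching subdomains of an indicator, while rejecting names that merely end in the same string, and by skipping expired or low-confidence indicators.

```python
"""Match DNS query names against TI domain indicators over constructed data.
Illustrative code, not the 'TI map Domain entity to DnsEvent' rule itself."""
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2025, 3, 26, 9, 0, 0)  # assumed evaluation time

# Constructed ThreatIntelligenceIndicator-style records.
TI_DOMAINS = [
    {"DomainName": "malicious-example.test", "ConfidenceScore": 90,
     "ExpirationDateTime": "2025-12-31T00:00:00Z"},
    {"DomainName": "stale-indicator.test", "ConfidenceScore": 80,
     "ExpirationDateTime": "2024-01-01T00:00:00Z"},   # expired
    {"DomainName": "cdn-shared.test", "ConfidenceScore": 30,
     "ExpirationDateTime": "2025-12-31T00:00:00Z"},   # low confidence
]

# Constructed DnsEvents-style records.
DNS_EVENTS = [
    {"TimeGenerated": "2025-03-26T09:10:00Z", "ClientIP": "10.0.0.12",
     "Name": "MALICIOUS-EXAMPLE.test."},               # case and trailing dot differ
    {"TimeGenerated": "2025-03-26T09:11:00Z", "ClientIP": "10.0.0.12",
     "Name": "update.malicious-example.test"},         # subdomain of an indicator
    {"TimeGenerated": "2025-03-26T09:12:00Z", "ClientIP": "10.0.0.40",
     "Name": "stale-indicator.test"},                  # indicator expired
    {"TimeGenerated": "2025-03-26T09:13:00Z", "ClientIP": "10.0.0.41",
     "Name": "assets.cdn-shared.test"},                # indicator below threshold
    {"TimeGenerated": "2025-03-26T09:14:00Z", "ClientIP": "10.0.0.41",
     "Name": "notmalicious-example.test"},             # suffix only, not a subdomain
]


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def active_indicators(indicators, now, min_confidence):
    """Drop expired indicators and those below the confidence threshold."""
    return [(normalize(i["DomainName"]), i) for i in indicators
            if datetime.strptime(i["ExpirationDateTime"], FMT) > now
            and i["ConfidenceScore"] >= min_confidence]


def match_dns_to_ti(dns_events, indicators, now=NOW, min_confidence=50):
    """Return one hit per (event, indicator) pair where the queried name equals
    the indicator domain or is a subdomain of it."""
    active = active_indicators(indicators, now, min_confidence)
    hits = []
    for ev in dns_events:
        qname = normalize(ev["Name"])
        for dom, ind in active:
            if qname == dom:
                kind = "exact"
            elif qname.endswith("." + dom):   # the dot prevents suffix-only matches
                kind = "subdomain"
            else:
                continue
            hits.append({"time": ev["TimeGenerated"], "client": ev["ClientIP"],
                         "query": qname, "indicator": dom,
                         "confidence": ind["ConfidenceScore"], "match": kind})
    return hits


if __name__ == "__main__":
    for h in match_dns_to_ti(DNS_EVENTS, TI_DOMAINS):
        print(h)
```

Only the two malicious-example.test lookups survive: the stale indicator is past its expiry, the cdn-shared.test indicator is below the confidence threshold, and notmalicious-example.test shares a suffix but is not a subdomain. A subdomain match on a widely shared parent domain (a CDN or hosting provider) is the typical source of the false positives the alert description mentions, so the match kind is worth surfacing in the incident.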