
SOC Daily Report : 03/27(Thu)

ccie68155 2025. 3. 28. 23:42

Case 1. (High)

Correlate Unfamiliar sign-in properties and atypical travel alerts

This alert indicates that unfamiliar sign-in properties and atypical travel patterns are correlated, suggesting potential security risks.

Possible legitimate user activity:
- The user logged in from a new device, browser, or network
- The user is using a VPN
- The user is traveling for work or personal reasons
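The correlation this rule performs is a join of two alert streams on the same user inside a time window, and the triage question is whether the sign-in source is one of the benign explanations listed above. The block below is an added example written for this report, not Sentinel's own rule logic or code from the blog; it models the correlation in Python over constructed SecurityAlert-style rows (the flat `User`/`IPAddress` fields, the `KNOWN_VPN_EGRESS` range and the `triage` dispositions are assumptions for the example).

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample rows shaped like Sentinel SecurityAlert entries (not real data).
# "User" and "IPAddress" stand in for the entity fields Sentinel keeps in the
# Entities column; the flat layout is an assumption for this example.
SAMPLE_ALERTS = [
    {"AlertName": "Unfamiliar sign-in properties", "User": "alice@example.com",
     "TimeGenerated": "2025-03-27T08:02:00", "IPAddress": "203.0.113.10"},
    {"AlertName": "Atypical travel", "User": "alice@example.com",
     "TimeGenerated": "2025-03-27T08:20:00", "IPAddress": "203.0.113.10"},
    {"AlertName": "Unfamiliar sign-in properties", "User": "bob@example.com",
     "TimeGenerated": "2025-03-27T09:00:00", "IPAddress": "198.51.100.7"},
    {"AlertName": "Atypical travel", "User": "bob@example.com",
     "TimeGenerated": "2025-03-27T13:30:00", "IPAddress": "198.51.100.7"},
    {"AlertName": "Atypical travel", "User": "carol@example.com",
     "TimeGenerated": "2025-03-27T10:00:00", "IPAddress": "192.0.2.55"},
]

# Hypothetical corporate VPN egress ranges; a real SOC loads these from its
# own network inventory.
KNOWN_VPN_EGRESS = [ip_network("203.0.113.0/24")]

UNFAMILIAR = "Unfamiliar sign-in properties"
TRAVEL = "Atypical travel"


def _ts(row):
    return datetime.fromisoformat(row["TimeGenerated"])


def correlate_alerts(alerts, window_minutes=60):
    """Return one finding per user whose 'Unfamiliar sign-in properties' and
    'Atypical travel' alerts fall within window_minutes of each other."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for row in alerts:
        by_user.setdefault(row["User"], []).append(row)

    findings = []
    for user, rows in by_user.items():
        unfamiliar = [r for r in rows if r["AlertName"] == UNFAMILIAR]
        travel = [r for r in rows if r["AlertName"] == TRAVEL]
        for u in unfamiliar:
            for t in travel:
                gap = abs(_ts(u) - _ts(t))
                if gap <= window:
                    findings.append({
                        "User": user,
                        "IPAddress": u["IPAddress"],
                        "GapMinutes": int(gap.total_seconds() // 60),
                        "FirstSeen": min(_ts(u), _ts(t)).isoformat(),
                    })
    return findings


def triage(finding, vpn_ranges=KNOWN_VPN_EGRESS):
    """First-pass disposition: a sign-in from a known VPN egress range matches the
    benign explanation the report lists but still needs the user to confirm;
    any other source is unverified and the user should be contacted."""
    addr = ip_address(finding["IPAddress"])
    if any(addr in net for net in vpn_ranges):
        finding["Disposition"] = "likely_vpn_verify_with_user"
    else:
        finding["Disposition"] = "unverified_contact_user"
    return finding


if __name__ == "__main__":
    for f in correlate_alerts(SAMPLE_ALERTS):
        print(triage(f))
```

With the default one-hour window only alice correlates (18 minutes apart, from the VPN range); widening the window to five hours also pulls in bob, whose source address is not on the allowlist and so stays unverified. The window is the tuning knob: too narrow and a real traveller whose two alerts fire hours apart is missed, too wide and unrelated alerts get stitched together.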


Case 2. (Medium)

Successful logon from IP and failure from a different IP

This alarm is triggered when a successful login occurs from one IP address, followed by a failed login attempt from a different IP address. This may indicate:

Legitimate user activity:
- The user switches networks (e.g., VPN, mobile, home, office Wi-Fi)
- Dynamic IP changes due to ISP settings
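The detection itself is a per-user ordering problem over sign-in logs: find a success, then look for failures after it, inside a window, from a different address. The block below is an added example for this report, not the Sentinel analytics rule or code from the blog; it runs that logic in Python over constructed SigninLogs-style rows. `ResultType` "0" (success) and "50126" (invalid credentials) are real Entra ID result codes; the sample users, addresses, the one-hour window and the `same_prefix` /24 hint are assumptions for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample rows shaped like Entra ID SigninLogs (not real data).
# ResultType "0" is a successful sign-in; "50126" is a wrong-credential failure.
SAMPLE_SIGNINS = [
    # alice: success, then two failures from a different network within minutes
    {"TimeGenerated": "2025-03-27T08:00:00", "User": "alice@example.com", "IPAddress": "203.0.113.10", "ResultType": "0"},
    {"TimeGenerated": "2025-03-27T08:05:00", "User": "alice@example.com", "IPAddress": "198.51.100.7", "ResultType": "50126"},
    {"TimeGenerated": "2025-03-27T08:06:00", "User": "alice@example.com", "IPAddress": "198.51.100.7", "ResultType": "50126"},
    {"TimeGenerated": "2025-03-27T10:30:00", "User": "alice@example.com", "IPAddress": "198.51.100.8", "ResultType": "50126"},
    # bob: failure from the same IP as the success, so not this pattern
    {"TimeGenerated": "2025-03-27T09:00:00", "User": "bob@example.com", "IPAddress": "192.0.2.20", "ResultType": "0"},
    {"TimeGenerated": "2025-03-27T09:03:00", "User": "bob@example.com", "IPAddress": "192.0.2.20", "ResultType": "50126"},
    # carol: failure before the success, the opposite order
    {"TimeGenerated": "2025-03-27T10:00:00", "User": "carol@example.com", "IPAddress": "192.0.2.30", "ResultType": "50126"},
    {"TimeGenerated": "2025-03-27T10:10:00", "User": "carol@example.com", "IPAddress": "203.0.113.99", "ResultType": "0"},
    # dave: failure from a neighbouring address in the same /24 (ISP reassignment pattern)
    {"TimeGenerated": "2025-03-27T09:00:00", "User": "dave@example.com", "IPAddress": "192.0.2.20", "ResultType": "0"},
    {"TimeGenerated": "2025-03-27T09:30:00", "User": "dave@example.com", "IPAddress": "192.0.2.21", "ResultType": "50126"},
]

SUCCESS = "0"


def _ts(row):
    return datetime.fromisoformat(row["TimeGenerated"])


def same_prefix(ip_a, ip_b, prefixlen=24):
    """Triage hint (assumption, IPv4 only): two addresses inside the same /24 are
    more consistent with an ISP reassigning a dynamic address than with a
    second party. It is a hint for the analyst, not a suppression rule."""
    net = ip_network(f"{ip_a}/{prefixlen}", strict=False)
    return ip_address(ip_b) in net


def success_then_failure(events, window_minutes=60):
    """Per user, find a successful sign-in followed within the window by one or
    more failures from a different IP. Returns one finding per success event."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["User"], []).append(ev)

    findings = []
    for user, rows in by_user.items():
        rows = sorted(rows, key=_ts)  # chronological, so "followed by" is well defined
        for i, ok in enumerate(rows):
            if ok["ResultType"] != SUCCESS:
                continue
            limit = _ts(ok) + timedelta(minutes=window_minutes)
            failures = [r for r in rows[i + 1:]
                        if r["ResultType"] != SUCCESS
                        and r["IPAddress"] != ok["IPAddress"]
                        and _ts(r) <= limit]
            if not failures:
                continue
            first = failures[0]
            findings.append({
                "User": user,
                "SuccessIP": ok["IPAddress"],
                "SuccessTime": ok["TimeGenerated"],
                "FailureIPs": sorted({r["IPAddress"] for r in failures}),
                "FailureCount": len(failures),
                "MinutesToFirstFailure": int((_ts(first) - _ts(ok)).total_seconds() // 60),
                "SameNetwork24": same_prefix(ok["IPAddress"], first["IPAddress"]),
            })
    return findings


if __name__ == "__main__":
    for f in success_then_failure(SAMPLE_SIGNINS):
        print(f)
```

Only alice and dave produce findings: bob's failure comes from the same address and carol's failure precedes her success. Alice's 10:30 failure is outside the window and is not counted. The `SameNetwork24` flag on dave's finding is the kind of detail that lets the analyst reach the "dynamic IP" explanation quickly, while alice's finding, with failures from an unrelated network, is the one worth a closer look.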


Case 3. (Medium)

(Preview) TI map Domain entity to DnsEvent

This alert indicates that a domain identified by Threat Intelligence (TI) has matched a DNS event (DnsEvent) within the organization's network. In other words, a DNS request from within the network has been flagged as related to a potentially malicious or suspicious domain. Possible causes include:

Legitimate cases:
- A user or system accessing a legitimate but newly registered domain
- False positives (FP) due to misclassification of a safe domain
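Under the hood this rule is a lookup of DNS query names against the TI indicator table, and most of the false positives the report mentions come from three places: stale or low-confidence indicators, name formatting (case, trailing dot, subdomains) that defeats an exact match, and domains an analyst has already cleared. The block below is an added example for this report, not the Sentinel template's KQL or code from the blog; it implements the match in Python over constructed ThreatIntelligenceIndicator-style and DnsEvents-style rows, with expiry and confidence filtering, parent-domain matching, and an analyst allowlist. The indicator names (reserved `.test`/`.example` domains), the `CONFIRMED_FP` allowlist and the confidence floor of 50 are assumptions for the example.

```python
from datetime import datetime

# Constructed indicators shaped like Sentinel ThreatIntelligenceIndicator rows.
# None of these are real indicators; the names use reserved documentation domains.
SAMPLE_TI = [
    {"DomainName": "malicious-example.test", "ConfidenceScore": 90,
     "ExpirationDateTime": "2025-12-31T00:00:00", "Active": True},
    {"DomainName": "cdn.example.net", "ConfidenceScore": 85,
     "ExpirationDateTime": "2025-12-31T00:00:00", "Active": True},   # previously cleared FP
    {"DomainName": "lowconf.test", "ConfidenceScore": 20,
     "ExpirationDateTime": "2025-12-31T00:00:00", "Active": True},   # below confidence floor
    {"DomainName": "old-indicator.test", "ConfidenceScore": 95,
     "ExpirationDateTime": "2025-01-01T00:00:00", "Active": True},   # expired
]

# Constructed DNS events shaped like DnsEvents rows (not real data).
SAMPLE_DNS = [
    {"TimeGenerated": "2025-03-27T11:00:00", "Computer": "WS01", "ClientIP": "10.0.0.11", "Name": "MALICIOUS-EXAMPLE.test."},
    {"TimeGenerated": "2025-03-27T11:01:00", "Computer": "WS02", "ClientIP": "10.0.0.12", "Name": "login.malicious-example.test"},
    {"TimeGenerated": "2025-03-27T11:02:00", "Computer": "WS03", "ClientIP": "10.0.0.13", "Name": "cdn.example.net"},
    {"TimeGenerated": "2025-03-27T11:03:00", "Computer": "WS04", "ClientIP": "10.0.0.14", "Name": "lowconf.test"},
    {"TimeGenerated": "2025-03-27T11:04:00", "Computer": "WS05", "ClientIP": "10.0.0.15", "Name": "old-indicator.test"},
    {"TimeGenerated": "2025-03-27T11:05:00", "Computer": "WS06", "ClientIP": "10.0.0.16", "Name": "www.example.com"},
]

# Hypothetical analyst-maintained allowlist of domains already confirmed as false positives.
CONFIRMED_FP = {"cdn.example.net"}


def normalize(name):
    """Lower-case and strip the trailing dot that DNS logs often keep on FQDNs."""
    return name.strip().lower().rstrip(".")


def candidate_domains(name):
    """Yield the name and each parent domain above it, stopping before the bare
    TLD, so an indicator for example.net also matches cdn.example.net."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def active_indicators(ti, now_iso, min_confidence=50):
    """Index indicators that are active, unexpired as of now_iso, and at or above
    the confidence floor; stale and weak indicators are a major FP source."""
    now = datetime.fromisoformat(now_iso)
    index = {}
    for ind in ti:
        if not ind.get("Active", True):
            continue
        if datetime.fromisoformat(ind["ExpirationDateTime"]) <= now:
            continue
        if ind.get("ConfidenceScore", 0) < min_confidence:
            continue
        index[normalize(ind["DomainName"])] = ind
    return index


def match_dns_to_ti(dns_events, ti, now_iso, allowlist=frozenset(), min_confidence=50):
    """Return one match per DNS event whose query (or a parent domain of it) is an
    active indicator and is not on the analyst allowlist."""
    index = active_indicators(ti, now_iso, min_confidence)
    matches = []
    for ev in dns_events:
        query = normalize(ev["Name"])
        for cand in candidate_domains(query):
            if cand in allowlist:
                break  # confirmed false positive: suppress this event entirely
            ind = index.get(cand)
            if ind:
                matches.append({
                    "Computer": ev["Computer"], "ClientIP": ev["ClientIP"],
                    "Query": query, "Indicator": cand,
                    "MatchType": "exact" if cand == query else "subdomain",
                    "Confidence": ind["ConfidenceScore"],
                })
                break
    return matches


if __name__ == "__main__":
    for m in match_dns_to_ti(SAMPLE_DNS, SAMPLE_TI, "2025-03-27T12:00:00", allowlist=CONFIRMED_FP):
        print(m)
```

Run against the sample rows, only WS01 (an exact match that survives the upper-case, trailing-dot query) and WS02 (a subdomain of the indicator) come back; the cleared domain, the low-confidence indicator and the expired one are filtered before they can page anyone. Drop the allowlist argument and WS03 reappears, which is the point of keeping confirmed FPs in a list the rule consults rather than closing the same incident repeatedly.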