
Investigating - Suspicious Logins

Updated over 3 months ago

This guide walks you through investigating accounts that have suspicious logins. Please see What Defines A Suspicious Login if you have any questions about the type of login you are seeing.

Finding the root cause of a suspicious login can be tricky and takes some detective work on your end. Sometimes the cause is obvious; sometimes it is more nuanced. Our team is always happy to help you perform these evaluations.

Note: When in doubt, reset the user's password.

There are several things to think about when investigating a suspicious login.

  • What time of day was the login?

  • Is the login ISP anonymous (a known VPN or proxy)?

  • Was any data leaked?

  • Was the account used to send spam emails?

  • Is this a high-priority account (for example, faculty with access to sensitive information)?

  • Do you need to set an exclusion for that user (for example, because they are traveling)?

  • Does an outside source agree with the geolocation information?


Is the User on a VPN?

STEP ONE:

Navigate to the Audit & Control page and select the Name of your desired Cloud Environment. (Global Views show all accounts in your domain, while filtered views show only the users in that view.)

STEP TWO:

Navigate to the Accounts tab, and then to the "Login Analyzer" sub-tab.


STEP THREE:

Search for the user with the suspicious logins and select Apply.


STEP FOUR:

Look through the user's logins and find the suspicious login in question, then select the Globe icon. This opens a new tab in your browser with the IP lookup; VPNs are shown as "Possible Proxies".

  • Example of how a known VPN appears in the lookup result.


STEP FIVE:

If there are only a few logins, all during business hours, and the ISP is listed as a possible proxy, the most likely explanation is that the user was using a VPN or proxy to get around your firewall or web filter, not that the account was compromised. Confirm this with the user, then take whatever procedural steps you have in place to address it.


Is the Account Compromised?

Compromised accounts often share very distinct traits:

  • Very rapid logins from different locations (usually within minutes or seconds of each other), faster than any one person could travel.

  • Logins occurring from all over the globe.

  • Logins occurring outside the user's usual business hours.

If you notice this behavior, reset the password immediately (and sign the user out of all active sessions if your platform supports it), then continue your investigation to determine the purpose of the attack.
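The traits above can be checked mechanically before anyone opens the Login Analyzer. The following is an added example, not ManagedMethods code: it scores a user's login history for impossible travel (consecutive logins whose implied ground speed no traveler could reach), logins outside local business hours, and the number of distinct countries seen within 24 hours. The login records, IP addresses and coordinates are constructed; the organization time zone, business hours and 900 km/h speed threshold are assumptions you would adjust for your own environment. Pairs involving an IP that the lookup labeled a possible proxy are deliberately not used for the travel calculation, because a VPN exit's location says nothing about where the user is.

```python
# Added example (not ManagedMethods code): scoring a user's login history for the
# compromise traits listed above. The login records, IPs and coordinates are
# constructed; the organization time zone and speed threshold are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

ORG_TZ = timezone(timedelta(hours=-7))   # assumed: Mountain Standard Time, no DST handling
BUSINESS_HOURS = (7, 19)                 # assumed: 07:00-18:59 local counts as business hours
MAX_PLAUSIBLE_KMH = 900.0                # a little above airliner cruise speed; faster is impossible travel


@dataclass(frozen=True)
class Login:
    when: datetime       # timezone-aware UTC timestamp of the login
    ip: str
    country: str         # ISO country code from the geolocation lookup
    lat: float
    lon: float
    proxy: bool = False  # True when the lookup labels the ISP a "Possible Proxy" / known VPN


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS-84 coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive login pairs whose implied ground speed exceeds max_kmh.

    Pairs involving a proxy/VPN exit are skipped: the exit node's location says
    nothing about where the user actually is, so the speed would be meaningless.
    Returns tuples of (earlier_ip, later_ip, km, km_per_hour).
    """
    ordered = sorted(logins, key=lambda l: l.when)
    hits = []
    for a, b in zip(ordered, ordered[1:]):
        if a.proxy or b.proxy:
            continue
        km = haversine_km(a.lat, a.lon, b.lat, b.lon)
        hours = (b.when - a.when).total_seconds() / 3600
        if km < 50:                      # same metro area: ignore geolocation jitter
            continue
        kmh = float("inf") if hours == 0 else km / hours
        if kmh > max_kmh:
            hits.append((a.ip, b.ip, round(km), round(kmh)))
    return hits


def after_hours(logins, hours=BUSINESS_HOURS, tz=ORG_TZ):
    """IPs of logins that fall outside local business hours."""
    start, end = hours
    return [l.ip for l in logins if not start <= l.when.astimezone(tz).hour < end]


def max_countries_in_window(logins, window=timedelta(hours=24)):
    """Largest number of distinct countries seen inside any sliding window."""
    ordered = sorted(logins, key=lambda l: l.when)
    best = 0
    for i, first in enumerate(ordered):
        seen = {l.country for l in ordered[i:] if l.when - first.when <= window}
        best = max(best, len(seen))
    return best


def triage(logins):
    """Summarize the traits and say whether an immediate password reset is warranted."""
    travel = impossible_travel(logins)
    countries = max_countries_in_window(logins)
    return {
        "impossible_travel": travel,
        "after_hours": after_hours(logins),
        "max_countries_24h": countries,
        "proxy_logins": [l.ip for l in logins if l.proxy],
        # After-hours logins alone are weak evidence (travel, working late);
        # impossible travel or logins spread over several countries is not.
        "likely_compromised": bool(travel) or countries >= 3,
    }


# Constructed sample: a Denver-based user whose account logs in from Lagos seven
# minutes after a local login, then from Moscow that evening.
SAMPLE_LOGINS = [
    Login(datetime(2024, 3, 4, 15, 2, tzinfo=timezone.utc), "198.51.100.23", "US", 39.7392, -104.9903),
    Login(datetime(2024, 3, 4, 15, 9, tzinfo=timezone.utc), "203.0.113.77", "NG", 6.5244, 3.3792),
    Login(datetime(2024, 3, 5, 3, 40, tzinfo=timezone.utc), "192.0.2.14", "RU", 55.7558, 37.6173),
    Login(datetime(2024, 3, 5, 14, 58, tzinfo=timezone.utc), "198.51.100.23", "US", 39.7392, -104.9903),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGINS).items():
        print(f"{key}: {value}")
```

Run against the sample, the Denver-to-Lagos pair is flagged as impossible travel, the Moscow login is flagged as after hours, and three countries appear within 24 hours, so `likely_compromised` is true. The Lagos-to-Moscow and Moscow-to-Denver hops are not flagged on their own because the implied speeds are below the threshold; the 50 km floor keeps two logins from the same city, geolocated a few kilometres apart, from producing false impossible-travel hits.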

Was Data Leaked?

If an account is compromised, it is important to know what type of data was leaked during the compromise. With ManagedMethods you can check the account for a couple of common signs of data exfiltration.

  • Was the account used to send spam emails? You can check using the Live Email Search functionality, looking specifically in the user's "Sent" folder during the time of the attack. Bad actors often use a compromised account to spam phishing links to the user's contacts.

  • Was the account harvested for data in Google Drive? You can generate reports for Google Drive activity within ManagedMethods using the reports functionality on the user's account page. Look for activity coming from the same IP address that the suspicious login originated from. See the "Audit Activity" section of the guide.

High Priority Accounts

Certain accounts within your environment are high-priority targets (for example, faculty or staff with access to sensitive information). These accounts need to be treated very seriously: understanding how the account was compromised, as well as what data was leaked, is very important. We suggest reaching out to our support team for assistance in these cases.


Is the User Traveling?

It is common for a user traveling abroad to trigger suspicious logins once they are out of their home country. To determine whether they are traveling, the best course of action is to reach out to the user, or speak with their supervisor, to confirm that they are in fact abroad.

  • If they are traveling, you can set an exclusion to avoid remediation on alerts for their account. Remove the exclusion when they return, so that later logins from abroad are alerted on again.


Is the IP2Geo information correct?

ManagedMethods uses two different IP-to-location services to verify our data; however, as an industry, determining a location from an IP address is more of an art than a science. If you feel the location is incorrect, check third-party IP2Geo sites to verify that multiple sources agree on the location of the IP. Keep in mind that VPN or proxy exits and mobile carrier addresses geolocate to the provider's network, not to where the user is sitting, so agreement between lookups only tells you where the IP is, not necessarily where the person is.