MicroSOC
MB

Muath Al Badi

Security Analyst

Back to Cases

Suspicious Login Activity

CASE-1229Created on 3/20/2023Updated 3/21/2023, 9:15:00 AM
Status
Priority
Assignee
MBMuath Al Badi
Due Date
Apr 5, 5:00 PM981d overdue
suspicious-login
account-security
potential-compromise
Case Details
Information about this security case

Description

Multiple login attempts detected from unusual locations followed by successful login and suspicious account activity.

Status

in progress

Severity

high

Category

Account Compromise

Due Date

Dec 11, 8:59 PM8h left

Affected User

ahmed.albalushi@example.com

Assignee

MBMuath Al Badi

Reporter

FZFatima Al Zeedi

Detection Source

SIEM Alert

Impact Level

Medium

Created

3/20/2023, 2:30:00 PM

Tags

suspicious-login
account-security
potential-compromise
Activity & Comments
Case activity and discussion
AB
AB
Ahmed Al Balushi3/20/2023, 3:30:00 PM

I've started investigating this case. Initial findings suggest this might be related to a compromised account.

AB
Ahmed Al Balushi3/20/2023, 3:35:00 PM
Changed status from Open to In Progress
AB
Ahmed Al Balushi3/20/2023, 3:45:00 PM
Added artifact: login_logs.txt
FZ
Fatima Al Zeedi3/20/2023, 4:45:00 PM

I've checked the logs and found multiple failed login attempts from different IP addresses before the successful login.

FZ
Fatima Al Zeedi3/20/2023, 4:50:00 PM
Created task: Block compromised account
FZ
Fatima Al Zeedi3/20/2023, 4:55:00 PM
Added artifact: ip_analysis.pdf
AB
Ahmed Al Balushi3/20/2023, 5:15:00 PM

Good catch. Let's implement a temporary block on the account and notify the user.

AB
Ahmed Al Balushi3/20/2023, 5:30:00 PM
Completed task: Block compromised account
AB
Ahmed Al Balushi3/20/2023, 5:35:00 PM
Added tag: account-security
Actions
Available actions for this case
Quick Actions
Case Management
Private Notes
Notes visible only to your team
MBMuath Al Badi3/20/2023, 3:50:00 PM

Initial investigation shows multiple failed login attempts from IP addresses in different countries, followed by a successful login from an unusual location. The account then exhibited unusual behavior, accessing sensitive data that the user doesn't typically access.

FZFatima Al Zeedi3/20/2023, 5:25:00 PM

After analyzing the login patterns, I believe this is a case of credential stuffing. The attacker likely obtained the user's credentials from a previous data breach and tried them across multiple services until finding a match.

Tasks
Action items for this case
Analyze suspicious login attempts
high
Due 4/5/2023

Review logs and identify patterns in the login attempts

ABAhmed Al Balushi
Block compromised account
critical
Due 4/3/2023

Temporarily block the affected user account

FZFatima Al Zeedi
Notify affected user
medium
Due 4/6/2023

Contact the user about the suspicious activity

MFMohammed Al Farsi
Update security policies
low
Due 4/10/2023

Review and update relevant security policies

SBSara Al Balushi