Let's discuss the Tale of the Unfamiliar Sign-In.
It was a calm Tuesday evening, and the IT security team's dashboards were quiet, showing no major incidents. Priya, a SOC analyst on her evening shift, sipped her coffee, expecting a routine session. Suddenly, an alert lit up her screen: "Unfamiliar Sign-In Properties Detected."
It was the mystery login.
The alert pointed to the user Aladdin. Priya checked his profile in Office 365, ServiceNow, and the other directory and availability tools, and learned that he was a senior developer known for his diligent work habits. The system had flagged a login attempt to the company’s internal tools from a device it considered suspicious.
“Hmm,” Priya thought. She checked Aladdin's logs for the last three days and found that his usual device was a MacBook.
“But the alert says a Windows device, and it’s coming from an IP address in an entirely different city: Lucknow.”
What made it more suspicious was the timing:
- The attempt was made at 2:00 AM, far outside Aladdin’s regular work hours.
- The system also noted a mismatched User-Agent string, hinting at a possible spoofed device or browser.
However, every URL requested during that session had been blocked by the proxy under an existing proxy rule.
Uncovering the Truth
Priya immediately raised an incident, sent a mail to the AD team, the Security team, and the Service Desk teams, and began her investigation:
Device Check:
She reviewed Aladdin’s registered devices in Active Directory together with the AD team. None matched the one used in the suspicious login attempt.
Geolocation Analysis:
The IP address was traced back to Lucknow, a city far from Aladdin’s home and office. Aladdin had no travel plans logged with HR.
Login Pattern Review:
She pulled up Aladdin's historical login logs. He typically worked from his MacBook in Bangalore between 9:00 AM and 8:00 PM. A 2:00 AM login from an unknown Windows device stood out as suspicious.
All teams joined a bridge call to mitigate the incident and immediately contacted Aladdin. Groggily, he answered, “What? No, I didn’t log in at 2:00 AM. I was asleep.”
That confirmed it—this wasn’t Aladdin’s doing.
The Response
Priya swung into action:
Account Lockdown:
She temporarily disabled Aladdin’s account to prevent further unauthorized access, and the remote IP address observed in the attempt was blocked on the perimeter firewalls.
Incident Logging:
She documented the event, noting the unfamiliar device and IP address.
Enhanced Investigation:
Priya checked for other anomalies tied to the suspicious IP. This revealed several failed login attempts across multiple accounts against Office 365, hinting at a broader brute-force attack.
Credential Reset:
Aladdin’s password was reset, and he was required to enable Multi-Factor Authentication (MFA).
Cross-Check with Threat Intelligence:
Priya searched for the flagged IP address in threat intelligence feeds and publicly available tools such as VirusTotal, IBM X-Force Exchange, and MXToolbox. It was listed as part of a known botnet.
Priya also checked the logs from 2:00 AM to 4:00 AM to see what activity had been performed from Aladdin's account in that window.
Based on those findings, she completed the remaining remediation steps and tightened the account's security.
Lessons Learned
The documented incident was resolved within SLA, the threat was contained, and no breach occurred, but the team treated it as a wake-up call and implemented the measures below:
Stronger Policies:
Enforced strict device registration for all employees.
MFA for All:
Multi-Factor Authentication was made mandatory for every account.
Enhanced Anomaly Detection:
She tuned the Unfamiliar Sign-In Properties rule to consider additional factors, such as known bad IPs, and created a new rule for logins outside business hours.
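The checks Priya ran by hand during the investigation (registered device, GeoIP city, working hours, threat-intel hits) and the failed-login pattern she found across many accounts from one IP can be expressed as simple detection logic, which is what the tuned rule and the new off-hours rule amount to. The Python below is an added example written for this page, not code from the original story or from any SIEM product; the sign-in log lines, the IP addresses, the business-hours window, and the threat-intel list are all constructed for illustration.

```python
"""Unfamiliar sign-in triage: baseline each user's history, score new sign-ins,
and spot one source IP failing against many accounts (password spraying)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not real data). Fields per line:
# user, timestamp (local time), result, OS from device fingerprint, GeoIP city, source IP.
SAMPLE_LOG = """\
aladdin,2024-03-04T09:12:00,success,macOS,Bangalore,203.0.113.10
aladdin,2024-03-04T19:45:00,success,macOS,Bangalore,203.0.113.10
aladdin,2024-03-05T09:05:00,success,macOS,Bangalore,203.0.113.11
aladdin,2024-03-06T10:30:00,success,macOS,Bangalore,203.0.113.10
aladdin,2024-03-07T02:00:00,success,Windows,Lucknow,198.51.100.7
jasmine,2024-03-07T02:01:00,failure,Windows,Lucknow,198.51.100.7
abu,2024-03-07T02:01:30,failure,Windows,Lucknow,198.51.100.7
genie,2024-03-07T02:02:00,failure,Windows,Lucknow,198.51.100.7
"""

# Constructed threat-intel entry; in a real SOC this set comes from TI feeds.
KNOWN_BAD_IPS = {"198.51.100.7"}
BUSINESS_HOURS = (9, 20)  # 09:00-20:00 local, the working window described in the story


def parse_log(text):
    """Turn the CSV-style log into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        user, ts, result, os_name, city, ip = line.split(",")
        events.append({"user": user, "ts": datetime.fromisoformat(ts), "result": result,
                       "os": os_name, "city": city, "ip": ip})
    return events


def score_sign_in(event, history, known_bad_ips, business_hours=BUSINESS_HOURS):
    """Return the reasons an event is unfamiliar compared with the user's earlier
    successful sign-ins: new device OS, new city, off-hours, or a known bad IP."""
    prior = [h for h in history if h["user"] == event["user"]
             and h["result"] == "success" and h["ts"] < event["ts"]]
    reasons = []
    if not prior:
        # No baseline yet: flag it, but do not call every attribute "unfamiliar".
        reasons.append("no sign-in history for user")
    else:
        if event["os"] not in {h["os"] for h in prior}:
            reasons.append("unfamiliar device OS")
        if event["city"] not in {h["city"] for h in prior}:
            reasons.append("unfamiliar city")
    start, end = business_hours
    if not start <= event["ts"].hour < end:
        reasons.append("outside business hours")
    if event["ip"] in known_bad_ips:
        reasons.append("known bad IP")
    return reasons


def triage(events, known_bad_ips, min_reasons=2):
    """Alert on successful sign-ins that trip at least min_reasons checks.
    Requiring more than one signal keeps a lone late-night login from paging anyone."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        reasons = score_sign_in(e, events, known_bad_ips)
        if len(reasons) >= min_reasons:
            alerts.append((e["user"], e["ts"].isoformat(), e["ip"], reasons))
    return alerts


def spray_sources(events, min_accounts=3):
    """Source IPs with failed sign-ins against at least min_accounts distinct accounts,
    the pattern that pointed to a broader brute-force attempt in the investigation."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, ts, ip, why in triage(evts, KNOWN_BAD_IPS):
        print(f"ALERT {user} {ts} from {ip}: {', '.join(why)}")
    for ip, users in spray_sources(evts).items():
        print(f"SPRAY {ip} failed against {len(users)} accounts: {', '.join(users)}")
```

Two design points matter here. The baseline is built only from successful sign-ins that precede the event being scored, so the suspicious login never pollutes its own baseline, and a user with no history is flagged once as "no sign-in history" rather than tripping every attribute check. The `min_reasons` threshold is the tuning knob: a single off-hours login is a weak signal on its own, whereas off-hours plus a new device, a new city and a threat-intel hit is exactly the combination that makes the story's alert worth a bridge call.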
Training and Awareness:
She recommended training to educate employees about not sharing credentials, recognising phishing attempts, and the importance of reporting unusual account activity.
Priya’s vigilance and the "Unfamiliar Sign-In Properties" detection rule minimised the risk and prevented what could have been a significant breach. The story became an example in the company’s next security training session, reminding everyone that even the smallest anomaly could hide a major threat.
And Priya? She ended her shift knowing she had made a difference, proud of how quickly and effectively the team had responded.