User activity from previously unseen ASN
Description
AlphaSOC detected user authentication from a previously unseen Autonomous System Number (ASN). Each ASN represents a distinct routing domain controlled by network operators and internet service providers. This finding indicates access from an unfamiliar network provider or geographic location.
Impact
Access from unknown networks can indicate account compromise, unauthorized access attempts, or credential theft. Adversaries often use different networks or locations to evade detection and maintain persistence in the environment.
Severity
Severity | Condition |
---|---|
Low | Recurring user activity from unexpected ASN |
Medium | User activity from previously unseen ASN |
Investigation and Remediation
Review authentication logs to identify the user, source IP, and associated activities. Compare the ASN against the user's access patterns and verify the legitimacy of the activity. If unauthorized access is confirmed, disable the affected account and reset credentials.
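The comparison against access patterns and the two severity conditions above can be reproduced during triage with a per-user ASN baseline. The following is an added example, not AlphaSOC's detection logic: the event fields, the function names, and the reading of "recurring" as a repeat sighting of an already flagged ASN are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample authentication events. IPs and ASNs come from the
# reserved documentation ranges; none are real observations.
BASELINE_EVENTS = [
    {"user": "alice", "src_ip": "192.0.2.10", "asn": 64496},
    {"user": "alice", "src_ip": "192.0.2.11", "asn": 64496},
    {"user": "bob", "src_ip": "198.51.100.7", "asn": 64497},
]
NEW_EVENTS = [
    {"user": "alice", "src_ip": "192.0.2.12", "asn": 64496},    # known network
    {"user": "alice", "src_ip": "203.0.113.5", "asn": 64500},   # first sighting
    {"user": "alice", "src_ip": "203.0.113.9", "asn": 64500},   # same ASN again
    {"user": "bob", "src_ip": "192.0.2.40", "asn": 64496},      # known to alice only
    {"user": "carol", "src_ip": "198.51.100.9", "asn": 64497},  # user has no history
]


def build_baseline(events):
    """Map each user to the set of ASNs seen during the learning period."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["user"]].add(ev["asn"])
    return baseline


def classify(events, baseline):
    """Return (event, severity) pairs; severity is None for expected ASNs.
    Assumption: "recurring" = this user was already flagged for this ASN."""
    flagged = defaultdict(set)  # user -> unexpected ASNs already reported
    results = []
    for ev in events:
        user, asn = ev["user"], ev["asn"]
        if asn in baseline.get(user, set()):
            severity = None
        elif asn in flagged[user]:
            severity = "low"      # recurring activity from unexpected ASN
        else:
            severity = "medium"   # previously unseen ASN for this user
            flagged[user].add(asn)
        results.append((ev, severity))
    return results


def findings(events=NEW_EVENTS, baseline_events=BASELINE_EVENTS):
    """Summarise flagged events as (user, asn, src_ip, severity) tuples."""
    pairs = classify(events, build_baseline(baseline_events))
    return [(e["user"], e["asn"], e["src_ip"], s) for e, s in pairs if s]
```

The baseline is kept per user, so an ASN that is normal for one account is still flagged for another, and an account with no history is flagged on its first event.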
Known False Positives
- Users traveling or working remotely
- Network provider changes or ISP migrations
- VPN or proxy service usage