User activity from unexpected country
Description
AlphaSOC detected a user authentication from a country in which that user has no previous login history. This may indicate account compromise: threat actors using stolen credentials typically log in from locations the legitimate user has never used.
Impact
Unauthorized access from a new region suggests stolen credentials or an otherwise compromised account. Adversaries can use a breached account to access sensitive data, deploy malware, or establish persistence in the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Low | Recurring user activity from an unexpected country |
| Medium | User activity from a previously unseen country |
Investigation and Remediation
Review the authentication logs to identify the affected user account, the source IP address and its resolved country, the time of the login, and the actions performed afterwards from the same source. Compare this against expected user travel and business operations (and check whether the IP belongs to a VPN or proxy provider) to verify whether the activity is legitimate. If unauthorized access is confirmed, disable the account, revoke any active sessions and access keys (disabling a console password does not terminate sessions that are already established), reset credentials, and review all activity during the period in question.
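As an added example (not AlphaSOC's own detection code), the following Python script applies the severity logic above to constructed CloudTrail-style `ConsoleLogin` records: countries a user logged in from during a baseline window are treated as expected, a later login from a country never seen for that user raises a Medium alert, and further logins from that still-unconfirmed country raise Low alerts. The IP-to-country table, the log lines and the baseline cut-off are all constructed for the example; a real deployment would use a GeoIP database instead. Each alert also carries the follow-on API calls from the same user and source IP, which is the triage data the investigation step asks for.

```python
"""Per-user first-seen-country detection over CloudTrail-style records.

Added example, not AlphaSOC code. Assumes CloudTrail ConsoleLogin events with a
sourceIPAddress field and a hand-made IP-to-country table standing in for a
real GeoIP lookup. All sample data below is constructed.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed IP-to-country table (placeholder for a GeoIP database).
GEOIP = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "BR",
}


def country_for(ip: str) -> str:
    """Resolve an IP to a country code, or '??' when the lookup has no answer."""
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEOIP.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"


# Constructed CloudTrail-style records, one JSON object per line, in time order.
SAMPLE_LOG = """
{"eventTime":"2024-03-01T08:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-02T08:05:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-03T02:14:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.44","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-03T02:20:00Z","eventName":"ListBuckets","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.44"}
{"eventTime":"2024-03-04T02:30:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"alice"},"sourceIPAddress":"192.0.2.45","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-04T09:00:00Z","eventName":"ConsoleLogin","userIdentity":{"userName":"bob"},"sourceIPAddress":"192.0.2.9","responseElements":{"ConsoleLogin":"Failure"}}
"""


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list, baseline_until: str) -> list:
    """Alert on successful ConsoleLogin events from countries outside the user's baseline.

    Countries seen at or before `baseline_until` (ISO 8601, UTC) are expected.
    A first login from any other country is Medium; repeat logins from a country
    that was already flagged (and not yet confirmed by an analyst) are Low.
    """
    expected = defaultdict(set)  # user -> countries seen during the baseline window
    flagged = defaultdict(set)   # user -> unexpected countries already alerted on
    alerts = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed logins are a separate signal (password spraying), not this one
        user = ev["userIdentity"]["userName"]
        ip = ev["sourceIPAddress"]
        cc = country_for(ip)
        if ev["eventTime"] <= baseline_until:  # same-format ISO strings compare in time order
            expected[user].add(cc)
            continue
        if cc in expected[user]:
            continue
        severity = "Low" if cc in flagged[user] else "Medium"
        flagged[user].add(cc)
        # Follow-on API activity from the same user and source IP, for triage.
        actions = sorted({
            e["eventName"] for e in events
            if e["userIdentity"]["userName"] == user
            and e["sourceIPAddress"] == ip
            and e["eventName"] != "ConsoleLogin"
            and e["eventTime"] >= ev["eventTime"]
        })
        alerts.append({"user": user, "ip": ip, "country": cc, "time": ev["eventTime"],
                       "severity": severity, "actions": actions})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), "2024-03-02T23:59:59Z"):
        print(json.dumps(alert))
```

Running the script flags alice's first login from BR as Medium, with the `ListBuckets` call from the same IP attached, and her next BR login as Low; bob's failed login is ignored. In production the baseline should be long enough to cover the user's normal travel, and a flagged country should stay flagged until an analyst confirms it, otherwise the Low severity never fires.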
Known False Positives
- Use of new VPN exit nodes
- Changes in remote work location