INCIDENT RESPONSE — EASY ⭐⭐
IR-03
SUSPICIOUS LOGIN ALERT — CREDENTIAL STUFFING TRIAGE

OBJECTIVES

Read the incident ticket
Identify the failed login spike
Find the successful login from unusual location
Check if MFA was enforced
Look up the suspicious IP in threat intel
Determine the affected account
Submit the IR report
PHASE 1 — TRIAGE
MISSION BRIEF
IR-06 — EASY ⭐⭐ — SEC+ / CySA+

SUSPICIOUS LOGIN ALERT

TICKET: SOC-IR-0044 | Analyst: You | Priority: HIGH

SCENARIO

The SIEM fired an alert at 02:14 UTC for unusual authentication activity on the corporate Azure AD tenant. A user account shows multiple failed logins followed by a successful login from a foreign IP. Your job is to triage this incident, determine what happened, and recommend containment actions.

WHAT TO DO

  • Read the Incident Ticket first
  • Open Auth Logs — look for the spike, then the successful login
  • Use Geo Analysis to see where logins came from
  • Check the suspicious IP in Threat Intel
  • Document your findings and submit the IR Report

KEY CONCEPTS

Credential stuffing — the attacker replays username/password pairs taken from an earlier breach database against other services, attempting logins at scale. It differs from brute force in that it uses known credentials rather than guesses.

MFA — even if credentials are correct, MFA prevents access without the second factor. Its absence is a key finding.

Impossible travel — a login from a location geographically impossible given the user's previous location is a strong indicator of account compromise.

INCIDENT TICKET — SOC-IR-0044
SOC-IR-0044 — Unusual Authentication Activity
Severity: HIGH
Created: 2026-05-08 02:17 UTC
Source: Azure AD Sign-in Logs — SIEM Alert
Alert rule: Multiple failed logins followed by success from new country
Status: OPEN — Awaiting analyst triage
ALERT DESCRIPTION

At 02:14 UTC the SIEM detected 47 failed login attempts against the account [email protected] over a 12-minute window, originating from multiple IP addresses in the 185.220.x.x range. At 02:26 UTC a successful login was recorded from IP 185.220.101.45 (geo: Kyiv, Ukraine). The account's normal login pattern is from 10.10.14.x (internal network, Austin TX) between 08:00–18:00 UTC.

MFA status for this account: NOT ENROLLED

ANALYST TASKS
1. Confirm the credential stuffing pattern in auth logs
2. Identify the successful compromise event
3. Determine MFA status and its impact
4. Look up the source IP in threat intelligence
5. Recommend immediate containment actions
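As an added illustration of the ticket's alert rule (not part of the lab's own tooling), the following Python runs that logic over a constructed set of sign-in events: a baseline of internal successes, 47 failures from 185.220.x.x spread over 12 minutes, then one success from 185.220.101.45. The thresholds, field names and the MFA lookup table are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not the lab's log panel): baseline successes, incident failures, compromise.
BASELINE = [
    {"ts": "2026-05-06 08:02:11", "user": "t.brennan", "ip": "10.10.14.22", "result": "Success", "country": "US"},
    {"ts": "2026-05-07 18:44:00", "user": "t.brennan", "ip": "10.10.14.22", "result": "Success", "country": "US"},
]
_T0 = datetime(2026, 5, 8, 2, 14, 0)          # 47 failures, one every 15 s, from 5 source IPs
FAILED = [
    {"ts": (_T0 + timedelta(seconds=15 * i)).strftime("%Y-%m-%d %H:%M:%S"),
     "user": "t.brennan", "ip": "185.220.101.%d" % (10 + i % 5),
     "result": "Failure", "country": "UA"}
    for i in range(47)
]
COMPROMISE = [{"ts": "2026-05-08 02:26:05", "user": "t.brennan", "ip": "185.220.101.45",
               "result": "Success", "country": "UA"}]
EVENTS = BASELINE + FAILED + COMPROMISE
MFA_ENROLLED = {"t.brennan": False}           # assumed directory lookup (ticket: NOT ENROLLED)

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_stuffing_then_new_country(events, mfa_enrolled, min_failures=10,
                                   window=timedelta(minutes=15)):
    """One finding per successful sign-in that follows >= min_failures failures
    for the same user inside `window` AND comes from a country absent from that
    user's earlier successful logins (the ticket's alert rule)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "Success":
                continue
            t = parse(e["ts"])
            recent_fail = [f for f in evs[:i]
                           if f["result"] == "Failure" and t - parse(f["ts"]) <= window]
            prior_countries = {s["country"] for s in evs[:i] if s["result"] == "Success"}
            if len(recent_fail) >= min_failures and e["country"] not in prior_countries:
                findings.append({"user": user, "success_ts": e["ts"], "success_ip": e["ip"],
                                 "country": e["country"], "failed_count": len(recent_fail),
                                 "failed_ips": sorted({f["ip"] for f in recent_fail}),
                                 "mfa_enrolled": mfa_enrolled.get(user, False)})
    return findings

if __name__ == "__main__":
    for finding in find_stuffing_then_new_country(EVENTS, MFA_ENROLLED):
        print(finding)
```

A finding whose `mfa_enrolled` is False is the combination the ticket flags: correct credentials, no second factor, new country.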
AZURE AD SIGN-IN LOGS — 2026-05-08
Log columns: Timestamp (UTC) | User | Source IP | Result | Location
GEO ANALYSIS — t.brennan Login Locations
LOGIN ORIGIN ANALYSIS — Last 30 Days vs. Incident Window
⚠ Impossible travel: User was logged in from Austin TX at 18:44 UTC on 2026-05-07. A login from Kyiv, Ukraine at 02:26 UTC (7h 42m later) is geographically plausible by flight time but the user's pattern shows no international travel history.