User Logged In From New Location
This alert occurs when Lacework detects a known user logged in from a location not associated with the user.
Why this Alert is Important
User logins to the data center are often predictable—from a corporate office, through a VPN, or from a home office. Although home office IPs are often dynamically allocated, the geo-location does not change upon lease renewal. A user login from a new location may indicate compromised user credentials.
Investigation
If the anomalous login source location is not easily explained, contact the user and confirm the login.
Resolution
If the login is determined to be the result of compromised credentials, disable the account. Perform local forensics, look for signs of lateral movement, and an alternative method of persistence. Take the necessary steps to restore the host to a known, clean state as necessary.