Multiple Login Connections From Different IP Addresses.
This event lets you observe logins to a single application. Logins from multiple IP addresses are common because users connect from multiple devices. Two devices should be expected and are common (computer, phone), three are not unusual (computer, phone, tablet), and four or more may be a cause for investigation.
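The tiers above can be expressed as a sliding-window count of distinct IP addresses, shown here as an added example that is not the product's own detection logic. The 24-hour window, the grouping by user and application, the treatment of one IP as one device, and the event tuple layout are all assumptions, since the page states none of them; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def classify(distinct_ips):
    """Map a distinct-IP count onto the tiers described in the text."""
    if distinct_ips >= 4:
        return "investigate"
    if distinct_ips == 3:
        return "not unusual"
    return "expected"

def scan(events, window_hours=24):
    """events: (iso_timestamp, user, application, ip) tuples in any order.
    Returns {(user, application): (peak, tier)}, where peak is the largest
    number of distinct IPs seen inside any single window.
    window_hours is an assumed value; the page gives no time frame."""
    window = timedelta(hours=window_hours)
    recent = defaultdict(deque)  # (user, app) -> (time, ip) pairs still in window
    peak = defaultdict(int)
    for ts, user, app, ip in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[(user, app)]
        q.append((now, ip))
        while now - q[0][0] > window:  # drop logins older than the window
            q.popleft()
        peak[(user, app)] = max(peak[(user, app)], len({i for _, i in q}))
    return {key: (n, classify(n)) for key, n in peak.items()}

# Constructed sample data (documentation IP ranges, hypothetical users).
SAMPLE = [
    ("2024-05-01T08:00:00", "alice", "crm", "192.0.2.10"),
    ("2024-05-01T09:30:00", "alice", "crm", "198.51.100.7"),
    ("2024-05-01T13:00:00", "alice", "crm", "203.0.113.5"),
    ("2024-05-01T21:15:00", "alice", "crm", "203.0.113.99"),
    ("2024-05-01T08:05:00", "bob", "crm", "192.0.2.20"),
    ("2024-05-01T12:00:00", "bob", "crm", "198.51.100.20"),
    # carol uses four IPs in total, but never more than three in one window
    ("2024-05-01T08:00:00", "carol", "crm", "192.0.2.30"),
    ("2024-05-01T18:00:00", "carol", "crm", "198.51.100.30"),
    ("2024-05-02T07:00:00", "carol", "crm", "203.0.113.30"),
    ("2024-05-03T09:00:00", "carol", "crm", "203.0.113.31"),
]

if __name__ == "__main__":
    for (user, app), (n, tier) in sorted(scan(SAMPLE).items()):
        print(f"{user:6} {app:4} peak_distinct_ips={n} -> {tier}")
```

The carol rows show why the time frame matters: the same logins land in a different tier when the window is widened.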
Does the alert trigger based on 2 IPs observed or more than 2 IPs observed? Could this be included in the document, as well as the time frame this is checked against?