EVENT
Multiple Login Connections From Different IP Addresses.
RECOMMENDED ACTION
This event provides the ability to observe application logins for a single application, which can commonly occur from multiple IP Addresses because of connections from multiple devices. Two devices should be expected and are common (computer, phone), three or more may be a cause for investigation.
ALERT TYPE
Comments
1 comment
Does the alert trigger based on 2 IP's observed or more than 2 IP's observed? Could this be included in the document, as well as the time frame this is checked against?
Please sign in to leave a comment.