Successful login from blacklisted IP address

Alert title: “Successful login from blacklisted IP address”

Description: Alerts if a successful login is made from an IP address which matches the blacklists we check against.

Options:

  • It is possible to ignore a specific IP address

The problem: This alert is triggered when a successful login is detected from a blacklisted IP address. This is an indicator of suspicious activity.

Impact: If it was not one of your team members, then it may be an indication of an account breach (intrusion).

Suggested steps: Engage a technician to confirm that the alert is accurate. Change passwords for all impacted services, and for any other services where the same password is shared (make sure you have a unique password per service). Undertake any required steps as advised by a suitable technician.
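
To help a technician confirm the alert, the check described above can be reproduced over a log extract. This is an added example, not the product's own code: the sshd-style log format, the blacklist and ignore entries (documentation-range addresses) and the function names are all assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data: documentation-range addresses, not real indicators.
BLACKLIST = ["203.0.113.0/24", "198.51.100.7", "2001:db8:bad::/48"]
IGNORED = ["203.0.113.50"]  # the alert's "ignore a specific IP address" option

# Constructed sshd-style auth log lines (assumed log source).
SAMPLE_LOG = """\
Mar  3 10:01:12 web1 sshd[811]: Failed password for root from 203.0.113.9 port 4022 ssh2
Mar  3 10:02:40 web1 sshd[812]: Accepted password for alice from 203.0.113.9 port 4051 ssh2
Mar  3 10:05:03 web1 sshd[815]: Accepted publickey for bob from 203.0.113.50 port 5122 ssh2
Mar  3 10:07:19 web1 sshd[820]: Accepted password for carol from 192.0.2.44 port 6001 ssh2
Mar  3 10:09:55 web1 sshd[823]: Accepted password for dave from 2001:db8:bad::15 port 6100 ssh2
"""

ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def _networks(entries):
    # strict=False lets a single address and a CIDR range share one list.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_blacklisted_logins(log_text, blacklist, ignored=()):
    """Return one alert dict per successful login from a blacklisted, non-ignored IP."""
    bad, skip = _networks(blacklist), _networks(ignored)
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines never raise this alert
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # unparseable source address: skip rather than crash
        # Membership tests across IP versions return False, so mixed lists are safe.
        if any(ip in n for n in skip):
            continue
        hit = next((n for n in bad if ip in n), None)
        if hit is not None:
            alerts.append({"user": m["user"], "ip": str(ip), "matched": str(hit), "line": line})
    return alerts


if __name__ == "__main__":
    for a in find_blacklisted_logins(SAMPLE_LOG, BLACKLIST, IGNORED):
        print(f"ALERT: successful login by {a['user']} from {a['ip']} (blacklist entry {a['matched']})")
```

Each returned entry keeps the original log line, so the matching login can be checked against what the team member actually did before any IP address is added to the ignore option.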