Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook.
Unusual Login incidents are anomalous authentication events that deviate from the normal patterns of an administrative or user account: an abnormal number of authentication events at a time when the user does not normally authenticate.
Unlike traditional brute force attacks that rely on sheer volume, these incidents often exploit valid credentials—frequently obtained from infostealers or the compromised credential market—bypassing the need to technically breach the perimeter.
By detecting this malicious activity, Lumu provides visibility into three critical areas:
You can use Lumu Discover to quickly analyze your organization's compromised credential and exposed attack surface.
This document outlines how Lumu delivers valuable insight into the detection of this attack by providing the necessary context—Scope, Severity, and Source—presenting a contextualized narrative of the attack that supports the decision-making of your organization's response team.
Lumu captures specific metadata fields to facilitate forensic analysis and scope determination. The data collected for this incident includes:
The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:
1. Summary: This section highlights critical information, including the First and Last Unusual Logins and the Incident Duration. This data establishes a general scope of the incident, allowing analysts to quickly differentiate between a momentary anomaly (like a user traveling) and a sustained account takeover attempt.
2. Unusual Login Events: This section displays the most relevant data regarding the unusual login activity. It quantifies the anomaly's overall severity and scope, allowing analysts to immediately assess the magnitude of the threat. In this section you will find:
3. Unusual Events: This detailed list breaks down each individual unusual login event, displaying the exact timestamp and endpoint of each login.
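As an added example (not Lumu's own detection logic or data), the following simplified version of the behaviour described above learns a per-user baseline of login hours from a constructed sample log, flags later logins that fall outside those hours, and condenses the flagged events into the Summary-style fields (first and last unusual login, duration, logins per endpoint). The user, endpoint names and timestamps are constructed.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample authentication log (not real Lumu data): (user, endpoint, UTC timestamp).
# Events before BASELINE_CUTOFF form the learning window; later events are evaluated.
SAMPLE_EVENTS = [
    ("alice", "WS-ALICE-01", "2024-03-04T09:12:00Z"),
    ("alice", "WS-ALICE-01", "2024-03-04T14:40:00Z"),
    ("alice", "WS-ALICE-01", "2024-03-05T08:55:00Z"),
    ("alice", "WS-ALICE-01", "2024-03-06T16:20:00Z"),
    ("alice", "WS-ALICE-01", "2024-03-08T09:05:00Z"),   # within baseline hours: normal
    ("alice", "UNKNOWN-HOST", "2024-03-08T02:14:00Z"),  # off-hours burst: unusual
    ("alice", "UNKNOWN-HOST", "2024-03-08T02:15:00Z"),
    ("alice", "WS-ALICE-01", "2024-03-08T02:31:00Z"),   # own workstation, but off-hours
]
BASELINE_CUTOFF = "2024-03-07T00:00:00Z"

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_baseline(events, cutoff):
    """Per-user set of hours-of-day in which logins were seen during the learning window."""
    hours = {}
    for user, _endpoint, ts in events:
        t = parse_ts(ts)
        if t < parse_ts(cutoff):
            hours.setdefault(user, set()).add(t.hour)
    return hours

def find_unusual_logins(events, cutoff, baseline):
    """Logins after the cutoff whose hour-of-day the user has never authenticated in."""
    unusual = []
    for user, endpoint, ts in events:
        t = parse_ts(ts)
        if t >= parse_ts(cutoff) and t.hour not in baseline.get(user, set()):
            unusual.append((user, endpoint, t))
    return sorted(unusual, key=lambda e: e[2])

def summarize(unusual):
    """Incident view: first/last unusual login, duration in minutes, logins per endpoint."""
    if not unusual:
        return None
    first, last = unusual[0][2], unusual[-1][2]
    return {
        "first": first.isoformat(),
        "last": last.isoformat(),
        "duration_minutes": int((last - first).total_seconds() // 60),
        "total": len(unusual),
        "endpoints": Counter(endpoint for _u, endpoint, _t in unusual),
    }
```

On the sample log, the three 02:xx logins are flagged while the 09:05 login is not, giving a 17-minute incident spanning two endpoints.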
While the Lumu Portal displays the most critical data points—such as the top attacking sources and target users—complex attacks often involve volumes of traffic that exceed what can be efficiently displayed on a single screen. For that reason, Lumu supports in-depth investigations with its Export Feature, which allows analysts to move beyond the high-level summary and access the complete forensic dataset of the incident.
You can export data using the dropdown menu located at the top of the page (1) or using the button below the Summary section (2).
You can export the following data for this incident: