Unusual Login Detection

Note: Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook.

Unusual Login incidents are anomalous authentication events that deviate from the normal authentication pattern of a user or administrative account: an abnormal number of authentication events occurring at a time when that account does not normally authenticate.

Unlike traditional brute force attacks that rely on sheer volume, these incidents often exploit valid credentials—frequently obtained from infostealers or the compromised credential market—bypassing the need to technically breach the perimeter.

By detecting this malicious activity, Lumu provides visibility into three critical areas:

  • Compromised credentials: Identifies successful access using stolen credentials before unauthorized access leads to further damage or lateral movement.
    Note: You can use Lumu Discover to quickly analyze your organization's compromised credentials and exposed attack surface.
  • Suspicious authentication patterns: Highlights irregular login times, unusual login rates, or suspicious behavior originating from standard or administrative accounts.
  • Attack correlation: Allows security teams to verify whether prior attack attempts (such as malware, phishing, or network scanning) resulted in a successful compromise of a user account.

This document outlines how Lumu delivers insight into the detection of this attack by providing the necessary context (Scope, Severity, and Source) and presenting a contextualized narrative of the attack that supports the decisions of your organization's response team.

Collected Data

Lumu captures specific metadata fields to facilitate forensic analysis and scope determination. The data collected for this incident includes:

  • Targeted User: The specific account exhibiting the anomalous login behavior.
  • Endpoint: The IP address or endpoint from which the unusual login originated.
  • Login Time: The exact timestamp of the authentication event, highlighting off-hour anomalies.
  • Affected Domain: The domain in which the unusual logins occurred.

Incident Details

The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:


1. Summary: This section highlights critical information, including the First and Last Unusual Logins and the Incident Duration. This data establishes a general scope of the incident, allowing analysts to quickly differentiate between a momentary anomaly (like a user traveling) and a sustained account takeover attempt.

2. Unusual Login Events: This section displays the most relevant data regarding the unusual login activity. It quantifies the anomaly's overall severity and scope, allowing analysts to immediately assess the magnitude of the threat. In this section you will find:

  • Unusual Events: The number of distinct anomalous events, which helps identify whether the activity is an isolated incident or a recurring pattern.
  • Endpoints: Indicates the number of originating endpoints. This reveals if the compromised account is being accessed from a single unauthorized location or distributed across multiple regions.
  • Logins Detected: The total number of logins detected for the duration of the incident.
  • User Behavior Heatmap: A visual analytical tool designed to help analysts quickly identify anomalous login patterns by mapping authentication volume against time.

3. Unusual Events: This detailed list breaks down each individual unusual login event, displaying the exact timestamp and endpoint of each login.
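The detection logic introduced at the top of this page (an abnormal number of logins at hours the account does not normally authenticate, covering both "irregular login times" and "unusual login rates") and the figures the Incident Details section lists, as an added example. This is not Lumu's code: the thresholds, the 30-minute event-grouping rule, the record layout and the sample log are assumptions of the example. It builds an hour-of-week baseline per account from a constructed log, flags logins in buckets the account never uses and bursts above the account's normal hourly rate, groups flagged logins into events, and derives the Summary and Unusual Login Events values (first and last unusual login, duration, unusual events, endpoints, logins detected, heatmap).

```python
"""Hour-of-week baseline detector for unusual logins (added example, not Lumu code).

Two signals from the text: logins at hours the account does not normally
authenticate, and bursts above the account's normal hourly rate. Thresholds,
the event-grouping rule and the sample log are assumptions of this example.
A login record is (user, endpoint, timestamp, domain), mirroring Collected Data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_BASELINE_HITS = 2              # fewer baseline logins in a bucket => off-hours
RATE_FACTOR = 3                    # > RATE_FACTOR x user's max hourly rate => burst
EVENT_GAP = timedelta(minutes=30)  # flagged logins closer than this form one event

def bucket(ts):
    """Hour-of-week bucket (weekday, hour), Monday = 0."""
    return (ts.weekday(), ts.hour)

def clock_hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)

def build_baseline(logins):
    """Per-user login count per bucket, plus each user's max logins in one clock hour."""
    buckets, hourly = defaultdict(Counter), defaultdict(Counter)
    for user, _, ts, _ in logins:
        buckets[user][bucket(ts)] += 1
        hourly[user][clock_hour(ts)] += 1
    return buckets, {user: max(c.values()) for user, c in hourly.items()}

def find_unusual(logins, buckets, max_rate):
    """Return the logins that are off-hours or part of a burst for their user."""
    hourly = Counter((user, clock_hour(ts)) for user, _, ts, _ in logins)
    unusual = []
    for rec in logins:
        user, _, ts, _ = rec
        off_hours = buckets[user][bucket(ts)] < MIN_BASELINE_HITS
        burst = hourly[(user, clock_hour(ts))] > RATE_FACTOR * max_rate.get(user, 0)
        if off_hours or burst:
            unusual.append(rec)
    return unusual

def cluster_events(unusual):
    """Group one user's unusual logins into events, splitting at gaps >= EVENT_GAP."""
    events = []
    for rec in sorted(unusual, key=lambda r: (r[0], r[2])):
        last = events[-1][-1] if events else None
        if last and last[0] == rec[0] and rec[2] - last[2] < EVENT_GAP:
            events[-1].append(rec)
        else:
            events.append([rec])
    return events

def summarize(all_logins, unusual):
    """The figures the Incident Details section lists."""
    first, last = min(r[2] for r in unusual), max(r[2] for r in unusual)
    return {
        "first_unusual_login": first,
        "last_unusual_login": last,
        "incident_duration": last - first,
        "unusual_events": len(cluster_events(unusual)),
        "endpoints": len({r[1] for r in unusual}),
        # all of the account's logins inside the incident window, not only flagged ones
        "logins_detected": sum(1 for r in all_logins if first <= r[2] <= last),
    }

def heatmap(logins, user):
    """Text form of the User Behavior Heatmap: login count per weekday x hour."""
    counts = Counter(bucket(ts) for u, _, ts, _ in logins if u == user)
    rows = ["    " + " ".join(f"{h:2d}" for h in range(24))]
    for wd, name in enumerate(("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")):
        rows.append(name + " " + " ".join(f"{counts[(wd, h)]:2d}" for h in range(24)))
    return "\n".join(rows)

def constructed_log():
    """Constructed sample, not real data. Baseline: alice signs in from 10.0.0.5 at
    09, 10, 14 and 16 every weekday for four weeks from Mon 2024-05-06. Evaluation
    day Mon 2024-06-03: a normal 09:04 login, five 03:xx logins from two external
    addresses, and six logins between 10:00 and 10:20 from one of them."""
    baseline = []
    for i in range(28):
        d = datetime(2024, 5, 6) + timedelta(days=i)
        if d.weekday() < 5:
            baseline += [("alice", "10.0.0.5", d.replace(hour=h, minute=5), "corp.example")
                         for h in (9, 10, 14, 16)]
    day = [("alice", "10.0.0.5", datetime(2024, 6, 3, 9, 4), "corp.example"),
           ("alice", "198.51.100.9", datetime(2024, 6, 3, 3, 15), "corp.example")]
    day += [("alice", "203.0.113.7", datetime(2024, 6, 3, 3, m), "corp.example")
            for m in (2, 5, 9, 40)]
    day += [("alice", "203.0.113.7", datetime(2024, 6, 3, 10, m), "corp.example")
            for m in range(0, 24, 4)]
    return baseline, day

def run():
    baseline, day = constructed_log()
    buckets, max_rate = build_baseline(baseline)
    unusual = find_unusual(day, buckets, max_rate)
    return summarize(day, unusual), unusual

if __name__ == "__main__":
    summary, unusual = run()
    print(summary)
    print(heatmap(constructed_log()[0], "alice"))
```

Under these assumptions the 09:04 login from the usual address is not flagged, the 03:xx logins are flagged because the account has no history in that hour-of-week bucket, and the 10:00 to 10:20 run is flagged only by the rate test, since 10:00 on a Monday is a normal hour for the account. The two flagged groups become two events because more than 30 minutes separate them, which is the kind of distinction the Summary section's First and Last Unusual Login and Incident Duration let an analyst draw between a momentary anomaly and a sustained takeover attempt.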

Incident data export

While the Lumu Portal displays the most critical data points, such as the top attacking sources and targeted users, complex attacks often involve volumes of traffic that exceed what can be efficiently displayed on a single screen. For that reason, Lumu supports in-depth investigations with its Export feature, which lets analysts move beyond the high-level summary and access the complete forensic dataset of the incident.

You can export data using the dropdown menu located at the top of the page (1) or using the button below the Summary section (2).


Exportable data

You can export the following data for this incident:

  • All unusual events
    Generates a CSV file with the details of every unusual login event recorded in the incident.
  • Unusual Logins from a single event
    Generates a CSV file with the login information for every login recorded within a single event (an incident can have multiple events). You can download this file directly from the unusual event's details.


Related Articles

  • Login Brute force Incident Response Playbook
    The Lumu Login Brute force Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61, the incident response life ...
  • General Incident Response Playbook
    Lumu's Incident Response Playbooks are based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST) and provide essential recommendations for responding to information security incidents. ...
  • Incident Details - Detections
    The Detections Panel is the core investigative hub within the Lumu Portal. When suspicious activity on your network escalates into a confirmed incident, this panel serves as your team's starting point for rapid triage and response. It is designed to ...
  • Unusual Login Incident Response Playbook
    The Lumu Unusual Login Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61, the incident response life cycle ...
  • Anonymized Login Detection
    Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook. Anonymized Login incidents occur when an account within EntraID authenticates from anonymized infrastructure, such as VPNs, proxy servers, ...