SIEM Alerting on Successful Logins From Outside Domains

egrizzlyegrizzly B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+Member Posts: 365 ■■■■□□□□□□
edited February 4 in Incident Response
Our new SIEM tool called SecureOnix seems to be alerting on successful logins from external domains.  Does anyone have a clue on what might be causing this?  Our domain is ourcompany.com.  So Becky Sue who, when employed with us, used to have a corporate email [email protected] has already left the company.  However when she logs on to a completely external domain address [email protected] an alert triggers into our SIEM tool.  It's kind of weird.  All the alerts seem to be coming from ex-employees.

Any idea what could be causing this?  Our IT environment is a hybrid-cloud running through Azure.  As always, thanks for your tips, suggestions, and overall participation :smile:

Comments

  • si20si20 Member Posts: 519 ■■■■□□□□□□
    Never used azure, but is it possible that before your employees left that they set up their emails to re-direct? I suppose for that to happen, they'd have needed to know their new company email address. Weird for sure. Two different companies shouldn't be linked together in any way. This sounds very, very dangerous security-wise.
Sign In or Register to comment.