SIEM Alerting on Successful Logins From Outside Domains

Our new SIEM tool called SecureOnix seems to be alerting on successful logins from external domains. Does anyone have a clue on what might be causing this? Our domain is ourcompany.com. So Becky Sue who, when employed with us, used to have a corporate email becky.sue@ourcompany.com has already left the company. However when she logs on to a completely external domain address becky.sue@anothercompany.com an alert triggers into our SIEM tool. It's kind of weird. All the alerts seem to be coming from ex-employees.

Any idea what could be causing this? Our IT environment is a hybrid-cloud running through Azure. As always, thanks for your tips, suggestions, and overall participation

Find more posts tagged with

odd alerts

siem configuration

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

si20

Never used azure, but is it possible that before your employees left that they set up their emails to re-direct? I suppose for that to happen, they'd have needed to know their new company email address. Weird for sure. Two different companies shouldn't be linked together in any way. This sounds very, very dangerous security-wise.