SIEM Alerting on Successful Logins From Outside Domains

egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
edited February 2020 in Incident Response
Our new SIEM tool called SecureOnix seems to be alerting on successful logins from external domains.  Does anyone have a clue on what might be causing this?  Our domain is ourcompany.com.  So Becky Sue who, when employed with us, used to have a corporate email becky.sue@ourcompany.com has already left the company.  However when she logs on to a completely external domain address becky.sue@anothercompany.com an alert triggers into our SIEM tool.  It's kind of weird.  All the alerts seem to be coming from ex-employees.

Any idea what could be causing this?  Our IT environment is a hybrid-cloud running through Azure.  As always, thanks for your tips, suggestions, and overall participation :smile:
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Tagged:
· Share on FacebookShare on Twitter

Comments

  • si20si20 Member Posts: 543 ■■■■■□□□□□
    Never used azure, but is it possible that before your employees left that they set up their emails to re-direct? I suppose for that to happen, they'd have needed to know their new company email address. Weird for sure. Two different companies shouldn't be linked together in any way. This sounds very, very dangerous security-wise.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.