Sign In from Rogue State

Panther Rules

Summary
The 'Sign In from Rogue State' rule detects authentication attempts originating from geographical regions recognized as potential sources of cyber threats. It targets login events whose source country is known to be associated with malicious cyber activity, using several log sources (Asana, AWS CloudTrail, Azure, and Okta audit logs) to identify such events. The detection carries a medium severity. Its de-duplication period is 60 minutes, so multiple sign-in attempts from the same source within that window produce a single alert.
Categories
  • Identity Management
  • Cloud
  • Endpoint
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078.004
Created: 2024-11-13