Hello Sophos Community, We received an alert from Sophos Central and Sophos XDR indicating a potential compromise of a user account. We've already taken some actions, such as enabling MFA and requesting a password reset, but we would like to better understand the exact reason behind this alert. The alert was triggered based on the following points: Anomalous Traffic Patterns: Unusual network behavior was detected for this account, deviating from the user's normal activity. Multiple Failed Login Attempts: There were several failed login attempts in a short period, suggesting a possible brute force attempt. Unexpected Login Locations: The account was accessed from geographically distant locations, which is uncommon for the user. Access to Unusual Applications: The account interacted with services/applications outside the user's normal workflow. Threat Intelligence Correlation: Some of the domains and IPs accessed are linked to known threats. My question is: What exactly in the account’s behavior could have triggered the alert in Sophos Central and XDR? Are these indicators sufficient to justify an account compromise alert, or could there be other factors we might be overlooking? I would appreciate any guidance that could help us better understand these alerts and if there is anything else we should be checking.

Why Did Sophos Central and XDR Generate an Alert for a Possible Account Compromise?

Hello Sophos Community,

We received an alert from Sophos Central and Sophos XDR indicating a potential compromise of a user account. We've already taken some actions, such as enabling MFA and requesting a password reset, but we would like to better understand the exact reason behind this alert.

The alert was triggered based on the following points:

Anomalous Traffic Patterns: Unusual network behavior was detected for this account, deviating from the user's normal activity.
Multiple Failed Login Attempts: There were several failed login attempts in a short period, suggesting a possible brute force attempt.
Unexpected Login Locations: The account was accessed from geographically distant locations, which is uncommon for the user.
Access to Unusual Applications: The account interacted with services/applications outside the user's normal workflow.
Threat Intelligence Correlation: Some of the domains and IPs accessed are linked to known threats.

My question is: What exactly in the account’s behavior could have triggered the alert in Sophos Central and XDR? Are these indicators sufficient to justify an account compromise alert, or could there be other factors we might be overlooking?

I would appreciate any guidance that could help us better understand these alerts and if there is anything else we should be checking.