Identity Compromise Investigation

Investigate suspicious identity activity step-by-step. Identify account takeover signals, assess blast radius, and produce a professional SOC ticket.

⚡ Takes ~2–3 minutes 📊 Output: Summary + IOCs 🔒 No login required

No setup needed — just paste and run

  • Impossible travel alert triggered
  • Multiple failed login attempts
  • MFA fatigue attack suspected
Step 1: Login Anomaly Analysis

You are a SOC analyst investigating a potential identity compromise alert. Assume an enterprise environment unless I specify otherwise. Paste login logs, Azure AD alerts, Okta logs, or VPN access logs below.

Analyze for:
1. Impossible travel — same account logging in from two distant locations within a short timeframe
2. Unusual login time — outside normal working hours for this user
3. Unfamiliar device or user agent
4. Login from high-risk country or anonymizing infrastructure (VPN, Tor, proxy)
5. Multiple failed logins followed by success (brute force indicator)
6. MFA fatigue — repeated MFA push requests

If key baseline information is missing, explicitly list what additional context is needed before making a conclusion.

Output format:

IDENTITY ALERT OVERVIEW
- Account:
- Alert Type:
- Source Tool:

ANOMALIES DETECTED
| Anomaly Type | Evidence | Risk Level | Confidence |

BASELINE QUESTIONS TO ANSWER
- Does this user normally log in from this location?
- Does this user normally log in at this time?
- Is this device registered to this user?

Only use data present in the logs provided. Do not guess or assume values.

[PASTE LOGIN LOGS OR ALERT HERE]
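As an added worked example (not part of the original workflow), the following Python script automates three of the Step 1 checks over constructed sign-in records: impossible travel as an implied great-circle speed between consecutive successful logins, a run of failures immediately followed by a success, and repeated MFA pushes inside a short window. The record schema and the thresholds (900 km/h, 3 failures, 3 pushes in 10 minutes) are assumptions for the demonstration, not values from the page.

```python
import math
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from the page). Fields mimic a generic
# IdP export: user, UTC timestamp, result, city, latitude, longitude, MFA push sent.
RAW = [
    ("sarah.johnson", "2024-05-01T09:00:00", "success", "New York", 40.71, -74.01, False),
    ("sarah.johnson", "2024-05-01T09:45:00", "success", "London", 51.51, -0.13, False),
    ("bob.lee", "2024-05-01T22:01:00", "failure", "Austin", 30.27, -97.74, False),
    ("bob.lee", "2024-05-01T22:01:30", "failure", "Austin", 30.27, -97.74, False),
    ("bob.lee", "2024-05-01T22:02:00", "failure", "Austin", 30.27, -97.74, False),
    ("bob.lee", "2024-05-01T22:02:30", "success", "Austin", 30.27, -97.74, False),
    ("ana.ruiz", "2024-05-01T03:10:00", "failure", "Seattle", 47.61, -122.33, True),
    ("ana.ruiz", "2024-05-01T03:11:00", "failure", "Seattle", 47.61, -122.33, True),
    ("ana.ruiz", "2024-05-01T03:12:00", "success", "Seattle", 47.61, -122.33, True),
]
FIELDS = ("user", "ts", "result", "city", "lat", "lon", "push")
LOGS = [{**dict(zip(FIELDS, r)), "ts": datetime.fromisoformat(r[1])} for r in RAW]

def haversine_km(a, b):
    # Great-circle distance between the coordinates of two sign-in events
    la1, lo1, la2, lo2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def analyze(events, max_kmh=900, fail_threshold=3, push_threshold=3, push_window_min=10):
    # Returns (user, anomaly, evidence, risk) tuples, the shape of the ANOMALIES DETECTED table
    findings, by_user = [], {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        # Check 1, impossible travel: consecutive successes imply a speed no airliner reaches
        ok = [e for e in evs if e["result"] == "success"]
        for a, b in zip(ok, ok[1:]):
            hours, km = (b["ts"] - a["ts"]).total_seconds() / 3600, haversine_km(a, b)
            if km / max(hours, 1 / 60) > max_kmh:  # sub-minute gaps count as one minute
                findings.append((user, "Impossible travel", f"{a['city']} then {b['city']} {hours * 60:.0f} min apart ({km:.0f} km)", "Critical"))
        # Check 5, brute force: a run of failures immediately followed by a success
        for i, e in enumerate(evs):
            run = evs[i - fail_threshold:i] if i >= fail_threshold else []
            if e["result"] == "success" and run and all(x["result"] == "failure" for x in run):
                findings.append((user, "Failed logins then success", f"{fail_threshold}+ failures before success at {e['ts']:%H:%M} UTC", "High"))
        # Check 6, MFA fatigue: repeated push prompts inside a short window
        pushes = [e["ts"] for e in evs if e["push"]]
        window = timedelta(minutes=push_window_min)
        bursts = [sum(1 for u in pushes if t <= u <= t + window) for t in pushes]
        if bursts and max(bursts) >= push_threshold:
            findings.append((user, "MFA fatigue", f"{max(bursts)} MFA pushes within {push_window_min} min", "High"))
    return findings
```

Each finding still needs the baseline questions from the prompt answered before it becomes a conclusion; the script only surfaces candidates for the analyst.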
Step 2: Threat Context

Based on the login anomaly from Step 1, determine the likely attack scenario. Analyze whether this matches:
1. Account takeover via credential stuffing
2. Phishing — stolen credentials used immediately
3. MFA fatigue attack — user approved malicious push
4. Insider threat — legitimate user acting maliciously
5. Session hijacking — attacker stole active session token
6. Password spray attack

For each possible scenario:
- Cite the specific evidence that supports it
- Rate likelihood: High / Medium / Low

Then answer:
- Has the attacker established persistence? (new MFA device added, OAuth app authorized, forwarding rule created)
- Is there evidence of lateral movement from this account?

If no clear threat context exists, state: "Insufficient data to determine attack scenario. Recommend immediate user verification."
Step 3: Blast Radius Assessment

Based on all previous analysis, assess the potential blast radius of this identity compromise.

Determine:
1. What resources does this account have access to? Only infer resource sensitivity if the logs explicitly show role, title, or system ownership. Otherwise state: "Not enough context to determine resource sensitivity."
2. What actions did the account take after the suspicious login?
   - Emails sent or forwarded
   - Files accessed or downloaded
   - Admin actions performed
   - New accounts created
   - OAuth applications authorized
3. Were any high-risk actions performed?
   - Password reset for other accounts
   - MFA device changes
   - Privilege escalation
   - Mass file download or deletion
   - Email forwarding rules created

⚠️ Mark highest risk findings as CRITICAL

Provide:
- Immediate containment actions required
- Accounts or systems that may also be compromised
- Evidence to preserve for forensics
Step 4: SOC Ticket Summary

Write a professional SOC ticket for this identity compromise investigation.

Include:
- What triggered the investigation (one sentence)
- Current assessment: confirmed compromise, suspected compromise, or false positive
- Key evidence supporting the assessment
- Immediate actions taken or required

Length: 3-4 sentences maximum.
Format: suitable for pasting into a case management system.
Severity: Critical / High / Medium / Low
Disposition: True Positive / False Positive / Needs Investigation

CONTAINMENT CHECKLIST
[ ] Disable compromised account
[ ] Revoke all active sessions
[ ] Reset password
[ ] Review and remove suspicious MFA devices
[ ] Check for email forwarding rules
[ ] Review OAuth app permissions
[ ] Notify affected user via alternate channel

IOCS
| IOC Type | Value | Context |

If no IOCs identified, state: "No IOCs identified."

Example Output

Here's what you can expect after completing this workflow:

IDENTITY ALERT OVERVIEW
========================
Account: sarah.johnson@company.com
Alert Type: Impossible Travel
Source Tool: Microsoft Azure AD Identity Protection

ANOMALIES DETECTED
==================
| Anomaly | Evidence | Risk Level | Confidence |
| Impossible travel | Login from New York at 09:00, London at 09:45 (same account) | Critical | High |
| Unfamiliar device | New device fingerprint, not registered | High | High |
| Off-hours access | London login at 2:45 AM local time | Medium | Medium |

THREAT CONTEXT
==============
Most likely scenario: Account takeover via phishing (High confidence)
- Credentials stolen via phishing email
- Attacker logged in immediately from London VPN
- Legitimate user was already active in New York

BLAST RADIUS
============
- Email access confirmed (Outlook 365)
- 3 files downloaded from SharePoint in London session
- No admin actions detected
- No forwarding rules found yet

SOC TICKET
==========
Severity: CRITICAL
Disposition: True Positive — Confirmed Compromise

Azure AD detected impossible travel for sarah.johnson — simultaneous logins from New York and London within 45 minutes. Account has been disabled and all sessions revoked. Password reset and MFA re-enrollment required before account reinstatement.
