locked
Suspicion of identity theft based on abnormal behaviour By Users RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    A user has been identified as Suspicion of identity theft based on abnormal behavior

    The log shows that he accessed 37 resources whereas after investigations he confirmed that he did not access 37 resources by himself but logged onto 2 resources alone.

    I had gone through your links and articles but i did not answer my question.

    please let me know what could be the reason it shows he accessed 37 resources. Why it showed 37 resources accessed when he only logged onto 2 resources. 

    If i exclude this user, will the same user never be detected if he really does suspicious access from the same ipaddress to same destination?

    Monday, July 6, 2020 7:02 AM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    If the alerts shows he accessed 37 resources, then most likely he did...

    He might only remembers 2/ or only directly accessed those 2, but actions under his account accessed more...

    What are those other resources? do you have logs on those specific resources or some of them which he claims he did not access to see if you can find access evidence there as well?

    Did he use any new apps that might have accessed those resources under his account without him knowing it?

    Any chance of malware on this device?

     Excluding his account for this detector will prevent this detector from reporting this user ever again, doesn't matter from where or to where.

    I would not do that until I have proper explanation of what happened and if it is legit or not.

    Monday, July 6, 2020 7:33 AM