This event occurs when a known user logged in from an IP address not associated with the user.
Why this Event is Important
User logins to the data center are often predictable—from a corporate office, through a VPN or from a home office. Although home office IPs are often dynamically allocated, they usually do not change upon lease renewal. A user login from a new IP address may indicate compromised user credentials.
If the anomalous login source IP address is not easily explained, contact the user and confirm the login.
If the login is determined to be the result of compromised credentials, disable the account. Perform local forensics, look for signs of lateral movement, and an alternative method of persistence. Take the necessary steps to restore the host to a known, clean state as necessary.