This event occurs when a known user logs in from a location not previously associated with that user.
Why this Event is Important
User logins to the data center are usually predictable: from a corporate office, through a VPN, or from a home office. Home office IPs are often dynamically allocated, but a new lease from the same ISP still resolves to the same city or region, so a home user's geo-location stays stable across lease renewals. A successful login from a location the user has never used before may indicate compromised user credentials. Benign explanations exist too (travel, a new commercial VPN exit, or mobile-carrier addresses that geolocate far from the user), so the event is a prompt to confirm, not proof of compromise.
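The detection described above, as an added example that is not part of the original page or the product's own logic: replay a stream of authentication records, build each user's set of known locations from their earlier successful logins, and alert when a successful login arrives from a location not in that set. The log lines, the IP-to-location table (a stand-in for a real GeoIP database), the `min_history` threshold and all function names are constructed for this illustration. It also covers the two cases the text calls out: a dynamic-IP lease change inside the same ISP pool does not fire, and a user with no baseline yet is not alerted on.

```python
"""Alert on logins from a location not previously associated with the user.

Added example, not code from the original page. The GeoIP table, the log
records and the thresholds are constructed; in production the lookup would
hit a GeoIP database and the baseline would come from a store of past logins.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed stand-in for a GeoIP lookup: network -> (country, city).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("US", "Boston"),   # corporate office
    ipaddress.ip_network("198.51.100.0/24"): ("US", "Boston"),  # home ISP dynamic pool
    ipaddress.ip_network("192.0.2.0/24"): ("RO", "Bucharest"),  # never used by our users
}


def geolocate(ip):
    """Return (country, city) for an IP, or a sentinel when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, loc in GEO_TABLE.items():
        if addr in net:
            return loc
    return ("??", "unknown")


# Constructed auth records: "<ISO timestamp> <user> <source_ip> <result>"
LOG_LINES = [
    "2024-05-01T08:02:11Z alice 203.0.113.15 success",   # office
    "2024-05-01T19:44:03Z alice 198.51.100.7 success",   # home
    "2024-05-02T19:40:52Z alice 198.51.100.91 success",  # same ISP pool, new lease
    "2024-05-03T03:15:27Z alice 192.0.2.44 success",     # new country: should alert
    "2024-05-03T03:20:00Z alice 192.0.2.44 failure",     # failed attempts are ignored here
    "2024-05-03T09:00:00Z bob 192.0.2.10 success",       # bob has no baseline yet
]


def parse(line):
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_new_location_logins(lines, min_history=2):
    """Replay records in order; alert on a successful login from a
    (country, city) the user has not successfully logged in from before.

    Users with fewer than min_history prior successful logins get no alert,
    because there is nothing to compare against; their first locations simply
    become the baseline. Comparing (country, city) rather than the raw IP is
    what keeps a dynamic-IP lease change in the same city quiet.
    """
    seen = defaultdict(set)    # user -> locations already associated with them
    count = defaultdict(int)   # user -> successful logins replayed so far
    alerts = []
    for line in lines:
        ts, user, ip, result = parse(line)
        if result != "success":
            continue  # failed logins are a separate signal (brute force, spraying)
        loc = geolocate(ip)
        if count[user] >= min_history and loc not in seen[user]:
            alerts.append({
                "time": ts.isoformat(),
                "user": user,
                "ip": ip,
                "location": loc,
                "known": sorted(seen[user]),
            })
        seen[user].add(loc)
        count[user] += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_new_location_logins(LOG_LINES):
        print(f"{alert['time']} {alert['user']} logged in from {alert['ip']} "
              f"({alert['location'][1]}, {alert['location'][0]}); "
              f"known locations: {alert['known']}")
```

Keying on (country, city) is a deliberate trade-off: city-level GeoIP data is noisy enough that some ISPs move a subscriber between neighbouring cities, so a production rule often keys on country or on ASN plus country and treats a city change inside the same ASN as low severity. The `min_history` guard matters for the same reason the page gives: a baseline built from one login is no baseline at all.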
If the anomalous login source location is not easily explained (for example by known travel), contact the user through a channel other than the account in question, such as a phone call, and confirm the login.
If the login is determined to be the result of compromised credentials, disable the account, reset its credentials, and revoke any active sessions or tokens. Perform local forensics on the hosts the account touched, and look for signs of lateral movement and for any alternative persistence mechanism the attacker may have established. Restore affected hosts to a known, clean state.