| Field | Value |
|---|---|
| Alert ID | MS-A001 |
| Alert Name | Access by the same user to a system from multiple sources |
| Description | This alert is triggered when a Windows user accesses the same machine from multiple locations within a predefined time frame. |
| Severity Level | High |
| Threat Indicator | Compromised Account |
| MITRE ATT&CK Tactics | Initial Access, Defense Evasion, Credential Access |
| Log Sources | Windows Security Event Log |
| Recommendations | 1. Identify the user account whose credentials have been compromised. 2. Reset the password for the compromised Windows account. 3. Identify lateral movement of the compromised user account throughout the enterprise by running additional queries in the Sentinel platform. |
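Detection logic for this alert in Python, as an added example that is not part of the original alert definition: it groups Windows Security Event Log logon records per user and target host and flags any pair whose distinct source addresses inside a sliding time window reach a threshold. The field mapping (EID 4624 TargetUserName, Computer, IpAddress), the 15-minute window, the threshold of two sources and the sample events are all constructed assumptions.

```python
"""MS-A001 style check: one user reaching the same host from several source
addresses within a time window. Input rows mirror EID 4624 fields
(TargetUserName, Computer, IpAddress); the sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records: (time, user, target host, source IP).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "FS01", "10.0.1.15"),
    ("2024-05-01T09:04:00", "alice", "FS01", "10.0.1.15"),      # same source, benign
    ("2024-05-01T09:07:00", "alice", "FS01", "198.51.100.7"),   # second source
    ("2024-05-01T09:09:00", "alice", "FS01", "203.0.113.22"),   # third source
    ("2024-05-01T09:20:00", "bob",   "FS01", "10.0.2.9"),
    ("2024-05-01T13:00:00", "bob",   "FS01", "10.0.2.44"),      # hours later: outside window
]


def detect_multi_source_access(events, window=timedelta(minutes=15), min_sources=2):
    """Return one finding per (user, host) whose logons from distinct source
    IPs within any sliding window of length `window` reach `min_sources`.
    Events are (ISO-8601 time, user, host, source_ip) tuples."""
    by_key = defaultdict(list)
    for ts, user, host, src in events:
        # Normalise case so "Alice"/"alice" and "fs01"/"FS01" are one identity.
        by_key[(user.lower(), host.upper())].append((datetime.fromisoformat(ts), src))

    findings = {}
    for key, rows in by_key.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # Distinct sources seen from this logon until the window closes.
            sources = {src for t, src in rows[i:] if t - start <= window}
            if len(sources) >= min_sources:
                # Keep the largest source set observed for this user/host pair.
                if key not in findings or len(sources) > len(findings[key]):
                    findings[key] = sources
    return [(user, host, sorted(srcs)) for (user, host), srcs in sorted(findings.items())]


if __name__ == "__main__":
    for user, host, sources in detect_multi_source_access(SAMPLE_EVENTS):
        print(f"MS-A001: {user} reached {host} from {len(sources)} sources: {', '.join(sources)}")
```

Repeated logons from a single address never trigger, so a user working from one workstation stays quiet while the window and threshold can be tuned to the environment's tolerance for VPN or roaming noise.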