Do you alert on suspicious sign-ins (impossible travel, new device, post-MFA hijack)?
Demonstrate that the organization detects and alerts on anomalous authentication events indicative of credential compromise, including impossible travel, unrecognized devices, and post-MFA session hijacking.
Description
What this control does
This control ensures that identity providers or security monitoring systems generate alerts when authentication events exhibit suspicious characteristics such as geographically impossible travel (e.g., login from New York followed by login from Singapore within an hour), use of previously unseen devices or browsers, or session activity following multi-factor authentication (MFA) that suggests token theft or session hijacking. These alerts enable security teams to detect compromised credentials or active account takeover attempts in real time. The control typically leverages conditional access policies, user and entity behavior analytics (UEBA), or identity threat detection platforms integrated with identity providers like Azure AD, Okta, or Google Workspace.
Control objective
What auditing this proves
Demonstrate that the organization detects and alerts on anomalous authentication events indicative of credential compromise, including impossible travel, unrecognized devices, and post-MFA session hijacking.
Associated risks
Risks this control addresses
- Compromised credentials are used by attackers from foreign or unexpected geographic locations without detection
- Attackers authenticate from unmanaged or malicious devices that bypass organizational security controls
- Session tokens or cookies are stolen post-authentication and reused to bypass MFA protections
- Credential stuffing or password spray attacks succeed without triggering monitoring due to lack of anomaly detection
- Insider threats authenticate from unusual locations or devices without investigation
- Phishing victims' credentials are exploited in real-time while security teams remain unaware
- Delayed detection of account takeover allows attackers prolonged access to sensitive systems and data
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's identity provider configuration for anomalous sign-in detection policies, including impossible travel, new device detection, and post-MFA anomaly rules.
- Review alert configuration settings to confirm thresholds, detection logic, and enabled alert types for suspicious authentication events.
- Request documentation of the geographic velocity and impossible travel detection algorithm parameters (e.g., time windows, distance thresholds).
- Examine logs from the past 90 days to identify examples of triggered alerts for impossible travel, new device sign-ins, or post-MFA anomalies.
- Interview security operations personnel to confirm alert routing, triage procedures, and escalation workflows for suspicious sign-in events.
- Select a sample of 5-10 triggered alerts and trace each to documented investigation records, including disposition and remediation actions taken.
- Perform a simulated test by authenticating from a new device or VPN endpoint and verify that an alert is generated and delivered to the security team within the expected timeframe.
- Review integration between the identity provider and SIEM or SOAR platforms to confirm alert ingestion, correlation, and automated response capabilities.
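The geographic-velocity logic referenced in the description and in the parameter-review step above, as an added example that is not part of this control's text or any identity provider's product: it walks constructed sign-in records per user, computes the great-circle distance between consecutive sign-ins, flags any pair whose implied speed exceeds an assumed 900 km/h threshold, and separately flags a device id not previously seen for that user. The record layout, sample values and threshold are assumptions for illustration.

```python
import math
from datetime import datetime

# Constructed sample sign-in records (not real data):
# (user, UTC timestamp, city, latitude, longitude, device id)
SIGNINS = [
    ("alice", "2024-03-01T09:00:00", "New York",  40.71,  -74.01, "dev-A"),
    ("alice", "2024-03-01T09:50:00", "Singapore",  1.35,  103.82, "dev-B"),
    ("bob",   "2024-03-01T08:00:00", "London",    51.51,   -0.13, "dev-C"),
    ("bob",   "2024-03-01T15:00:00", "Paris",     48.86,    2.35, "dev-C"),
]

MAX_SPEED_KMH = 900.0  # assumed threshold: faster than a commercial flight


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS-84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(signins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, alert_type, detail) tuples for impossible travel and new-device sign-ins."""
    alerts = []
    last = {}     # user -> (time, lat, lon) of the previous sign-in
    devices = {}  # user -> set of device ids already seen
    for user, ts, city, lat, lon, dev in sorted(signins, key=lambda s: (s[0], s[1])):
        t = datetime.fromisoformat(ts)
        seen = devices.setdefault(user, set())
        # First sign-in for a user establishes the baseline; later unseen devices alert.
        if seen and dev not in seen:
            alerts.append((user, "new_device", f"{dev} first seen at {city}"))
        seen.add(dev)
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = (t - t0).total_seconds() / 3600
            km = haversine_km(lat0, lon0, lat, lon)
            # Same-timestamp sign-ins from different places are treated as infinite speed.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((user, "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
        last[user] = (t, lat, lon)
    return alerts
```

An auditor reviewing the real configuration should ask for the equivalent of `MAX_SPEED_KMH` and the lookback window, and confirm that VPN or cloud-proxy egress locations are accounted for, since those are the usual source of false positives.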