Scattered Identity
Threat hunting Scattered:
Look for low prevalence logins with IPs.
Look for logins from multiple IPs.
Monitor adding users to high privilege groups.
Monitor password resets of privileged accounts.
Hunt for reading/access of incident email.
Last updated
