How to Check if the Login Attempts Done by Attackers were Successful

Problem statement

This article details how to check if the login attempts done by an attacker were successful.

Solution

Determine the IPs blocked by the anomaly detection feature by filtering the tenant logs for the event types limit_mu and limit_wc. Once the IPs are known, filter for successful login events (event type s) from those IPs. Other event types may also indicate a successful login depending on the implementation details, so reviewing the available event types in the log event types document may be helpful.

Because some of the successful logins from a blocked IP may still belong to a legitimate user sharing that IP, further analysis of the candidate suspicious logins is needed once they have been identified. This can be done by reviewing the other events for the same user: for example, whether the login came from the user's usual location, whether it fits the user's usual activity times, and whether its user agent is consistent with the user agents recorded for the user's logins from other IPs. A login that does not fit the user's established pattern has a higher probability of being an attacker who has compromised the account.
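The following is an added example (not part of the original article or any Auth0 tooling) that runs the two-step triage above over a constructed set of tenant log entries: it collects the IPs seen in limit_mu / limit_wc events, pulls the type s logins from those IPs, and then compares each one's user agent against the user agents the same user used for logins from other IPs. The field names (type, ip, user_name, user_agent, date) and the sample values are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample tenant log entries (subset of fields, assumed names).
SAMPLE_LOGS = [
    {"type": "limit_mu", "ip": "203.0.113.7", "user_name": "alice@example.com",
     "user_agent": "python-requests/2.31", "date": "2024-05-01T02:10:00Z"},
    {"type": "limit_wc", "ip": "203.0.113.7", "user_name": "bob@example.com",
     "user_agent": "python-requests/2.31", "date": "2024-05-01T02:11:00Z"},
    {"type": "s", "ip": "198.51.100.4", "user_name": "alice@example.com",
     "user_agent": "Mozilla/5.0 (Macintosh)", "date": "2024-04-28T09:00:00Z"},
    {"type": "s", "ip": "198.51.100.4", "user_name": "alice@example.com",
     "user_agent": "Mozilla/5.0 (Macintosh)", "date": "2024-04-29T09:05:00Z"},
    {"type": "s", "ip": "203.0.113.7", "user_name": "alice@example.com",
     "user_agent": "python-requests/2.31", "date": "2024-05-01T02:20:00Z"},
    {"type": "s", "ip": "203.0.113.7", "user_name": "carol@example.com",
     "user_agent": "Mozilla/5.0 (Windows)", "date": "2024-05-01T03:00:00Z"},
    {"type": "s", "ip": "192.0.2.9", "user_name": "carol@example.com",
     "user_agent": "Mozilla/5.0 (Windows)", "date": "2024-04-30T08:00:00Z"},
]

# Event types emitted when anomaly detection blocks an IP (from the article).
BLOCK_TYPES = {"limit_mu", "limit_wc"}

def blocked_ips(logs):
    """Step 1: IPs that appear in limit_mu / limit_wc block events."""
    return {e["ip"] for e in logs if e["type"] in BLOCK_TYPES}

def successful_logins_from(logs, ips):
    """Step 2: successful logins (type s) originating from the blocked IPs."""
    return [e for e in logs if e["type"] == "s" and e["ip"] in ips]

def triage(logs):
    """Compare each candidate login's user agent with the same user's
    user agents on successful logins from non-blocked IPs.
    Returns (user, ip, verdict) tuples."""
    ips = blocked_ips(logs)
    baseline = defaultdict(set)
    for e in logs:
        if e["type"] == "s" and e["ip"] not in ips:
            baseline[e["user_name"]].add(e["user_agent"])
    results = []
    for e in successful_logins_from(logs, ips):
        known = baseline.get(e["user_name"], set())
        if not known:
            verdict = "no baseline"
        elif e["user_agent"] in known:
            verdict = "matches baseline"
        else:
            verdict = "deviates from baseline"
        results.append((e["user_name"], e["ip"], verdict))
    return results
```

With the sample data, alice's login from the blocked IP deviates from her usual user agent and warrants a closer look, while carol's login from the same IP matches her baseline and is more likely a legitimate user sharing that address.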