How do you triage if a brute-force attack succeeded?

(1) Identify successful login (event 4624) following multiple failures (event 4625) from same source IP. (2) Check legitimate use — was the user actually working at that time? Pull sign-in logs from M365/ADFS. (3) Geographic anomaly — login from country user has never used before. (4) Velocity check — was there a legitimate login from another country within hours? Impossible travel = compromised. (5) Post-login activity — what did the account do after login? Database queries? File downloads? Email sent to new addresses? (6) Force password reset, revoke sessions, MFA enrollment. (7) Hunt for other accounts brute-forced by same IP — likely campaign, not isolated incident. (8) Detection: write Sigma rule for 'failed authentication burst followed by success from same IP within 5 minutes'.

Want the full explanation? This is the atomic answer suitable for quick interview prep. For the structured deep-dive — including code samples, strong-answer vs weak-answer notes, common follow-up questions, and how this fits the larger soc analyst topic — see the full Q&A on Networkers Home:

→ SOC Analyst Interview Hub — Full Q&A with deep context

How Networkers Home prepares students for this kind of question

This question reflects real interview rounds at Bangalore's top product, BFSI, and GCC cybersecurity teams. Networkers Home's flagship courses include mock interview sessions drilling exactly these question patterns, with feedback from interviewers who have hired for the role.

→ View the complete soc analyst interview prep hub
→ View the related Networkers Home course
→ Book a free career consultation

How do you triage if a brute-force attack succeeded?

How Networkers Home prepares students for this kind of question

Related Investigation questions

Q. User clicked phishing link. What's your investigation flow?