Report

Detection Engineering Notes

Collected observations from a recent identity telemetry review.

Background

During routine review of authentication, VPN, and endpoint telemetry, a low-volume cluster of suspicious login activity stood out from normal workforce behavior. These notes capture the initial findings and the workflow used to validate them.

Methodology

Events were normalized across identity, VPN, and device telemetry over a 72-hour window, then grouped by user, source address, device posture, and MFA outcome.

Primary sources: Okta, VPN gateway, EDR
Window:          72h
Focus:           MFA failures, impossible travel, token reuse
Method:          Correlate user, IP, ASN, device, session

Observations

  1. Baseline behavior — Most users showed stable login geography, expected device posture, and predictable MFA completion patterns.
  2. MFA pressure — A small set of accounts received repeated push prompts from residential IP space spread across several ASNs.
  3. Session reuse — One stale service account token appeared in multiple sessions after normal operating hours, without a matching deployment event.

Next Steps

  • Roll out a geovelocity rule for privileged users
  • Require stronger conditional access for admin workflows
  • Add detections for suspicious token reuse and MFA fatigue clusters
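To make the methodology and the three planned detections concrete, the following Python sketch is an added example and not tooling from this review: it normalizes a handful of constructed events into the grouping keys listed under Methodology (user, IP, ASN, device, session, MFA outcome) and runs an MFA-fatigue cluster check, an after-hours token-reuse check correlated against deployment events, and a geovelocity (impossible travel) check. All field names, thresholds, the 10-minute prompt window, the business-hours range, and the one-hour deployment grace period are assumptions chosen for illustration.

```python
"""Toy detections over normalized identity telemetry (added example, not the report's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def parse(ts):
    return datetime.fromisoformat(ts)


def ev(ts, user, kind, **fields):
    """Build one normalized event; defaults model a managed corporate device (assumed schema)."""
    base = {"ts": ts, "user": user, "kind": kind, "ip": "198.51.100.5", "asn": "AS64501",
            "device": "corp-laptop", "session": None, "outcome": "success",
            "geo": (40.71, -74.01), "token": None}
    base.update(fields)
    return base


# Constructed sample events (not real telemetry); IPs are documentation ranges.
EVENTS = [
    # alice: six push prompts in six minutes from two residential ASNs -> MFA fatigue
    *[ev(f"2024-05-01T02:0{i}:00", "alice", "mfa_push", ip=f"203.0.113.{10 + i}", asn=asn,
         device="unknown", outcome="denied")
      for i, asn in zip(range(6), ["AS64500", "AS64502"] * 3)],
    # bob: one login and one approved push from his managed laptop (baseline behavior)
    ev("2024-05-01T09:00:00", "bob", "login", session="s-101"),
    ev("2024-05-01T09:00:05", "bob", "mfa_push", outcome="approved"),
    # carol: successful login from New York, then London thirty minutes later
    ev("2024-05-01T10:00:00", "carol", "login", session="s-201"),
    ev("2024-05-01T10:30:00", "carol", "login", session="s-202", ip="203.0.113.77",
       asn="AS64503", geo=(51.51, -0.13)),
    # svc-deploy: one token in three sessions at 23:xx with no deployment to explain it
    *[ev(f"2024-05-01T23:{m}:00", "svc-deploy", "token_use", token="t-9f3", session=f"s-30{n}")
      for n, m in ((1, "10"), (2, "12"), (3, "15"))],
    # svc-ci: token reused at 22:00, but a deployment by the same actor ten minutes earlier explains it
    ev("2024-05-01T22:00:00", "svc-ci", "token_use", token="t-4a1", session="s-401"),
    ev("2024-05-01T22:02:00", "svc-ci", "token_use", token="t-4a1", session="s-402"),
]
DEPLOYMENTS = [{"ts": "2024-05-01T21:50:00", "actor": "svc-ci"}]  # constructed CI/CD audit record


def mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5, min_asns=2):
    """Return {user: prompt_count} for users receiving at least `min_prompts` push prompts
    within `window` from at least `min_asns` distinct ASNs (the fatigue cluster pattern)."""
    prompts = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "mfa_push":
            prompts[e["user"]].append(e)
    hits = {}
    for user, evs in prompts.items():
        for i, first in enumerate(evs):
            run = [x for x in evs[i:] if parse(x["ts"]) - parse(first["ts"]) <= window]
            if len(run) >= min_prompts and len({x["asn"] for x in run}) >= min_asns:
                hits[user] = max(hits.get(user, 0), len(run))
    return hits


def token_reuse_after_hours(events, deployments, hours=(8, 18), grace=timedelta(hours=1)):
    """Return {token: sorted session ids} for tokens seen in more than one session outside
    business `hours` where no deployment by the same actor occurred within `grace` before use."""
    by_token = defaultdict(list)
    for e in events:
        if e["kind"] == "token_use":
            by_token[e["token"]].append(e)
    hits = {}
    for token, uses in by_token.items():
        sessions = {u["session"] for u in uses}
        after_hours = [u for u in uses if not hours[0] <= parse(u["ts"]).hour < hours[1]]
        if len(sessions) < 2 or not after_hours:
            continue
        explained = any(d["actor"] == u["user"]
                        and timedelta(0) <= parse(u["ts"]) - parse(d["ts"]) <= grace
                        for u in after_hours for d in deployments)
        if not explained:
            hits[token] = sorted(sessions)
    return hits


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900):
    """Return [(user, km, hours)] for consecutive successful logins whose implied speed exceeds max_kmh."""
    logins = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "login" and e["outcome"] == "success":
            logins[e["user"]].append(e)
    hits = []
    for user, evs in logins.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            hrs = (parse(cur["ts"]) - parse(prev["ts"])).total_seconds() / 3600
            if hrs > 0 and km / hrs > max_kmh:
                hits.append((user, round(km), round(hrs, 2)))
    return hits


if __name__ == "__main__":
    print("MFA fatigue clusters:", mfa_fatigue(EVENTS))
    print("Token reuse after hours:", token_reuse_after_hours(EVENTS, DEPLOYMENTS))
    print("Impossible travel:", impossible_travel(EVENTS))
```

Each detector returns structured hits rather than printing, so the same functions can be fed from a real SIEM export once the field mapping matches. The deployment correlation is what separates the stale-token finding from routine automation: the svc-ci reuse at 22:00 is suppressed because a deployment record precedes it, while the svc-deploy reuse has no such explanation and surfaces as a hit.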

Further analysis is pending log enrichment and follow-up scoping.