
How to Triage User Malicious Activity via ConnectWise Service Ticket generated by Octiga? (1/2)

When you see that an Octiga "Alert Suspicious Activity" service ticket has been generated in your ConnectWise instance, how can you triage whether the flagged user activities are dangerous or safe?

An example of a suggested procedure for triaging the ticket and quickly taking action between ConnectWise Manage and Octiga is shown below:

  1. Open the service ticket and view the details (Ref. to image 1)

  2. Look at the notes (Ref. to image 1)

    • check each activity's operation type and workload (Ex. User Logged In (Azure Active Directory))

    • check which country each activity originated from and the number of occurrences

  3. Click on the hyperlink 'Click Here to view User Details' under the Initial Description, which will redirect you to Octiga in a new tab and point you to the detail view where you can see all the activity summaries and details from that user. (Ref. to image 1)

  4. Click on the badge to open the event details modal and check the user's recent critical/danger events. (Ref. to image 2)

  5. Navigate to adjacent dates in the chart and check those events' details by clicking the event items at the bottom. (Ref. to image 3)
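The checks in step 2 (operation type, workload, country of origin, number of occurrences) are easy to automate once the ticket notes are in a structured form. The following is an added example, not Octiga's or ConnectWise's own code. It assumes a constructed note-line layout of the form `Operation (Workload) - Country: XX - Occurrences: N`, which is an assumption for this example and not Octiga's real note format, and it uses two triage heuristics that are also assumptions: activity from outside the tenant's expected countries, and a single operation type seen from more than one country.

```python
import re
from collections import Counter, defaultdict

# Constructed sample notes (not real ticket data). The line layout is an
# assumption for this example, not Octiga's actual note format.
SAMPLE_NOTES = """\
User Logged In (Azure Active Directory) - Country: IE - Occurrences: 12
User Logged In (Azure Active Directory) - Country: NG - Occurrences: 3
File Downloaded (SharePoint) - Country: NG - Occurrences: 40
Mailbox Rule Created (Exchange) - Country: NG - Occurrences: 1
"""

# One note line: operation, workload in parentheses, ISO country code, count.
LINE_RE = re.compile(
    r"^(?P<op>[^(]+?) \((?P<workload>[^)]+)\) - Country: (?P<country>[A-Z]{2})"
    r" - Occurrences: (?P<count>\d+)$"
)


def parse_notes(text):
    """Parse note lines into dicts; lines that do not match the layout are skipped."""
    activities = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            activity = m.groupdict()
            activity["count"] = int(activity["count"])
            activities.append(activity)
    return activities


def summarise(activities):
    """Total occurrences per country, and the set of countries per (operation, workload)."""
    by_country = Counter()
    countries_by_op = defaultdict(set)
    for a in activities:
        by_country[a["country"]] += a["count"]
        countries_by_op[(a["op"], a["workload"])].add(a["country"])
    return by_country, countries_by_op


def triage_flags(activities, home_countries):
    """Return reasons the ticket warrants escalation rather than closure.

    Heuristics (assumptions for this example, not an Octiga rule set):
      - any activity from a country outside the expected set
      - one operation type observed from more than one country
    An empty list means nothing in the notes stood out on these checks.
    """
    flags = []
    by_country, countries_by_op = summarise(activities)
    for country, n in sorted(by_country.items()):
        if country not in home_countries:
            flags.append(f"{n} event(s) from unexpected country {country}")
    for (op, workload), countries in sorted(countries_by_op.items()):
        if len(countries) > 1:
            flags.append(
                f"{op} ({workload}) seen from {len(countries)} countries: "
                + ", ".join(sorted(countries))
            )
    return flags


if __name__ == "__main__":
    acts = parse_notes(SAMPLE_NOTES)
    for flag in triage_flags(acts, home_countries={"IE"}):
        print("ESCALATE:", flag)
```

With the constructed notes and `{"IE"}` as the expected country set, the script reports 44 events from NG and a login operation seen from two countries, which is the kind of finding that sends you on to steps 3 to 5 (the user's detail view and recent critical events) rather than closing the ticket.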