Investigating Suspicious Login Activity

Overview

Suspicious login investigation combines Auth Log, Security Dashboard, Activity Log, IP information, device data, and user risk indicators.

What this feature does

It gives administrators a practical workflow for reviewing login events that may indicate account compromise or attempted attack.

Why it is useful

• It helps avoid overreacting to isolated events.
• It helps identify genuine threats faster.
• It connects authentication data with later activity inside the CRM.

Who should read this?

RISE Admin, Security Officer, System Owner, Support Engineer.

Where to find it

Rise Audit Pro → Auth Log, Security Dashboard, Activity Log, User Risk Scores, and Session Timeline.

How to use it

1. Start with the suspicious login or failed login event.
2. Review IP address, country, user agent, and timestamp.
3. Check whether the same user performed sensitive actions after login.
4. Review other events from the same IP address.
5. Check User Risk Scores or Security Dashboard.
6. Document the result and take action if needed.

Example workflow

A successful login appears from a new country. The admin checks whether the user performed invoice changes after login, compares device information, contacts the user, and resets the password if the login is not recognized.

Recommended investigation checklist

• Was the login successful or failed?
• Is the country or IP expected?
• Is the device or browser normal for the user?
• Did sensitive activity happen after login?
• Are there repeated attempts against the same user or from the same IP?
• Does the user confirm the login?

Screenshot

Common mistakes

• Looking at Auth Log without checking Activity Log.
• Ignoring successful logins from unusual locations.
• Not documenting the final investigation result.
• Sharing sensitive security data outside authorized roles.

Related articles

• New Country Login Detection
• User Risk Scores
• Activity Log Overview
• Session Timeline