June 10, 2026
The Login From India — and Why I Didn’t Close the Alert
Some alerts close themselves.
Melike Fazlioglu | SOC Analyst
You look at them, check the basics, and within two minutes you know: false positive. Mark it, move on. There are fifty more in the queue.
This one didn't close itself.
---
It came in during a normal shift. A successful authentication — nothing blocked, nothing failed. But the location caught my eye.
India.
I checked the user's login history. Weeks of activity, always from the same region, same patterns. This was the first time I'd ever seen India in that list.
That's the thing about location anomalies. The alert alone doesn't tell you much. A VPN, a travelling employee, a misconfigured IP lookup — there are plenty of innocent explanations. The alert is just a question. Your job is to answer it properly.
---
I pulled the audit logs. Checked the login details, the device fingerprint, the session behaviour. Nothing was obviously wrong — but nothing was obviously right either.
I tried to reach the user directly. No response.
So I escalated to their manager.
That's when I found out: the user was on holiday. In India.
---
Case closed, right?
Not quite.
Even after I knew the explanation, I kept watching. Holidays are exactly when attackers move — when someone is out of routine, distracted, logging in from unfamiliar networks. A hotel WiFi. An airport lounge. Environments you don't control.
So I kept an eye on the account activity while the user was away. Monitored for anything that looked out of pattern — unusual access times, sensitive data queries, permission changes.
Nothing came of it. The trip ended, the user came back, the alert stayed closed.
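The two steps described above, a first-time-seen-country check against a user's login baseline and an out-of-pattern watch on the account while the user is travelling, can be written down as plain detection logic. The following is an added example, not code from the original post or from any product the author uses. The log records, user names, country codes, resource names and the work-hours window are all constructed here for illustration; a real deployment would read from the identity provider's audit export and take the baseline working hours from the user's own history rather than a fixed UTC window.

```python
"""Added example: new-location triage plus a travel-window watch over constructed events."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample authentication events (not real logs). Timestamps are UTC.
AUTH_EVENTS = [
    {"user": "alice", "ts": "2026-05-18T08:02:00Z", "country": "TR", "result": "success"},
    {"user": "alice", "ts": "2026-05-19T08:10:00Z", "country": "TR", "result": "success"},
    {"user": "alice", "ts": "2026-05-20T07:58:00Z", "country": "TR", "result": "success"},
    {"user": "alice", "ts": "2026-05-21T08:05:00Z", "country": "TR", "result": "success"},
    {"user": "alice", "ts": "2026-06-02T13:40:00Z", "country": "IN", "result": "success"},
    {"user": "bob",   "ts": "2026-05-20T09:00:00Z", "country": "DE", "result": "success"},
    {"user": "bob",   "ts": "2026-06-02T09:15:00Z", "country": "DE", "result": "success"},
]

# Constructed activity events for the account during the user's holiday window.
ACTIVITY_EVENTS = [
    {"user": "alice", "ts": "2026-06-03T09:12:00Z", "action": "read",       "resource": "wiki/onboarding"},
    {"user": "alice", "ts": "2026-06-04T02:47:00Z", "action": "read",       "resource": "hr/payroll-export"},
    {"user": "alice", "ts": "2026-06-04T02:49:00Z", "action": "role_grant", "resource": "iam/role:admin"},
    {"user": "alice", "ts": "2026-06-05T10:00:00Z", "action": "read",       "resource": "wiki/holiday-policy"},
]

# Hypothetical classification lists; a real environment would derive these from its own asset inventory.
SENSITIVE_PREFIXES = ("hr/", "finance/", "iam/")
PERMISSION_ACTIONS = {"role_grant", "role_revoke", "policy_change", "mfa_reset"}


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the constructed events into aware UTC datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_seen_country_alerts(events, min_history=3):
    """Flag a successful login from a country never seen before for that user.

    The check only fires once the user has at least `min_history` earlier successful
    logins, so a brand-new account (no baseline yet) does not flood the queue.
    Each alert carries the user's prior countries so the analyst sees the baseline
    the login was compared against, which is the question the alert is really asking.
    """
    seen = {}      # user -> Counter of countries across prior successful logins
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["result"] != "success":
            continue
        hist = seen.setdefault(ev["user"], Counter())
        if sum(hist.values()) >= min_history and ev["country"] not in hist:
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "country": ev["country"], "baseline": sorted(hist)})
        hist[ev["country"]] += 1
    return alerts


def travel_watch(events, user, window_start, window_end, work_hours=(6, 20)):
    """Review one user's activity inside a known travel window and tag anything out of pattern.

    Three signals from the post: access outside the user's usual hours, access to
    sensitive resources, and permission changes. `work_hours` is an assumed UTC
    window chosen to match the constructed baseline (~08:00 UTC logins).
    """
    start, end = parse_ts(window_start), parse_ts(window_end)
    findings = []
    for ev in events:
        if ev["user"] != user:
            continue
        t = parse_ts(ev["ts"])
        if not (start <= t <= end):
            continue
        reasons = []
        if not (work_hours[0] <= t.hour < work_hours[1]):
            reasons.append("off-hours")
        if ev["resource"].startswith(SENSITIVE_PREFIXES):
            reasons.append("sensitive-resource")
        if ev["action"] in PERMISSION_ACTIONS:
            reasons.append("permission-change")
        if reasons:
            findings.append({"ts": ev["ts"], "action": ev["action"],
                             "resource": ev["resource"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for a in first_seen_country_alerts(AUTH_EVENTS):
        print("new-location login:", a)
    for f in travel_watch(ACTIVITY_EVENTS, "alice", "2026-06-02T00:00:00Z", "2026-06-10T23:59:59Z"):
        print("travel-watch finding:", f)
```

On the constructed data the first routine raises exactly one alert (alice, IN, baseline TR) and stays quiet for bob, whose history is too short to compare against. The second routine ignores the daytime wiki reads and surfaces the two 02:47/02:49 UTC events, the payroll export read and the admin role grant, each tagged with every reason that applied. Tagging all reasons rather than stopping at the first is deliberate: an off-hours read on its own is the hotel-WiFi case, while off-hours plus a permission change is what should pull the analyst back to the account.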
---
But here's what I want you to take from this:
The right call wasn't just "user is on holiday, close the alert."
The right call was: verify, then stay curious.
Because the answer to "is this suspicious?" is sometimes "not this time." But getting to that answer properly — checking the logs, trying to reach the user, looping in the manager, monitoring the account — that's not overcautious. That's the job.
A false positive handled carelessly is just a breach you didn't catch yet.
---
I work in security operations, investigating alerts across enterprise environments. Follow for more real-world SOC perspectives.