Spike in Logon Events

A machine learning job found an unusually large spike in successful authentication events. This can be caused by password spraying, user enumeration, or brute-force activity.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule. This file carries packaging metadata and
# alerting parameters only; the detection logic lives in the referenced ML job.
[metadata]
creation_date = "2021/06/10"
# Integrations whose data the ML job consumes. If none of these ship
# authentication events, the job has nothing to score and the rule stays silent.
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/07/27"
# Why min_stack_version is pinned: the rule schema fields named here first
# appear in that stack version.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
# Minimum anomaly score (0-100) an ML result must reach before an alert is
# raised. Raising it trims low-score noise; lowering it surfaces weaker spikes
# at the cost of more false positives.
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job found an unusually large spike in successful authentication events. This can be due to password
spraying, user enumeration or brute force activity.
"""
# Known benign sources. Check the alerting host/account against these (and any
# scheduled security testing) before escalating.
false_positives = [
    """
    Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or
    password spraying activities may trigger this alert.
    """,
]
# Each 15m run looks back 30m, so consecutive runs overlap by 15m. The overlap
# presumably exists to catch ML results that are written after the run that
# would first have covered them — confirm against the ML job's bucket span.
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
# Prebuilt ML job whose anomaly records this rule alerts on. The job must be
# installed and started for the rule to produce alerts (see references).
machine_learning_job_id = "auth_high_count_logon_events"
name = "Spike in Logon Events"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
# 21 is the risk score Elastic pairs with severity "low"; keep the two in step.
risk_score = 21
rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9"
severity = "low"
# Both "Rule Type: ML" and "Rule Type: Machine Learning" are present —
# presumably for tag compatibility across stack versions; confirm before
# pruning either.
tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
# No query key: a machine_learning rule alerts on the job's anomaly results
# filtered by anomaly_threshold above.
type = "machine_learning"

# MITRE ATT&CK mapping: a logon spike is treated as a possible Brute Force
# (T1110) indicator under the Credential Access tactic (TA0006).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules
