Spike in Logon Events
A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.
Elastic rule
```toml
[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job found an unusually large spike in successful authentication events. This can be due to password
spraying, user enumeration or brute force activity.
"""
false_positives = [
    """
    Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or
    password spraying activities may trigger this alert.
    """,
]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "auth_high_count_logon_events"
name = "Spike in Logon Events"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```
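To show what "a spike in successful logon events" looks like in data, and how the CI/build-server false positive in the rule can be handled, here is an added example that is not part of the Elastic rule or its ML job: it buckets constructed authentication events into the rule's 15-minute interval and flags a bucket whose success count far exceeds the median of earlier buckets. The event tuple layout, the 5x-median threshold and the host allowlist are assumptions for illustration, not the job's actual model.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median


def build_sample_events():
    """Constructed sample (not real telemetry): (timestamp, host, outcome) tuples.
    Eight quiet 15-minute buckets with two successes each, then one bucket with
    a burst of 40 successful logons from a single host."""
    base = datetime(2023, 7, 27, 8, 0)
    events = []
    for b in range(8):
        t = base + timedelta(minutes=15 * b)
        events += [(t, "ws-01", "success"),
                   (t + timedelta(minutes=5), "ws-02", "success"),
                   (t + timedelta(minutes=7), "ws-03", "failure")]
    burst = base + timedelta(minutes=15 * 8)  # 10:00
    events += [(burst + timedelta(seconds=10 * i), "ws-09", "success") for i in range(40)]
    return events


def bucket_success_counts(events, bucket_minutes=15, ignore_hosts=()):
    """Count successful logons per bucket; ignore_hosts is an assumed allowlist
    for known build/CI servers (the rule's documented false-positive source)."""
    counts = Counter()
    for ts, host, outcome in events:
        if outcome != "success" or host in ignore_hosts:
            continue
        bucket = ts.replace(second=0, microsecond=0)
        bucket -= timedelta(minutes=bucket.minute % bucket_minutes)
        counts[bucket] += 1
    return dict(sorted(counts.items()))


def find_spikes(counts, min_baseline=4, factor=5.0):
    """Flag buckets whose count exceeds factor * median of the preceding buckets.
    Returns (bucket_start, count, baseline_median) for each flagged bucket."""
    spikes, history = [], []
    for bucket, n in counts.items():
        if len(history) >= min_baseline:
            baseline = median(history)
            if n > factor * max(baseline, 1):
                spikes.append((bucket, n, baseline))
        history.append(n)
    return spikes


if __name__ == "__main__":
    for bucket, n, baseline in find_spikes(bucket_success_counts(build_sample_events())):
        print(f"{bucket:%H:%M} successes={n} baseline_median={baseline}")
```

Running it reports only the 10:00 bucket; passing `ignore_hosts=("ws-09",)` suppresses the alert, which is the kind of allowlisting a tuned deployment applies for known build servers.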
Related rules
- Spike in Failed Logon Events
- Spike in Successful Logon Events from a Source IP
- Unusual Login Activity
- Rare User Logon
- Unusual Hour for a User to Logon