Unusual Login Activity

  1[metadata]
  2creation_date = "2020/03/25"
  3integration = ["auditd_manager", "endpoint", "system"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8anomaly_threshold = 50
  9author = ["Elastic"]
 10description = "Identifies an unusually high number of authentication attempts."
 11false_positives = [
 12    """
 13    Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured
 14    applications or account lockouts could trigger this alert.
 15    """,
 16]
 17from = "now-45m"
 18interval = "15m"
 19license = "Elastic License v2"
 20machine_learning_job_id = "suspicious_login_activity"
 21name = "Unusual Login Activity"
 22setup = """## Setup
 23
 24This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
 25- Elastic Defend
 26- Auditd Manager
 27- System
 28
 29### Anomaly Detection Setup
 30
 31Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
 32
 33### Elastic Defend Integration Setup
 34Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 35
 36#### Prerequisite Requirements:
 37- Fleet is required for Elastic Defend.
 38- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 39
 40#### The following steps should be executed in order to add the Elastic Defend integration to your system:
 41- Go to the Kibana home page and click "Add integrations".
 42- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 43- Click "Add Elastic Defend".
 44- Configure the integration name and optionally add a description.
 45- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 46- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 47- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 48- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 49For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 50- Click "Save and Continue".
 51- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 52For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 53
 54### Auditd Manager Integration Setup
 55The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
 56Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
 57
 58#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
 59- Go to the Kibana home page and click “Add integrations”.
 60- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
 61- Click “Add Auditd Manager”.
 62- Configure the integration name and optionally add a description.
 63- Review optional and advanced settings accordingly.
 64- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 65- Click “Save and Continue”.
 66- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
 67
 68#### Rule Specific Setup Note
 69Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
 70However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
 71- For this detection rule no additional audit rules are required.
 72
 73### System Integration Setup
 74The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
 75
 76#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
 77- Go to the Kibana home page and click “Add integrations”.
 78- In the query bar, search for “System” and select the integration to see more details about it.
 79- Click “Add System”.
 80- Configure the integration name and optionally add a description.
 81- Review optional and advanced settings accordingly.
 82- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
 83- Click “Save and Continue”.
 84- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
 85"""
 86references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 87risk_score = 21
 88rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
 89severity = "low"
 90tags = [
 91    "Use Case: Identity and Access Audit",
 92    "Use Case: Threat Detection",
 93    "Rule Type: ML",
 94    "Rule Type: Machine Learning",
 95    "Tactic: Credential Access",
 96    "Resources: Investigation Guide",
 97]
 98type = "machine_learning"
 99note = """## Triage and analysis
100
101> **Disclaimer**:
102> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
103
104### Investigating Unusual Login Activity
105The 'Unusual Login Activity' detection leverages machine learning to identify anomalies in authentication patterns, flagging potential brute force attacks. Adversaries exploit credential access by attempting numerous logins to gain unauthorized entry. This rule assesses login frequency and patterns, alerting analysts to deviations indicative of credential abuse, thus enhancing threat detection and identity audit processes.
106
107### Possible investigation steps
108
109- Review the source IP addresses associated with the unusual login attempts to determine if they are known or suspicious.
110- Check the user accounts involved in the alert for any recent changes or unusual activity, such as password resets or privilege escalations.
111- Analyze the timestamps of the login attempts to identify patterns or timeframes that may indicate automated or scripted attacks.
112- Correlate the login attempts with other security events or logs to identify any concurrent suspicious activities, such as failed login attempts or access to sensitive resources.
113- Investigate the geographic locations of the login attempts to see if they align with the user's typical login behavior or if they suggest potential compromise.
114- Assess the risk score and severity of the alert in the context of the organization's security posture and any ongoing threats or incidents.
115
116### False positive analysis
117
118- High login activity from automated scripts or scheduled tasks can trigger false positives. Identify and whitelist these known scripts to prevent unnecessary alerts.
119- Employees using shared accounts may cause an increase in login attempts. Implement user-specific accounts and monitor shared account usage to reduce false positives.
120- Frequent logins from IT personnel conducting routine maintenance can be misinterpreted as unusual activity. Exclude these users or adjust thresholds for specific roles to minimize false alerts.
121- Users with legitimate reasons for high login frequency, such as customer support staff, should be identified and their activity patterns analyzed to adjust detection parameters accordingly.
122- Remote workers using VPNs or accessing systems from multiple locations might trigger alerts. Consider location-based exceptions for known remote access points to avoid false positives.
123
124### Response and remediation
125
126- Immediately isolate the affected user accounts to prevent further unauthorized access and contain the threat.
127- Reset passwords for the compromised accounts and enforce multi-factor authentication (MFA) to enhance security.
128- Conduct a thorough review of recent login activity and access logs to identify any unauthorized access or data exfiltration.
129- Notify the security operations team to monitor for any further suspicious activity and ensure continuous surveillance of the affected systems.
130- Escalate the incident to the incident response team if there is evidence of data compromise or if the attack persists despite initial containment efforts.
131- Implement additional monitoring rules to detect similar brute force attempts in the future, focusing on login frequency and patterns.
132- Review and update access controls and authentication policies to prevent recurrence, ensuring they align with best practices for credential security."""
133[[rule.threat]]
134framework = "MITRE ATT&CK"
135[[rule.threat.technique]]
136id = "T1110"
137name = "Brute Force"
138reference = "https://attack.mitre.org/techniques/T1110/"
139
140
141[rule.threat.tactic]
142id = "TA0006"
143name = "Credential Access"
144reference = "https://attack.mitre.org/tactics/TA0006/"