Unusual Login Activity

Identifies an unusually high number of authentication attempts.


# Elastic prebuilt detection rule "Unusual Login Activity".
# The rule type is machine_learning, so this file carries no query of its own:
# it presumably alerts when a result from the named ML job scores at or above
# anomaly_threshold. The job itself (datafeed, bucket span, detectors) is
# defined outside this file -- see the references entry under [rule].
[metadata]
creation_date = "2020/03/25"
# Data sources the backing ML job is expected to consume. Without at least one
# of these integrations shipping authentication events, the job has no input
# and the rule can never fire.
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
# Minimum job anomaly score at which a result is promoted to an alert.
# NOTE(review): Elastic ML anomaly scores are reported on a 0-100 scale, so 50
# keeps only medium-or-higher anomalies; lowering it surfaces more,
# lower-confidence bursts at the cost of the false positives listed below.
# Tune against the job's observed score distribution, not by guesswork.
anomaly_threshold = 50
author = ["Elastic"]
description = "Identifies an unusually high number of authentication attempts."
# Known benign causes of authentication bursts. An alert from this rule alone is
# low confidence (see risk_score / severity); triage by correlating the source
# host and account with other Credential Access detections.
# NOTE(review): the closing quotes sit on an indented line, so this multi-line
# basic string carries leading/trailing whitespace in its value; presumably the
# rule tooling normalizes that -- confirm if the text is ever compared verbatim.
false_positives = [
    """
    Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured
    applications or account lockouts could trigger this alert.
    """,
]
# Scheduling: the rule runs every 15 minutes but looks back 45 minutes, so each
# job result falls inside three consecutive runs. NOTE(review): the overlap is
# presumably there to absorb ingestion and ML bucket-processing delay -- confirm
# the lookback still covers the job's bucket_span if either value is changed.
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
# Prebuilt ML job this rule reads from. The job must be installed and running on
# the cluster for the rule to produce anything, so job health should be
# monitored alongside the rule itself.
machine_learning_job_id = "suspicious_login_activity"
name = "Unusual Login Activity"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
severity = "low"
tags = [
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    # Both spellings of the rule-type tag are present. NOTE(review): the older
    # "ML" form is presumably kept so existing saved filters keep matching --
    # confirm before dropping either one.
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Credential Access",
]
type = "machine_learning"
# ATT&CK mapping. Only the parent technique T1110 is mapped; no sub-technique
# (password guessing, spraying, stuffing) is asserted, which is consistent with
# a volume-based anomaly that cannot tell them apart.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


# Sub-table of the single [[rule.threat]] element above: in TOML a [a.b.c]
# header that follows an [[a.b]] element attaches to that most recent element.
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
