Unusual Login Activity

Identifies an unusually high number of authentication attempts.


# Elastic prebuilt detection rule "Unusual Login Activity".
# [metadata] describes the rule file itself (lifecycle dates, stack
# requirements); [rule] below is what the Security app actually loads.
[metadata]
creation_date = "2020/03/25"
# Integrations whose data the rule depends on — presumably the sources of the
# authentication events the ML job models; confirm against the job config.
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/07/27"
# Explains why min_stack_version is pinned where it is: the rule relies on
# fields that older stacks would reject. Note: no `setup` key appears in this
# rule body, so the ML job must be provisioned separately — verify.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
# Minimum ML anomaly score (Elastic ML scores 0–100) an anomaly record must
# reach before it becomes an alert. 50 is a moderate bar; lowering it trades
# noise for sensitivity, so tune only after reviewing false-positive volume.
anomaly_threshold = 50
author = ["Elastic"]
description = "Identifies an unusually high number of authentication attempts."
# Triage guidance: before escalating, check whether the burst coincides with a
# scheduled audit, a misconfigured client retrying, or an account-lockout loop.
# The leading indentation inside the multi-line string is part of the value;
# the rule loader presumably normalises it — confirm.
false_positives = [
    """
    Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured
    applications or account lockouts could trigger this alert.
    """,
]
# Runs every 15 minutes but looks back 45 minutes: the 30-minute overlap
# presumably allows the ML job's buckets to finalise so late results are not
# missed — confirm against the job's bucket span. Overlapping windows rely on
# the alerting framework to de-duplicate anomalies already alerted on.
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
# The ML job whose anomaly results this rule reads. If the job is not installed
# and running, the rule silently produces nothing — monitor job health alongside
# the rule. The job is expected to come from the prebuilt ML jobs linked under
# `references`.
machine_learning_job_id = "suspicious_login_activity"
name = "Unusual Login Activity"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
# Low on its own: a burst of authentication attempts is a lead to correlate
# with subsequent successful logins from the same source, not a confirmed
# compromise.
risk_score = 21
# Stable identifier; alert history and exception lists are keyed to it, so it
# must never change across updates (bump `updated_date` instead).
rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
severity = "low"
# Both "Rule Type: ML" and "Rule Type: Machine Learning" are present —
# presumably the older and newer tag spellings kept for compatibility; confirm.
tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
# A machine_learning rule has no query: `anomaly_threshold` and
# `machine_learning_job_id` fully determine what it matches.
type = "machine_learning"

# ATT&CK mapping: the technique and tactic headers below belong to this single
# [[rule.threat]] element (sub-tables of the current array entry).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
