Unusual Source IP for a User to Logon from

A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/06/10"
 3maturity = "production"
 4updated_date = "2023/03/06"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7
 8[rule]
 9anomaly_threshold = 75
10author = ["Elastic"]
11description = """
12A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to
13credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual
14source IP address for a username could also be due to lateral movement when a compromised account is used to pivot
15between hosts.
16"""
17false_positives = ["Business travelers who roam to new locations may trigger this alert."]
18from = "now-30m"
19interval = "15m"
20license = "Elastic License v2"
21machine_learning_job_id = "auth_rare_source_ip_for_a_user"
22name = "Unusual Source IP for a User to Logon from"
23references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
24risk_score = 21
25rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b"
26severity = "low"
27tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Initial Access"]
28type = "machine_learning"
29
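# MITRE ATT&CK mapping. Listing repaired: fused gutter line numbers removed
# and the stray double blank line collapsed.
# NOTE(review): the description also cites lateral movement, but only the
# Initial Access tactic is mapped here — confirm whether a second
# [[rule.threat]] entry is intended.
[[rule.threat]]
framework = "MITRE ATT&CK"

# Technique and tactic below are sub-tables of this [[rule.threat]] element and
# must stay between this header and any following [[rule.threat]].
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"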
