Unusual Source IP for a User to Logon from

A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.

Elastic rule

[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to
credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual
source IP address for a username could also be due to lateral movement when a compromised account is used to pivot
between hosts.
"""
false_positives = ["Business travelers who roam to new locations may trigger this alert."]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "auth_rare_source_ip_for_a_user"
name = "Unusual Source IP for a User to Logon from"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
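A simplified per-user rarity check in the spirit of this rule, written here as an added example (it is not Elastic's ML job, which scores events with a probabilistic model): it learns each user's source IPs from a constructed history and flags logons whose score meets the rule's anomaly_threshold of 75. The baseline, the event list and the scoring formula are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict

ANOMALY_THRESHOLD = 75  # mirrors the rule's anomaly_threshold

# Constructed baseline of (user.name, source.ip) pairs standing in for the
# job's learned history; not real telemetry.
BASELINE = (
    [("alice", "10.0.0.5")] * 8 + [("alice", "10.0.0.6")] * 2
    + [("bob", "192.168.1.20")] * 5
)

# Constructed logon events from the current evaluation window.
NEW_EVENTS = [
    ("alice", "10.0.0.5"),    # her usual address
    ("alice", "10.0.0.6"),    # rarely used but known (e.g. travel)
    ("bob", "203.0.113.9"),   # never seen for bob
    ("carol", "10.0.0.7"),    # no history for this user at all
]

def build_baseline(events):
    """Count how often each user logged on from each source IP."""
    per_user = defaultdict(Counter)
    for user, ip in events:
        per_user[user][ip] += 1
    return per_user

def rarity_score(per_user, user, ip):
    """Simplified stand-in for the job's anomaly score, 0..100.

    100 means the IP has never been seen for this user; the larger the
    share of the user's logons from this IP, the lower the score. A user
    with no history cannot be scored and gets 0 (a real job also needs a
    baseline before it can flag anything for that user)."""
    counts = per_user.get(user)
    if not counts:
        return 0
    total = sum(counts.values())
    return round(100 * (1 - counts[ip] / total))  # Counter -> 0 if unseen

def evaluate(per_user, events, threshold=ANOMALY_THRESHOLD):
    """Return (user, ip, score) for every event at or above the threshold."""
    alerts = []
    for user, ip in events:
        score = rarity_score(per_user, user, ip)
        if score >= threshold:
            alerts.append((user, ip, score))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(build_baseline(BASELINE), NEW_EVENTS):
        print("alert: user=%s source.ip=%s score=%d" % alert)
```

Note that alice's rarely used but known address still scores 80 and alerts, which is the roaming-user false positive the rule's false_positives field describes.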
