Potential Account Takeover - Logon from New Source IP

 1[metadata]
 2creation_date = "2026/02/25"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2026/03/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different
11source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover
12or use of stolen credentials from a new location.
13"""
14from = "now-15m"
15interval = "14m"
16language = "esql"
17license = "Elastic License v2"
18name = "Potential Account Takeover - Logon from New Source IP"
19note = """## Triage and analysis
20
21### Investigating Potential Account Takeover - Logon from New Source IP
22
23An account that historically logs in many times from a single source IP (e.g. usual workstation or VPN) and then shows successful logons from exactly one other IP with a low count may indicate credential compromise and use from a new location (account takeover).
24
25### Possible investigation steps
26
27- Confirm with the account owner whether they recently logged in from the new source IP or from a new device/location.
28- Check the new source IP for reputation, geography, and whether it is expected (e.g. corporate VPN range vs unknown).
29- Correlate with other alerts for the same user or source IP (e.g. logon failures, password changes, MFA changes).
30- Review timeline: if the "new" IP logon is very recent compared to the high-count IP, treat as higher priority.
31
32### False positive analysis
33
34- Legitimate use from a second device (e.g. new laptop, second office, VPN from travel) can produce exactly two IPs with one IP having few logons. Tune threshold (e.g. max_logon >= 100) or add exclusions for known VPN/remote ranges if needed.
35- Service or shared accounts that are used from multiple jump hosts or scripts may show two IPs; consider excluding known service accounts.
36
37### Response and remediation
38
39- If takeover is confirmed: force password reset, revoke sessions, and enable or enforce MFA. Disable or lock the account until the user verifies identity.
40- Investigate how credentials may have been compromised (phishing, breach, endpoint) and address the vector.
41"""
42references = ["https://attack.mitre.org/techniques/T1078/"]
43risk_score = 47
44rule_id = "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d"
45severity = "medium"
46tags = [
47    "Domain: Endpoint",
48    "OS: Windows",
49    "Use Case: Threat Detection",
50    "Tactic: Privilege Escalation",
51    "Data Source: Windows Security Event Logs",
52    "Resources: Investigation Guide",
53]
54timestamp_override = "event.ingested"
55type = "esql"
56
57query = '''
58from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
59| where event.category == "authentication" and event.action == "logged-in" and winlog.event_id == "4624" and 
60        event.outcome == "success" and winlog.logon.type in ("Network", "RemoteInteractive") and 
61		source.ip is not null and source.ip != "127.0.0.1" and not to_string(source.ip) like "*::*" and not user.name like "*$"
62| stats logon_count = COUNT(*), host_names = VALUES(host.name) by user.name, user.id, source.ip
63| stats 
64    Esql.max_logon = MAX(logon_count),
65    Esql.min_logon = MIN(logon_count),
66    Esql.unique_host_count = COUNT_DISTINCT(host_names),
67    Esql.host_name_values = VALUES(host_names),
68    Esql.source_ip_values = VALUES(source.ip),
69    Esql.count_distinct_source_ip = COUNT_DISTINCT(source.ip) by user.name, user.id
70
71// high count of logons is often associated with service account tied to a specific source.ip, if observed in use from a new source.ip it's suspicious
72| where Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and Esql.min_logon <= 5) and Esql.count_distinct_source_ip == 2 and Esql.unique_host_count >= 2
73| eval source.ip = MV_FIRST(Esql.source_ip_values), host.name = MV_FIRST(Esql.host_name_values)
74| KEEP user.name, user.id, host.name, source.ip, Esql.*
75'''
76
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79[[rule.threat.technique]]
80id = "T1078"
81name = "Valid Accounts"
82reference = "https://attack.mitre.org/techniques/T1078/"
83
84
85[rule.threat.tactic]
86id = "TA0004"
87name = "Privilege Escalation"
88reference = "https://attack.mitre.org/tactics/TA0004/"