Potential Account Takeover - Logon from New Source IP
Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.
Elastic rule:
```toml
[metadata]
creation_date = "2026/02/25"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/02/25"

[rule]
author = ["Elastic"]
description = """
Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different
source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover
or use of stolen credentials from a new location.
"""
from = "now-30m"
interval = "15m"
language = "esql"
license = "Elastic License v2"
name = "Potential Account Takeover - Logon from New Source IP"
note = """## Triage and analysis

### Investigating Potential Account Takeover - Logon from New Source IP

An account that historically logs in many times from a single source IP (e.g. usual workstation or VPN) and then shows successful logons from exactly one other IP with a low count may indicate credential compromise and use from a new location (account takeover).

### Possible investigation steps

- Confirm with the account owner whether they recently logged in from the new source IP or from a new device/location.
- Check the new source IP for reputation, geography, and whether it is expected (e.g. corporate VPN range vs unknown).
- Correlate with other alerts for the same user or source IP (e.g. logon failures, password changes, MFA changes).
- Review timeline: if the "new" IP logon is very recent compared to the high-count IP, treat as higher priority.

### False positive analysis

- Legitimate use from a second device (e.g. new laptop, second office, VPN from travel) can produce exactly two IPs with one IP having few logons. Tune threshold (e.g. max_logon >= 100) or add exclusions for known VPN/remote ranges if needed.
- Service or shared accounts that are used from multiple jump hosts or scripts may show two IPs; consider excluding known service accounts.

### Response and remediation

- If takeover is confirmed: force password reset, revoke sessions, and enable or enforce MFA. Disable or lock the account until the user verifies identity.
- Investigate how credentials may have been compromised (phishing, breach, endpoint) and address the vector.
"""
references = ["https://attack.mitre.org/techniques/T1078/"]
risk_score = 47
rule_id = "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
| where event.category == "authentication" and event.action == "logged-in" and winlog.event_id == "4624" and
    event.outcome == "success" and winlog.logon.type in ("Network", "RemoteInteractive") and
    source.ip is not null and source.ip != "127.0.0.1" and not to_string(source.ip) like "*::*" and not user.name like "*$"
| stats logon_count = COUNT(*) by user.name, source.ip
| stats
    Esql.max_logon = MAX(logon_count),
    Esql.min_logon = MIN(logon_count),
    Esql.source_ip_values = VALUES(source.ip),
    Esql.count_distinct = COUNT_DISTINCT(source.ip) by user.name

// high count of logons is often associated with service account tied to a specific source.ip, if observed in use from a new source.ip it's suspicious
| where Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and Esql.min_logon <= 5) and Esql.count_distinct == 2
| eval source.ip = mv_first(Esql.source_ip_values)
| KEEP user.name, source.ip, Esql.*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
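The aggregation the ES|QL query performs, re-implemented over constructed 4624 events as an added example (this is not Elastic's code): it applies the same WHERE exclusions, counts logons per user and source IP, and flags users with one IP at or above max_logon and exactly one other IP seen 1 to 5 times. The flat field names, the helper mk, and the sample accounts and IPs are constructed for illustration.

```python
from collections import Counter, defaultdict

# Mirrors the rule's ES|QL pipeline: keep successful 4624 Network/RemoteInteractive logons,
# count them per (user, source.ip), then per user compare the busiest IP with the rarest one.

def mk(user, ip, n, logon_type="Network", event_id="4624", outcome="success"):
    """Build n constructed logon events carrying only the fields the rule reads."""
    return [{"event_id": event_id, "outcome": outcome, "logon_type": logon_type,
             "user": user, "source_ip": ip} for _ in range(n)]

# Constructed sample data, not real telemetry (account names and IPs are made up).
EVENTS = (
    mk("svc_backup", "10.0.0.5", 1200)      # usual host for a service account
    + mk("svc_backup", "203.0.113.9", 2)    # same account from a new IP: should alert
    + mk("jdoe", "10.0.0.20", 1500)         # second device used often: min_logon 50, no alert
    + mk("jdoe", "10.0.0.21", 50)
    + mk("WS01$", "10.0.0.30", 1000)        # machine account, excluded by user.name like "*$"
    + mk("WS01$", "10.0.0.31", 1)
    + mk("svc_sql", "10.0.0.40", 1100)      # loopback and IPv6 sources are excluded, so
    + mk("svc_sql", "127.0.0.1", 3)         # only one distinct IP remains: no alert
    + mk("svc_sql", "fe80::1", 2)
    + mk("svc_web", "10.0.0.50", 900)       # below the default max_logon of 1000: no alert
    + mk("svc_web", "198.51.100.7", 1)
)

def in_scope(e):
    """The rule's WHERE clause."""
    ip = e["source_ip"]
    return (e["event_id"] == "4624" and e["outcome"] == "success"
            and e["logon_type"] in ("Network", "RemoteInteractive")
            and ip is not None and ip != "127.0.0.1" and "::" not in ip
            and not e["user"].endswith("$"))

def flag_new_source_ip(events, max_logon=1000, min_low=1, max_low=5):
    """Return {user: summary} for users whose logon pattern matches the rule thresholds."""
    per_pair = Counter((e["user"], e["source_ip"]) for e in events if in_scope(e))
    per_user = defaultdict(dict)
    for (user, ip), n in per_pair.items():
        per_user[user][ip] = n
    hits = {}
    for user, ips in per_user.items():
        hi, lo = max(ips.values()), min(ips.values())
        if hi >= max_logon and min_low <= lo <= max_low and len(ips) == 2:
            hits[user] = {"max_logon": hi, "min_logon": lo,
                          "new_source_ip": min(ips, key=ips.get), "source_ips": sorted(ips)}
    return hits

if __name__ == "__main__":
    print(flag_new_source_ip(EVENTS))
```

Lowering max_logon to 100, the tuning knob the false positive section mentions, additionally flags svc_web; jdoe never matches because the second IP is used 50 times, outside the 1 to 5 band.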
References
- https://attack.mitre.org/techniques/T1078/ (MITRE ATT&CK T1078, Valid Accounts)
Related rules
- Potential Account Takeover - Mixed Logon Types
- Delegated Managed Service Account Modification by an Unusual User
- dMSA Account Creation by an Unusual User
- SeDebugPrivilege Enabled by a Suspicious Process
- Unusual Print Spooler Child Process