Potential Account Takeover - Logon from New Source IP

 1[metadata]
 2creation_date = "2026/02/25"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2026/05/04"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different
11source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover
12or use of stolen credentials from a new location.
13"""
14from = "now-15m"
15interval = "14m"
16language = "esql"
17license = "Elastic License v2"
18name = "Potential Account Takeover - Logon from New Source IP"
19note = """## Triage and analysis
20
21### Investigating Potential Account Takeover - Logon from New Source IP
22
23An account that historically logs in many times from a single source IP (e.g. usual workstation or VPN) and then shows successful logons from exactly one other IP with a low count may indicate credential compromise and use from a new location (account takeover).
24
25### Possible investigation steps
26
27- Confirm with the account owner whether they recently logged in from the new source IP or from a new device/location.
28- Check the new source IP for reputation, geography, and whether it is expected (e.g. corporate VPN range vs unknown).
29- Correlate with other alerts for the same user or source IP (e.g. logon failures, password changes, MFA changes).
30- Review timeline: if the "new" IP logon is very recent compared to the high-count IP, treat as higher priority.
31
32### False positive analysis
33
34- Legitimate use from a second device (e.g. new laptop, second office, VPN from travel) can produce exactly two IPs with one IP having few logons. Tune threshold (e.g. max_logon >= 100) or add exclusions for known VPN/remote ranges if needed.
35- Service or shared accounts that are used from multiple jump hosts or scripts may show two IPs; consider excluding known service accounts.
36
37### Response and remediation
38
39- If takeover is confirmed: force password reset, revoke sessions, and enable or enforce MFA. Disable or lock the account until the user verifies identity.
40- Investigate how credentials may have been compromised (phishing, breach, endpoint) and address the vector.
41"""
42
43setup = """## Setup
44
45Audit Logon must be enabled to generate the events used by this rule.
46Setup instructions: https://ela.st/audit-logon
47"""
48
49references = ["https://attack.mitre.org/techniques/T1078/"]
50risk_score = 47
51rule_id = "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d"
52severity = "medium"
53tags = [
54    "Domain: Endpoint",
55    "OS: Windows",
56    "Use Case: Threat Detection",
57    "Tactic: Privilege Escalation",
58    "Data Source: Windows Security Event Logs",
59    "Resources: Investigation Guide",
60]
61timestamp_override = "event.ingested"
62type = "esql"
63
64query = '''
65from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
66| where event.category == "authentication" and event.action == "logged-in" and winlog.event_id == "4624" and 
67        event.outcome == "success" and winlog.logon.type in ("Network", "RemoteInteractive") and 
68		source.ip is not null and source.ip != "127.0.0.1" and not to_string(source.ip) like "*::*" and not user.name like "*$"
69| stats logon_count = COUNT(*), host_names = VALUES(host.name) by user.name, user.id, source.ip
70| stats 
71    Esql.max_logon = MAX(logon_count),
72    Esql.min_logon = MIN(logon_count),
73    Esql.unique_host_count = COUNT_DISTINCT(host_names),
74    Esql.host_name_values = VALUES(host_names),
75    Esql.source_ip_values = VALUES(source.ip),
76    Esql.count_distinct_source_ip = COUNT_DISTINCT(source.ip) by user.name, user.id
77
78// high count of logons is often associated with service account tied to a specific source.ip, if observed in use from a new source.ip it's suspicious
79| where Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and Esql.min_logon <= 5) and Esql.count_distinct_source_ip == 2 and Esql.unique_host_count >= 2
80| eval source.ip = MV_FIRST(Esql.source_ip_values), host.name = MV_FIRST(Esql.host_name_values)
81| KEEP user.name, user.id, host.name, source.ip, Esql.*
82'''
83
84[[rule.threat]]
85framework = "MITRE ATT&CK"
86[[rule.threat.technique]]
87id = "T1078"
88name = "Valid Accounts"
89reference = "https://attack.mitre.org/techniques/T1078/"
90
91
92[rule.threat.tactic]
93id = "TA0004"
94name = "Privilege Escalation"
95reference = "https://attack.mitre.org/tactics/TA0004/"