Rare User Logon

Last updated a year ago on 2024-06-18
Created 4 years ago on 2021-06-10

About

A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (for example, one belonging to a user who has left the organization) that suddenly becomes active may indicate credentialed access with a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.
Tags
Use Case: Identity and Access Audit
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
Severity
low
Risk Score
21
MITRE ATT&CK™

Initial Access (TA0001)

False Positive Examples
User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning.
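The behaviour described in the About and False Positive sections, as an added example that is not the rule's own code and not Elastic's ML job: a frequency heuristic over constructed ECS-style authentication events that flags successful logons by accounts never seen before or dormant for longer than a baseline window, with a warm-up period (an assumption of this example) so that first sightings while the baseline is still being built do not alert.

```python
from datetime import datetime, timedelta

# Constructed ECS-style authentication events (sample data, not from the page), sorted by time.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T08:00:00", "user.name": "alice", "event.outcome": "success"},
    {"@timestamp": "2024-05-03T09:00:00", "user.name": "bob", "event.outcome": "success"},
    {"@timestamp": "2024-05-04T08:00:00", "user.name": "alice", "event.outcome": "success"},
    {"@timestamp": "2024-05-10T08:00:00", "user.name": "bob", "event.outcome": "success"},
    {"@timestamp": "2024-05-20T08:00:00", "user.name": "alice", "event.outcome": "success"},
    {"@timestamp": "2024-06-01T08:00:00", "user.name": "alice", "event.outcome": "success"},
    {"@timestamp": "2024-06-10T08:00:00", "user.name": "alice", "event.outcome": "success"},
    {"@timestamp": "2024-06-10T11:30:00", "user.name": "svc-backup", "event.outcome": "success"},
    {"@timestamp": "2024-06-11T02:00:00", "user.name": "bob", "event.outcome": "success"},
    {"@timestamp": "2024-06-11T03:00:00", "user.name": "mallory", "event.outcome": "failure"},
    {"@timestamp": "2024-06-12T08:00:00", "user.name": "alice", "event.outcome": "success"},
]


def rare_user_logons(events, dormant_days=30, warmup_days=30):
    """Flag successful logons by accounts that are new (never seen before) or dormant
    (no successful logon within the last `dormant_days`). This is a simple frequency
    heuristic approximating the rule's intent, not Elastic's ML model. First sightings
    inside the initial `warmup_days` of data are treated as baseline, which is one way
    to keep the 'model is still learning' false positive down.
    Returns a list of (timestamp, user.name, reason)."""
    last_seen = {}
    warmup_end = None
    alerts = []
    for ev in events:
        if ev.get("event.outcome") != "success":
            continue  # a failed attempt says nothing about a usable credential
        ts = datetime.fromisoformat(ev["@timestamp"])
        user = ev["user.name"]
        if warmup_end is None:
            warmup_end = ts + timedelta(days=warmup_days)
        if user not in last_seen:
            if ts >= warmup_end:
                alerts.append((ev["@timestamp"], user, "new account"))
        elif ts - last_seen[user] > timedelta(days=dormant_days):
            alerts.append((ev["@timestamp"], user, "dormant account"))
        last_seen[user] = ts
    return alerts


if __name__ == "__main__":
    for ts, user, reason in rare_user_logons(SAMPLE_EVENTS):
        print(f"{ts} {user}: {reason}")
```

Tuning `dormant_days` is the same trade-off the False Positive section describes: a longer window quiets the occasional SRE logon but also delays catching a reactivated leaver account.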
License
Elastic License v2

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

auditd_manager

endpoint

system

Query

Install detection rules in Elastic Security

Detect Rare User Logon in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.