Elastic Security Detection Rules

Unusual Hour for a User to Logon

Last updated a year ago on 2024-06-18
Created 4 years ago on 2021-06-10

About

A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.
Tags
Use Case: Identity and Access AuditUse Case: Threat DetectionRule Type: MLRule Type: Machine LearningTactic: Initial Access
Severity
low
Risk Score
21
MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

Valid Accounts (T1078)(opens in a new tab or window)

False Positive Examples
Users working late, or logging in from unusual time zones while traveling, may trigger this rule.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

auditd_manager(opens in a new tab or window)

endpoint(opens in a new tab or window)

system(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Unusual Hour for a User to Logon in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).