Logon Spike Detection
Goal
Looks for an unusually large spike in successful authentication events. Such a spike can be a sign of password spraying, user enumeration or brute force activity, for example when a spray of one weak password lands on many accounts at once. Note that the model counts successful logons only; the failed attempts that usually accompany these attacks are not part of this scenario.
Description
This is a simple statistical model. That keeps it efficient, lets it scale across multiple customers, and makes predictions very fast to produce.
Characteristics
Data involved
We focus exclusively on “interactive” Active Directory logon event types. In Windows terms this means successful logon events (event ID 4624) whose logon type is interactive, for example type 2 (console) or type 10 (remote desktop). Network logons (type 3) used for resource access, such as file share access, and similar non-interactive activity are excluded from this scenario. The approach also works with logon data from other platforms, as long as that data can be reduced to a count of successful interactive logons per time frame.
Alert Generation
An alert is produced when the number of successful interactive logons in a time frame is unusually high compared with the baseline established by earlier time frames.
Raw outputs of the model
The outputs are:
The time frame of the prediction
A boolean value indicating whether an alert was raised for that time frame
The number of logons in that time frame
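The following is an added example of the kind of model described above; it is illustrative code written for this page, not the product's own implementation. It assumes events have already been normalized to a dictionary with a timestamp, a Windows event ID and a logon type, and the window size, thresholds and sample data are all assumptions chosen for the demonstration. It filters to successful interactive logons, counts them per fixed time frame, and flags a frame whose count sits far above the mean of earlier frames, returning exactly the three raw outputs listed above.

```python
"""Added example: a minimal logon-spike detector in the spirit of the model
described on this page. Illustrative code, not the vendor's implementation.
The event shape, window size, thresholds and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: events are normalized Windows Security records. Event 4624 is a
# successful logon; its LogonType is 2 (Interactive), 10 (RemoteInteractive) or
# 11 (CachedInteractive) for interactive logons. Type 3 (Network, i.e. resource
# access such as file shares) is excluded, matching the scenario on this page.
SUCCESSFUL_LOGON = 4624
INTERACTIVE_LOGON_TYPES = {2, 10, 11}
EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class Prediction:
    """One raw output row: the time frame, the alert flag and the logon count."""
    window_start: datetime
    window_end: datetime
    alert: bool
    logons: int


def bucket_interactive_logons(events, window):
    """Count successful interactive logons per fixed window, dropping everything else."""
    counts = Counter()
    for ev in events:
        if ev["event_id"] != SUCCESSFUL_LOGON or ev["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        bucket = EPOCH + ((ev["ts"] - EPOCH) // window) * window  # floor to window start
        counts[bucket] += 1
    return counts


def detect_spikes(events, window=timedelta(hours=1), z_threshold=3.0,
                  min_history=6, min_logons=10):
    """Flag windows whose count is more than z_threshold standard deviations above
    the mean of earlier, non-alerting windows. Empty windows count as zero, so
    quiet hours lower the baseline instead of being skipped."""
    counts = bucket_interactive_logons(events, window)
    if not counts:
        return []
    predictions, history = [], []
    t, last = min(counts), max(counts)
    while t <= last:
        n = counts.get(t, 0)
        alert = False
        if len(history) >= min_history:  # do not judge until a baseline exists
            mu, sigma = mean(history), pstdev(history)
            if sigma > 0:
                z = (n - mu) / sigma
            else:
                z = float("inf") if n > mu else 0.0  # flat baseline: any rise is a spike
            alert = n >= min_logons and z > z_threshold
        predictions.append(Prediction(t, t + window, alert, n))
        if not alert:
            history.append(n)  # keep alerting windows from inflating the baseline
        t += window
    return predictions


def make_sample_events():
    """Constructed sample: 12 hours of roughly 20 interactive logons per hour plus
    5 network logons per hour; hour 10 carries a burst of 90 interactive and 200
    network logons. Only the interactive burst should raise an alert."""
    base = datetime(2024, 1, 15)
    interactive_per_hour = [18, 22, 20, 19, 21, 20, 23, 17, 20, 21, 90, 19]
    events = []
    for hour, n in enumerate(interactive_per_hour):
        for i in range(n):
            ts = base + timedelta(hours=hour, seconds=i * (3600 // n))
            events.append({"ts": ts, "event_id": SUCCESSFUL_LOGON,
                           "logon_type": 10 if i % 2 else 2})
        network = 200 if hour == 10 else 5
        for i in range(network):
            ts = base + timedelta(hours=hour, seconds=7 + i * (3600 // network))
            events.append({"ts": ts, "event_id": SUCCESSFUL_LOGON, "logon_type": 3})
    return events


if __name__ == "__main__":
    for p in detect_spikes(make_sample_events()):
        print(p.window_start.isoformat(), p.window_end.isoformat(), p.alert, p.logons)
```

On the constructed sample the 200 network logons in hour 10 are ignored entirely, and only the 90 interactive logons in that hour are flagged. Two design choices are worth noting: windows that alert are kept out of the baseline so that a sustained attack cannot gradually "train" the model to accept it, and the absolute floor of `min_logons` stops a very flat baseline from turning a handful of extra logons into an alert.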