Many logins OK from same IP
Goal
Looks for an unusually large spike in successful authentication events from a particular source IP address.
Description
Looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.
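One way to implement this check over events carrying the required fields, as an added example that is not part of the original rule. The hourly window, the per-IP median baseline, the thresholds, the timestamp field and the use of Windows event ID 4624 as the "login OK" event are all assumptions; the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Every constant below is an assumption of this example, not a value from the rule.
SUCCESS_EVENT_IDS = {"4624"}  # Windows "logon succeeded"; use your source's equivalent
BUCKET = timedelta(hours=1)   # counting window
LOOKBACK = 4                  # earlier buckets that form the per-IP baseline
MIN_COUNT = 20                # ignore low-volume sources outright
SPIKE_FACTOR = 5              # alert when count > factor * baseline median

def find_spikes(events):
    """Return [(sourceAddress, bucket_start, count, baseline)] for spiking IPs."""
    counts = defaultdict(Counter)  # sourceAddress -> {bucket_start: successes}
    for ev in events:
        src = ev.get("sourceAddress")
        if not src or str(ev.get("event_id")) not in SUCCESS_EVENT_IDS:
            continue  # required field missing, or not a successful login
        ts = datetime.fromisoformat(ev["timestamp"])
        counts[src][ts.replace(minute=0, second=0, microsecond=0)] += 1
    # Skip the warm-up period: a bucket is only scored with full history behind it.
    first = min((min(per_ip) for per_ip in counts.values()), default=None)
    alerts = []
    for src, per_ip in counts.items():
        for bucket in sorted(per_ip):
            if bucket - LOOKBACK * BUCKET < first:
                continue
            # Quiet hours count as 0, so a normally idle IP has a baseline of 0.
            history = [per_ip[bucket - k * BUCKET] for k in range(1, LOOKBACK + 1)]
            baseline, n = median(history), per_ip[bucket]
            if n >= MIN_COUNT and n > SPIKE_FACTOR * baseline:
                alerts.append((src, bucket, n, baseline))
    return sorted(alerts)

def sample_events():
    """Constructed data: a steady NAT gateway, one spiking IP, one failing IP."""
    t0, out = datetime(2024, 1, 1), []
    def add(src, event_id, hour, n):
        for i in range(n):
            ts = t0 + timedelta(hours=hour, minutes=i)
            out.append({"timestamp": ts.isoformat(), "sourceAddress": src, "event_id": event_id})
    for hour in range(6):
        add("10.0.0.5", 4624, hour, 30)                         # busy but stable
        add("203.0.113.7", 4624, hour, 40 if hour == 5 else 2)  # spike in hour 5
    add("198.51.100.9", 4625, 5, 50)                            # failures: out of scope
    return out

if __name__ == "__main__":
    print(find_spikes(sample_events()))
```

Comparing each IP against its own recent history keeps a consistently busy source, such as a NAT gateway or proxy, from alerting on volume alone.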
Characteristics
Name: Many logins OK from same IP
Type: Network
Data source: Authentication
Required fields: sourceAddress, event_id (or equivalent)
Last updated