Many Logins OK from the same IP

Goal

Detects large spikes of successful user logins from a particular source IP address. This could indicate a potential threat actor that has compromised several accounts and is accessing them.

Description

This model follows the same implementation as “Brute force login detection”, adapted to the needs of this use case.

Characteristics

Name
Many Logins OK from the same IP

Data involved

VPN events. Currently it works with events from SonicWall devices.

Alert Generation

This produces medium severity alerts.

Raw outputs of the model

A boolean value indicating whether an alert should be produced.
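As an added illustration of the detection logic described under Goal and Raw outputs (this is not the product's or the model's own code): a sliding-window count of successful logins per source IP over constructed sample log lines, returning the boolean the model describes. The simplified SonicWall-style key=value log format, the one-minute window and the threshold of five logins are assumptions, not the model's tuned parameters.

```python
# Added example (not the product's own code): a sliding-window spike
# detector for successful VPN logins per source IP. The log lines are a
# constructed, simplified imitation of SonicWall key=value syslog; the
# window and threshold are assumed values, not the model's tuned ones.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one IP logs in to five accounts within 30 seconds,
# one failed attempt is mixed in, and a second IP shows a single login.
SAMPLE_LOGS = """\
time="2024-03-01 08:00:01" msg="User login successful" usr="alice" src=203.0.113.10
time="2024-03-01 08:00:05" msg="User login successful" usr="bob" src=203.0.113.10
time="2024-03-01 08:00:09" msg="User login failed" usr="carol" src=203.0.113.10
time="2024-03-01 08:00:12" msg="User login successful" usr="carol" src=203.0.113.10
time="2024-03-01 08:00:20" msg="User login successful" usr="dave" src=203.0.113.10
time="2024-03-01 08:00:31" msg="User login successful" usr="erin" src=203.0.113.10
time="2024-03-01 08:05:00" msg="User login successful" usr="frank" src=198.51.100.7
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one key=value syslog line into a dict, dropping value quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def spike_ips(lines, window=timedelta(minutes=1), threshold=5):
    """Return {src_ip: (peak_logins, distinct_accounts)} for every source IP
    whose successful logins inside one sliding window reach the threshold.
    Only successful logins count; events are assumed to be in time order."""
    recent = defaultdict(deque)   # src ip -> deque of (timestamp, user)
    peaks = {}
    for line in lines.splitlines():
        ev = parse_event(line)
        if ev.get("msg") != "User login successful":
            continue
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[ev["src"]]
        q.append((ts, ev.get("usr", "?")))
        while ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(ev["src"], (0, 0))[0]:
            peaks[ev["src"]] = (len(q), len({u for _, u in q}))
    return peaks

def should_alert(lines, **kw):
    """The model's raw output: True when at least one source IP spiked."""
    return bool(spike_ips(lines, **kw))
```

The distinct-account count is reported alongside the login count because many successes spread over several accounts from one IP is the scenario the Goal describes, whereas repeated logins by a single account are more often a legitimate client reconnecting.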

Last updated