/
initial_access_ml_auth_rare_source_ip_for_a_user.toml
46 lines (42 loc) · 1.47 KB
/
initial_access_ml_auth_rare_source_ip_for_a_user.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to
credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual
source IP address for a username could also be due to lateral movement when a compromised account is used to pivot
between hosts.
"""
false_positives = ["Business travelers who roam to new locations may trigger this alert."]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "auth_rare_source_ip_for_a_user"
name = "Unusual Source IP for a User to Logon from"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b"
severity = "low"
tags = [
"Use Case: Identity and Access Audit",
"Use Case: Threat Detection",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Tactic: Initial Access",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"