{
"description": "Security: Authentication - Looks for an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A normally inactive account (for example, one belonging to a user who has left the organization) that suddenly becomes active may indicate credentialed access with a compromised account password. Threat actors also sometimes create new user accounts as a means of persisting in a compromised web application. Because the detector keys on user.name alone, expect legitimately new or rarely used accounts to surface as well; triage results against the source.ip and host.name influencers.",
"groups": ["security", "authentication"],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "Detects authentication events by a rarely seen user name.",
"function": "rare",
"by_field_name": "user.name",
"detector_index": 0
}
],
"influencers": ["source.ip", "user.name", "host.name"]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "128mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-auth",
"security_app_display_name": "Rare User Logon",
"managed": true,
"job_revision": 4
}
}