build servers and ci systems can sometimes trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.

t1078
t1110
ml
elastic

Techniques

T1078
T1110

Sample rules

Spike in Logon Events

source: elastic
technicques:
- T1110

Description

A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.

Detection logic

Spike in Successful Logon Events from a Source IP

source: elastic
technicques:
- T1078
- T1110

Description

A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.