Techniques
Sample rules
Unusual Source IP for a User to Logon from
- source: elastic
- technicques:
- T1078
Description
A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.
Detection logic