Spike in Failed Logon Eventsedit
A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.
Rule type: machine_learning
Machine learning job: auth_high_count_logon_fails
Machine learning anomaly threshold: 75
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-30m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Authentication
- Threat Detection
- ML
Version: 1
Added (Elastic Stack release): 7.14.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positivesedit
A misconfigured service account can trigger this alert. A password change on ana account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert.