A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration, or brute-force activity, and may be a precursor to account takeover or credentialed access.
Rule type: machine_learning
Machine learning job: auth_high_count_logon_fails
Machine learning anomaly threshold: 75
Risk score: 21
Runs every: 15 minutes
Maximum alerts per execution: 100
Tags:
- Threat Detection
Version: 2 (version history)
Added (Elastic Stack release): 7.14.0
Last modified (Elastic Stack release): 7.15.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives: A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute-force or password-spraying activities may trigger this alert.
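When this alert fires, the first triage question is what shape the spike has: many accounts from one source (spray-like), one account hammered rapidly (brute-force-like), or one account failing on a fixed cadence (typical of the misconfigured or stale-credential service account named above). The following is an added example of that triage step, not Elastic's rule code or the ML job itself; the events, thresholds, and the 15-minute window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Each event is one failed logon:
# (timestamp, user, source_ip). Three scenarios are built so the triage
# logic can be exercised offline.
T0 = datetime(2024, 1, 1, 9, 0)

def spray_events():
    # Many distinct users, one source, a single attempt each.
    return [(T0 + timedelta(seconds=5 * i), f"user{i:02d}", "10.0.0.5") for i in range(30)]

def brute_force_events():
    # One user, one source, rapid repeated attempts.
    return [(T0 + timedelta(seconds=i), "alice", "10.0.0.9") for i in range(40)]

def service_account_events():
    # One account failing exactly every 60 s, e.g. a scheduled job whose
    # stored password was changed.
    return [(T0 + timedelta(seconds=60 * i), "svc-backup", "10.0.0.20") for i in range(15)]

def triage(events, start=T0, window_minutes=15):
    """Classify the shape of the failures inside one rule window (assumed 15 min)."""
    end = start + timedelta(minutes=window_minutes)
    win = sorted(e for e in events if start <= e[0] < end)
    if not win:
        return "no failures in window"
    users = Counter(e[1] for e in win)
    sources = Counter(e[2] for e in win)
    top_src_share = sources.most_common(1)[0][1] / len(win)
    # Assumed thresholds: 10+ accounts with 80%+ of failures from one source.
    if len(users) >= 10 and top_src_share >= 0.8:
        return "spray-like: many accounts from one source, review that source"
    if len(users) == 1:
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(win, win[1:])]
        # A near-constant interval of 30 s or more points to a scheduled job
        # with a stale credential rather than an interactive attacker.
        if gaps and max(gaps) - min(gaps) <= 2 and min(gaps) >= 30:
            return "service-account-like: fixed cadence, check for a stale credential"
        return "brute-force-like: one account, rapid attempts, review lockout and MFA"
    return "mixed: inspect per-user and per-source counts"

if __name__ == "__main__":
    for name, fn in [("spray", spray_events), ("brute", brute_force_events),
                     ("service", service_account_events)]:
        print(f"{name}: {triage(fn())}")
```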
Version history:
- Version 2 (7.15.0 release)
  - Formatting only