A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.
Rule type: machine_learning
Machine learning job: auth_high_count_logon_events
Machine learning anomaly threshold: 75
Risk score: 21
Runs every: 15 minutes
Maximum alerts per execution: 100
Tags: Threat Detection
Added (Elastic Stack release): 7.14.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives: Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert.