Unusual Login Activity | SIEM Guide [7.8]

The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

› › ›

« Unusual Linux Web Activity Unusual Network Connection via RunDLL32 »

Unusual Login Activityedit

Identifies an unusually high number of authentication attempts.

Rule type: machine_learning

Machine learning job: suspicious_login_activity_ecs

Machine learning anomaly threshold: 50

Severity: low

Risk score: 21

Runs every: 15 minutes

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html

Tags:

Elastic
Linux
ML

Version: 1

Added (Elastic Stack release): 7.7.0

Potential false positivesedit

Security audits may trigger this signal. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this signal.

« Unusual Linux Web Activity Unusual Network Connection via RunDLL32 »