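[hunt]
author = "Elastic"
description = """
This hunt identifies unusual logon activity by source IP on Linux systems. It monitors authentication events, focusing on failed logon attempts from specific IP addresses. A high number of failed logon attempts combined with a low number of successful logons and multiple distinct usernames can indicate a potential brute force or credential stuffing attack.
"""
integration = ["endpoint"]
uuid = "95c1467d-d566-4645-b5f1-37a4b0093bb6"
name = "Logon Activity by Source IP"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Monitors authentication events and counts failed and successful logon attempts by source IP address.",
"A high number of failed logon attempts combined with a low number of successful logons and multiple distinct usernames can indicate a potential brute force or credential stuffing attack.",
"The thresholds for failed attempts, successful logons, and distinct usernames should be adjusted based on the environment's normal logon patterns."
]
# ATT&CK coverage: T1110 (Brute Force) and T1078 (Valid Accounts).
mitre = ["T1110", "T1078"]
# The filter below must keep BOTH failure and success outcomes in scope: the
# success counter is derived from event.outcome after the filter, so narrowing
# the filter to failures alone pins count_success at 0 and turns the
# `count_success <= 10` threshold into a no-op.
query = [
'''
from logs-system.auth-*
| where @timestamp > now() - 7 day
| where host.os.type == "linux" and event.category == "authentication" and event.action in ("ssh_login", "user_login") and
event.outcome in ("failure", "success") and source.ip IS NOT null and not CIDR_MATCH(source.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")
/* tag each event's source IP under its outcome so stats can count failures and successes separately */
| eval failed = case(event.outcome == "failure", source.ip, null), success = case(event.outcome == "success", source.ip, null)
| stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(user.name) by source.ip
/* below threshold should be adjusted to your env logon patterns */
| where count_failed >= 100 and count_success <= 10 and count_user >= 20
'''
]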