Goal

Detect Account Takeover (ATO) attempts on services. ATO attempts include brute force, dictionary, and distributed credential stuffing attacks.

This detection rule is designed to detect brute force attempts, where an attacker attempts to log in to a single account using different passwords, until it finds the correct one by chance.

Required business logic events

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented events:

• users.login.failure
• users.login.success

Strategy

Monitor login events and track failed logins. Generate a Low severity signal when:

• a threshold of 40 failure logins are exceeded.
• a threshold of 20 failure logins are exceeded and the IPs are known offenders.

Increase signal severity to Critical and identify the compromised account when the IP address has a successful login to this same account.

Triage and response

1. Consider blocking the attacking IP addresses temporarily to slow attacks.
2. Check compromised accounts, suspend account access temporarily, and force password change.
3. Implement and enable Multi-Factor Authentication (MFA) when possible.