Excessive account deletion from an IP
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect excessive account deletions from an IP.
This may be caused by a malicious actor who found an exploit to damage your platform.
Required business logic events
Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event:
Strategy
Count the number of users that were deleted by an IP.
Require the account deletion to be flagged using a user event with a usr.id
metadata field set to the user being deleted.
usr.id
must be provided and unique, even if the user didn’t exist.
A Medium
signal is then generated if more than 5 accounts are deleted within 5 minutes.
Triage and response
- Investigate the user activity and validate that it is legitimate.
- Review your account deletion process to ensure users can’t be impersonated.
- Consider blocking the IP to slow down the attacker, or disable the account deletion route.