Excessive account deletion from an IP

Tactic:

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Detect excessive account deletions from an IP.

This may be caused by a malicious actor who found an exploit to damage your platform.

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event:

Count the number of users that were deleted by an IP.

Require the account deletion to be flagged using a user event with a usr.id metadata field set to the user being deleted.

usr.id must be provided and unique, even if the user didn’t exist.

A Medium signal is then generated if more than 5 accounts are deleted within 5 minutes.

Investigate the user activity and validate that it is legitimate.
Review your account deletion process to ensure users can’t be impersonated.
Consider blocking the IP to slow down the attacker, or disable the account deletion route.