Tactic:
Detect Account Takeover (ATO) attempts on services. ATO attempts include brute force, dictionary, and distributed credential stuffing attacks.
This detection rule is designed to detect distributed credential stuffing campaigns, where an attacker uses many IP addresses to attempt to log into different accounts using stolen password lists. The attacker will often try a single password per account, and may make a few login attempts with each individual IP address.
Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event: users.login.failure with usr.id populated.
Monitor login events and track the number of failed login attempts from a given network range (ASN) with a given user agent. Generate a Medium severity signal when the rate of login failures deviates from historical trends. Datadog requires that a number of distinct users, associated with multiple IP addresses, are attempting logins before the signal fires. This helps deduplicate non-distributed signals (such as brute force and credential stuffing) that may otherwise appear alongside it.
If login successes are also detected from the same network range and user agent, the signal severity is raised to High.
The monitored login attempts exclude local IPs, common ISPs, and programmatic ranges, unless the IP address has previously been identified for malicious activity. This helps reduce false positives.
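The following is an added, simplified model of the detection logic described above, run over constructed users.login.* events; it is not Datadog's rule implementation. The event field names beyond usr.id (ip, asn, ua, known_malicious), the RFC 1918 exclusion list, the z-score deviation test and the min_users/min_ips thresholds are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# "Local IPs" modelled as RFC 1918 plus loopback (assumption; the page does not list Datadog's exclusions)
LOCAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
def constructed_events():
    """Constructed sample: one ASN/UA pair sprays 12 accounts from 6 IPs, then lands a success."""
    ev = [{"event": "users.login.failure", "usr.id": f"user{i}", "ip": f"203.0.113.{i % 6 + 1}",
           "asn": "AS64500", "ua": "curl/8.0"} for i in range(12)]
    ev.append({"event": "users.login.success", "usr.id": "user3", "ip": "203.0.113.4",
               "asn": "AS64500", "ua": "curl/8.0"})
    # a local address is excluded by the rule, so it must not inflate the user/IP counts
    ev.append({"event": "users.login.failure", "usr.id": "user99", "ip": "10.0.0.5",
               "asn": "AS64500", "ua": "curl/8.0"})
    # one legitimate user mistyping a password twice from a single IP (not distributed)
    ev += [{"event": "users.login.failure", "usr.id": "bob", "ip": "198.51.100.7",
            "asn": "AS64501", "ua": "Mozilla/5.0"}] * 2
    return ev
BASELINE = {("AS64500", "curl/8.0"): [0, 1, 0, 2, 1],  # constructed: failures per past window, per (asn, ua)
            ("AS64501", "Mozilla/5.0"): [3, 2, 4, 3, 2]}
def detect(events, baseline, min_users=10, min_ips=5, z=3.0):
    """Return {(asn, ua): {"severity", "failures", "users", "ips"}} for groups that fire."""
    groups = defaultdict(lambda: {"failures": 0, "users": set(), "ips": set(), "success": False})
    for e in events:
        ip = ipaddress.ip_address(e["ip"])
        # exclusion as the rule describes: local IPs are skipped unless previously flagged malicious
        if any(ip in net for net in LOCAL_RANGES) and not e.get("known_malicious", False):
            continue
        g = groups[(e["asn"], e["ua"])]
        if e["event"] == "users.login.failure" and e.get("usr.id"):
            g["failures"] += 1
            g["users"].add(e["usr.id"])
            g["ips"].add(e["ip"])
        elif e["event"] == "users.login.success":
            g["success"] = True
    signals = {}
    for key, g in groups.items():
        hist = baseline.get(key, [])
        mu, sd = (mean(hist), pstdev(hist)) if hist else (0.0, 0.0)
        # "deviates from historical trend" modelled as an assumed z-score threshold over past windows
        if g["failures"] <= mu + z * sd:
            continue
        # distributed check: many accounts across several IPs, else leave it to the non-distributed rules
        if len(g["users"]) < min_users or len(g["ips"]) < min_ips:
            continue
        signals[key] = {"severity": "High" if g["success"] else "Medium",
                        "failures": g["failures"], "users": len(g["users"]), "ips": len(g["ips"])}
    return signals
```

Calling detect(constructed_events(), BASELINE) fires a High signal for the AS64500/curl group (12 users over 6 IPs, followed by a success) and nothing for the single user on AS64501.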