Excessive account deletion from an IP

Tactic:

TA0040-impact

Goal

Detect excessive account deletions from an IP.

This may be caused by a malicious actor who found an exploit to damage your platform.

Required business logic events

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event:

  • users.delete

Strategy

Count the number of users that were deleted by an IP.

Require the account deletion to be flagged using a user event with a usr.id metadata field set to the user being deleted.

usr.id must be provided and unique, even if the user didn’t exist.

A Medium signal is then generated if more than 5 accounts are deleted within 5 minutes.

Triage and response

  1. Investigate the user activity and validate that it is legitimate.
  2. Review your account deletion process to ensure users can’t be impersonated.
  3. Consider blocking the IP to slow down the attacker, or disable the account deletion route.