Rate limited activity from IP

Goal

Detect excessive activity performed from an IP.

This may be caused by a malicious actor trying to cause issues in your platform, create spam content, or similar.

You can read more about the purpose of rate limiting there.

Strategy

Count the occurrences of a given activity coming from a single IP.

This rule requires the activity to be flagged with a user event named activity.sensitive. User authentication isn't necessary.

However, it is very important that the event be given a name in the metadata.

The rule counts events sharing the same name. This lets you rate limit multiple activities separately, without one counting toward another (60 activities named A + 60 activities named B won't trigger the rate limit). The rule won't run if no name is provided.

A Medium signal is generated if more than 100 events from a single IP are found within 5 minutes. The threshold can be modified either globally or, by cloning the rule, for a single activity.
If you want to change the threshold for a single event, clone this signal and add @appsec.events.activity.sensitive.name:YOUR_ACTIVITY_NAME in the query.
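The counting logic described above, as an added offline illustration (not Datadog's rule engine or query language): events are grouped by (IP, activity name), unnamed events are skipped, and a signal is recorded when more than 100 events share a key inside any 5-minute window. The event dicts, field names and IPs are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # evaluation window stated by the rule
THRESHOLD = 100                 # signal fires when the count exceeds this


def rate_limited_ips(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(ip, name): peak_count} for every (IP, activity name) pair
    whose activity.sensitive events exceed `threshold` in any `window`.

    `events` is an iterable of dicts with keys ts (datetime), ip (str)
    and name (str or None). Events without a name are ignored, since the
    rule does not run for them.
    """
    by_key = defaultdict(list)
    for ev in events:
        if not ev.get("name"):          # rule won't run without a name
            continue
        by_key[(ev["ip"], ev["name"])].append(ev["ts"])

    signals = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide window start forward
                start += 1
            count = end - start + 1              # events inside the window
            if count > threshold:
                signals[key] = max(signals.get(key, 0), count)
    return signals


def constructed_events():
    """Constructed sample, not real telemetry: 198.51.100.7 performs 60
    'password_reset' and 60 'invite' activities (no signal, counted
    separately); 203.0.113.9 performs 101 'password_reset' within 200 s
    (signal); 203.0.113.10 sends 200 unnamed events (never counted)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    evs = []
    for i in range(60):
        for name in ("password_reset", "invite"):
            evs.append({"ts": t0 + timedelta(seconds=i), "ip": "198.51.100.7", "name": name})
    for i in range(101):
        evs.append({"ts": t0 + timedelta(seconds=2 * i), "ip": "203.0.113.9", "name": "password_reset"})
    for i in range(200):
        evs.append({"ts": t0 + timedelta(seconds=i), "ip": "203.0.113.10", "name": None})
    return evs


if __name__ == "__main__":
    print(rate_limited_ips(constructed_events()))
```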

Triage and response

  1. Investigate the IP activity and validate that it is legitimate.
  2. Consider blocking the IP if the activity is malicious.
  3. Consider introducing your own rate limiting features.