Unusual account creations from an IP

Tactic:

TA0042-resource_development

Goal

Detect excessive account creations from an IP.

This may be caused by a malicious actor trying to create bots on your platform or abuse discounts to new users.

Required business logic events

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event:

  • users.signup

Strategy

Count the number of user signups generated coming from a single IP.

Require the signup to be flagged using a user event.

The rule determines the standard rate for IPs to create new users.
If an IP is seen significantly exceeding the normal rate, a Medium signal will be generated.

Note

This rule is using a new feature of ASM that isn’t yet available in custom detection rules.
This will prevent you from cloning this rule and having it work the same way as the Datadog version.
We’re working toward solving this limitation.

Triage and response

  1. Investigate the IP activity and validate that it is legitimate.
  2. Extract the list of created account to lock/delete them.
  3. Consider blocking the IP if the account creations are malicious.