---
title: Excessive account creations from an IP
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Excessive account creations from an IP
---

# Excessive account creations from an IP
Tactic:[TA0042-resource_development](https://attack.mitre.org/tactics/TA0042)Technique:[T1585-establish-accounts](https://attack.mitre.org/techniques/T1585) 
### Goal{% #goal %}

Detect excessive account creations from an IP.

This may be caused by a malicious actor trying to create bots on your platform or abuse discounts to new users.

### Required business logic events{% #required-business-logic-events %}

Datadog auto-instruments many event types. [Review](https://app.datadoghq.com/security/appsec/business-logic) your instrumented business logic events. This detection requires the following instrumented event:

- `users.signup`

### Strategy{% #strategy %}

Count the number of user signups generated coming from a single IP.

Require the signup to be flagged using [a user event](https://docs.datadoghq.com/security/application_security/threats/add-user-info.md?tab=set_user#adding-user-events-login-success-login-failure-any-business-logic-to-traces).

A `Medium` signal is then generated if more than 10 signups from a single IP over 5 minutes are found.

### Triage and response{% #triage-and-response %}

1. Investigate the IP activity and validate that it is legitimate.
1. Extract the list of created accounts to lock/delete them.
1. Consider blocking the IP if the account creations are malicious.