Excessive account creations from an IP

Goal

Detect excessive account creations from an IP.

This may be caused by a malicious actor trying to create bots on your platform or abuse discounts offered to new users.

Required business logic events

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event:

  • users.signup

Strategy

Count the number of user signups coming from a single IP.

Require the signup to be flagged using a user event.

A Medium signal is generated when more than 10 signups from a single IP are found over 5 minutes.
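
The counting strategy above, as an added example that is not Datadog's rule implementation: a sliding-window detector run over constructed users.signup events. The event field names (ts, event, ip, user_id), the sliding-window evaluation and the signal layout are assumptions made for this sketch.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60  # "over 5 minutes"
THRESHOLD = 10           # a signal needs MORE than 10 signups


def detect_signup_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one Medium signal per IP exceeding the threshold in a sliding window.

    Event keys (ts, event, ip, user_id) are assumed names, not a Datadog schema.
    """
    recent = defaultdict(deque)  # ip -> (ts, user_id) pairs still inside the window
    signals = {}                 # ip -> signal, one per offending IP
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "users.signup" or not ev.get("ip"):
            continue  # count only signup events that carry a source IP
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user_id"]))
        while ev["ts"] - q[0][0] >= window:
            q.popleft()  # expire signups that fell out of the window
        if len(q) > threshold:
            sig = signals.setdefault(ev["ip"], {"ip": ev["ip"], "severity": "medium",
                                               "first_seen": q[0][0], "accounts": []})
            # Keep the created accounts so they can be locked or deleted in triage.
            sig["accounts"] += [u for _, u in q if u not in sig["accounts"]]
    return list(signals.values())


def sample_events():
    """Constructed events: documentation IP ranges and made-up user IDs."""
    def signups(ip, prefix, count, step):
        return [{"ts": 1000 + step * i, "event": "users.signup", "ip": ip,
                 "user_id": f"{prefix}-{i}"} for i in range(count)]
    return (signups("203.0.113.7", "bot", 12, 20)      # 12 signups in under 4 minutes
            + signups("198.51.100.4", "user", 11, 60)  # 11 signups spread over 10 minutes
            + signups("192.0.2.9", "promo", 10, 1)     # exactly 10: at, not over, the limit
            + [{"ts": 1005, "event": "users.login", "ip": "203.0.113.7", "user_id": "bot-0"}])


if __name__ == "__main__":
    for signal in detect_signup_bursts(sample_events()):
        print(signal)
```

Only the first constructed IP produces a signal; the IP with exactly 10 signups and the one whose 11 signups are spread beyond the window stay below the rule's condition.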

Triage and response

  1. Investigate the IP activity and validate that it is legitimate.
  2. Extract the list of created accounts to lock/delete them.
  3. Consider blocking the IP if the account creations are malicious.