
Excessive account creations from an IP

Goal

Detect excessive account creations from an IP.

This may be caused by a malicious actor trying to create bots on your platform or abuse discounts offered to new users.

Required business logic events

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event:

  • users.signup

Strategy

Count the number of user signups coming from a single IP.

Require the signup to be flagged using a user event.

A Medium signal is then generated if more than 10 signups from a single IP are found over 5 minutes.

Triage and response

  1. Investigate the IP activity and validate that it is legitimate.
  2. Extract the list of created accounts to lock/delete them.
  3. Consider blocking the IP if the account creations are malicious.
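
The counting logic from Strategy, applied offline to exported signup events and returning the accounts behind each flagged IP for triage step 2. This is an added example, not Datadog's rule query or implementation; the sliding-window semantics, the event field names (`ts`, `event`, `ip`, `user_id`), the `other.event` name, and the sample data are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # page: signal on MORE than 10 signups
WINDOW = timedelta(minutes=5)  # page: counted over 5 minutes


def detect_excessive_signups(events, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: sorted user ids} for IPs exceeding threshold within window.

    events: dicts with assumed keys 'ts' (datetime), 'event', 'ip', 'user_id'.
    """
    recent = defaultdict(deque)  # ip -> (ts, user_id) still inside the window
    flagged = defaultdict(set)   # ip -> accounts created while over threshold
    signups = (e for e in events if e["event"] == "users.signup")
    for e in sorted(signups, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append((e["ts"], e["user_id"]))
        # Drop signups that have aged out of the sliding window.
        while e["ts"] - q[0][0] >= window:
            q.popleft()
        if len(q) > threshold:
            flagged[e["ip"]].update(uid for _, uid in q)
    return {ip: sorted(uids) for ip, uids in flagged.items()}


def sample_events():
    """Constructed sample data (documentation IP ranges, invented user ids)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    for i in range(12):
        # Burst: 12 signups in under 4 minutes from one IP.
        events.append({"ts": t0 + timedelta(seconds=20 * i), "ip": "203.0.113.7",
                       "event": "users.signup", "user_id": f"bot-{i:02d}"})
        # Slow: one signup per minute, so at most 5 fall in any window.
        events.append({"ts": t0 + timedelta(minutes=i), "ip": "198.51.100.9",
                       "event": "users.signup", "user_id": f"user-{i:02d}"})
    for i in range(20):
        # Non-signup events from a third IP must not count.
        events.append({"ts": t0 + timedelta(seconds=i), "ip": "192.0.2.44",
                       "event": "other.event", "user_id": "alice"})
    return events


if __name__ == "__main__":
    for ip, users in detect_excessive_signups(sample_events()).items():
        print(f"{ip}: {len(users)} accounts to review -> {users}")
```
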