GitHub Repo

Analytics Story: Compromised User Account

Updated Date: 2026-05-13 ID: 19669154-e9d1-4a01-b144-e6592a078092 Author: Mauricio Velazco, Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and techniques associated with Compromised User Account attacks.

Why it matters

Compromised User Account occurs when cybercriminals gain unauthorized access to accounts by using different techniques like brute force, social engineering, phishing & spear phishing, credential stuffing, etc. By posing as the real user, cyber-criminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that can help security operations teams identify the potential signs of Compromised User Accounts.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
AWS Successful Console Authentication From Multiple IPs Unused/Unsupported Cloud Regions, Compromise Accounts Anomaly
Detect Password Spray Attempts Password Spraying TTP
Detect Distributed Password Spray Attempts Password Spraying Hunting
AWS High Number Of Failed Authentications From Ip Password Spraying, Credential Stuffing Anomaly
O365 SharePoint Suspicious Search Behavior Sharepoint, Unsecured Credentials Anomaly
Detect AWS Console Login by User from New Country Unused/Unsupported Cloud Regions, Cloud Accounts Hunting
AWS Console Login Failed During MFA Challenge Cloud Accounts, Multi-Factor Authentication Request Generation TTP
Detect AWS Console Login by User from New Region Unused/Unsupported Cloud Regions, Cloud Accounts Hunting
O365 Email Suspicious Search Behavior Remote Email Collection, Unsecured Credentials Anomaly
Azure AD Successful Authentication From Different Ips Password Guessing, Password Spraying TTP
AWS Password Policy Changes Password Policy Discovery Hunting
AWS Concurrent Sessions From Different Ips Browser Session Hijacking TTP
Azure AD High Number Of Failed Authentications From Ip Password Guessing, Password Spraying TTP
Azure AD New MFA Method Registered For User Multi-Factor Authentication TTP
PingID New MFA Method After Credential Reset Device Registration, Multi-Factor Authentication, Multi-Factor Authentication Request Generation TTP
AWS High Number Of Failed Authentications For User Password Policy Discovery Anomaly
PingID Multiple Failed MFA Requests For User Valid Accounts, Brute Force, Multi-Factor Authentication Request Generation TTP
Azure AD High Number Of Failed Authentications For User Password Guessing TTP
ASL AWS Concurrent Sessions From Different Ips Browser Session Hijacking Anomaly
Detect Password Spray Attack Behavior From Source Password Spraying TTP
Azure AD AzureHound UserAgent Detected Cloud Account, Cloud Service Discovery TTP
Detect Password Spray Attack Behavior On User Password Spraying TTP
PingID Mismatch Auth Source and Verification Response Device Registration, Multi-Factor Authentication, Multi-Factor Authentication Request Generation TTP
Azure AD Service Principal Enumeration Cloud Account, Cloud Service Discovery TTP
Windows Remote Desktop Network Bruteforce Attempt Password Guessing Anomaly
Azure AD Concurrent Sessions From Different Ips Browser Session Hijacking TTP
PingID New MFA Method Registered For User Device Registration, Multi-Factor Authentication, Multi-Factor Authentication Request Generation TTP
Detect AWS Console Login by User from New City Unused/Unsupported Cloud Regions, Cloud Accounts Hunting
AWS Multiple Users Failing To Authenticate From Ip Password Spraying, Credential Stuffing Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
AWS CloudTrail ConsoleLogin AWS icon AWS aws:cloudtrail aws_cloudtrail
Windows Event Log Security 4625 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Azure Active Directory Sign-in activity Azure icon Azure azure:monitor:aad Azure AD
Office 365 Universal Audit Log Other o365:management:activity o365
AWS CloudTrail AWS icon AWS aws:cloudtrail aws_cloudtrail
Azure Active Directory Azure icon Azure azure:monitor:aad Azure AD
AWS CloudTrail DeleteAccountPasswordPolicy AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail GetAccountPasswordPolicy AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail UpdateAccountPasswordPolicy AWS icon AWS aws:cloudtrail aws_cloudtrail
AWS CloudTrail DescribeEventAggregates AWS icon AWS aws:cloudtrail aws_cloudtrail
Azure Active Directory User registered security info Azure icon Azure azure:monitor:aad Azure AD
PingID Other XmlWinEventLog XmlWinEventLog:Security
ASL AWS CloudTrail AWS icon AWS aws:asl aws_asl
Windows Event Log Security 4624 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Azure Active Directory MicrosoftGraphActivityLogs Azure icon Azure azure:monitor:aad Azure AD
Azure Active Directory NonInteractiveUserSignInLogs Azure icon Azure azure:monitor:aad Azure AD
Cisco Secure Access Firewall Other cisco:cloud_security:firewall cisco_secure_access:firewall
Sysmon EventID 3 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References

Source: GitHub | Version: 2