Analytics Story: Compromised User Account

Description

Monitor for activities and techniques associated with Compromised User Account attacks.

Why it matters

A compromised user account occurs when cybercriminals gain unauthorized access to an account using techniques such as brute force, social engineering, phishing and spear phishing, or credential stuffing. By posing as the real user, cybercriminals can change account details, send phishing emails, steal financial information or other sensitive data, or use stolen information to access further accounts within the organization. This analytic story groups detections that help security operations teams identify the potential signs of compromised user accounts.

Detections

Name | Technique | Type
Detect Password Spray Attempts | Password Spraying | TTP
O365 SharePoint Suspicious Search Behavior | Sharepoint, Unsecured Credentials | Anomaly
AWS Password Policy Changes | Password Policy Discovery | Hunting
Detect AWS Console Login by User from New Country | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting
Detect AWS Console Login by User from New City | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting
Azure AD Service Principal Enumeration | Cloud Account, Cloud Service Discovery | TTP
PingID Mismatch Auth Source and Verification Response | Device Registration, Multi-Factor Authentication, Multi-Factor Authentication Request Generation | TTP
PingID Multiple Failed MFA Requests For User | Valid Accounts, Brute Force, Multi-Factor Authentication Request Generation | TTP
Windows Remote Desktop Network Bruteforce Attempt | Password Guessing | Anomaly
AWS Multiple Users Failing To Authenticate From Ip | Password Spraying, Credential Stuffing | Anomaly
AWS Successful Console Authentication From Multiple IPs | Unused/Unsupported Cloud Regions, Compromise Accounts | Anomaly
Detect Distributed Password Spray Attempts | Password Spraying | Hunting
AWS Console Login Failed During MFA Challenge | Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
PingID New MFA Method After Credential Reset | Device Registration, Multi-Factor Authentication, Multi-Factor Authentication Request Generation | TTP
Detect Password Spray Attack Behavior On User | Password Spraying | TTP
PingID New MFA Method Registered For User | Device Registration, Multi-Factor Authentication, Multi-Factor Authentication Request Generation | TTP
AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
Detect Password Spray Attack Behavior From Source | Password Spraying | TTP
ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly
O365 Email Suspicious Search Behavior | Remote Email Collection, Unsecured Credentials | Anomaly
Azure AD AzureHound UserAgent Detected | Cloud Account, Cloud Service Discovery | TTP
Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
Azure AD New MFA Method Registered For User | Multi-Factor Authentication | TTP
AWS High Number Of Failed Authentications For User | Password Policy Discovery | Anomaly
Detect AWS Console Login by User from New Region | Unused/Unsupported Cloud Regions, Cloud Accounts | Hunting
Azure AD Successful Authentication From Different Ips | Password Guessing, Password Spraying | TTP
Azure AD High Number Of Failed Authentications For User | Password Guessing | TTP
Azure AD High Number Of Failed Authentications From Ip | Password Guessing, Password Spraying | TTP
AWS High Number Of Failed Authentications From Ip | Password Spraying, Credential Stuffing | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Windows Event Log Security 4625 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Office 365 Universal Audit Log | Other | o365:management:activity | o365
AWS CloudTrail DeleteAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail GetAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail UpdateAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail
AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail
Azure Active Directory MicrosoftGraphActivityLogs | Azure | azure:monitor:aad | Azure AD
PingID | Other | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Secure Access Firewall | Other | cisco:cloud_security:firewall | cisco_secure_access:firewall
AWS CloudTrail ConsoleLogin | AWS | aws:cloudtrail | aws_cloudtrail
Azure Active Directory Sign-in activity | Azure | azure:monitor:aad | Azure AD
Windows Event Log Security 4624 | Windows | XmlWinEventLog | XmlWinEventLog:Security
AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail
ASL AWS CloudTrail | AWS | aws:asl | aws_asl
Azure Active Directory NonInteractiveUserSignInLogs | Azure | azure:monitor:aad | Azure AD
Azure Active Directory | Azure | azure:monitor:aad | Azure AD
Azure Active Directory User registered security info | Azure | azure:monitor:aad | Azure AD

Source: GitHub | Version: 2