User Login Baseline ESA Rule

This rule detects user accounts suspected of misuse due to credential compromise or a malicious insider. The user account is suspicious due to unusual login activity within the organization. Login activity by user is stored and a score is calculated. When that score is higher than a configurable threshold and the number of unique devices being logged into is unusual, then an alert is generated. The rule is supported on RSA NetWitness Platform versions 11.1 and later, since it uses the Context Hub lists feature for ESA within that release.

What is considered a logon event?

Each log parser supported within RSA Live has event categorization tags added for each log message with logon activity, so a normalized query may be created across sources. The rule may be limited to the device classes of interest. By default, all device classes are captured by the rule and may be customized for the customer environment.

The meta keys and values used within the rule for successful and failed logons are as follows:


ec_activity = 'Logon' AND ec_outcome = 'Success'


ec_activity = 'Logon' AND ec_outcome = 'Failure'

How is the baseline calculated?

The number of successful and failed logons are stored per user in separate profiles. The baseline is defined as the number of days to store user activity in order to compare against the current day’s user logon activity. It’s recommended to store at least one week of logon activity for users, but this is configurable within the rule’s parameters.

Once the number of baseline days has been reached for a user, a score is calculated for each incoming login event of that user. The score is calculated as the current day’s cumulative login count minus the user’s login average, and then divided by the user’s standard deviation. The number of successful and failed logins are separately calculated and alerted.

Score = (LastCount – Average) / Standard Deviation

This score is then normalized on a scale from 0 to 100 to make it easier to configure the triggering score within the rule.

How can I tune the Rule?

After the rule has been downloaded into the ESA Rules library, you can open the rule and review the Parameters list.


Parameters List:

  • Blacklist of device class. By default, each device class supported by RSA that outputs the normalized meta and values for login success and failure are listed.
  • Maximum average for user login activity. By default, this is 150 user logins over the length of the baseline. This setting eliminates matches to automated processes or bots performing logins.
  • Maximum login count. By default, this is 300 user logins over the last 24 hours. This setting eliminates matches to automated processes or bots performing logins.
  • Minimum average for user login activity. By default, this is an average of 3 user logins over the length of the baseline. This setting should help eliminate false positives due to a low user login history.
  • Name of the CH list for user whitelist. By default, the CH list is named User_Whitelist. You have to add users to the default User_Whitelist CH list or replace the default CH list with the name of a custom CH user whitelist. For a list of out of the box CH lists and how to create and update them, refer to Context Hub Lists in ESA Rules.
  • Number of days to baseline user login activity. By default, the rule will store user login activity for 7 days.

What information is within the alert?

An alert is generated per user with the alert name of User Login Baseline. The number of alerts allowed per user depends on the value you have configured within the rule parameters for Time in minutes to suppress alerts. By default, you should only receive at most one alert per user per day.


Drilling down into the Event Details, you can see within the Raw Alert which login activity generated the alert—either success or failed logins—by looking at the detail attribute. The Raw Alert will also have populated information for ‘score’, ‘lastcount’, ‘totallogins’, ‘stddev’, ‘average’, and ‘devicecount’.


You can directly add to the User_Whitelist Context Hub list (or a custom one you’ve configured for the rule) by right-clicking on the Username within the Event Details.


Select Add/Remove from List.


For more details, see Context Hub Lists in ESA Rules.

How can I see overall activity for a particular user?

If you have the Incident Rule for User Behavior enabled, all activity for a user—including history for the User Login Baseline rule—can be viewed within the Respond Incident workflow.