detecting-anomalous-authentication-patterns

# Detecting Anomalous Authentication Patterns ## When to Use - Security operations needs to identify compromised accounts from authentication log analysis - Implementing impossible travel detection to flag geographically inconsistent logins - Detecting brute force, password spraying, and credential stuffing attacks in real time - Building behavioral baselines for users to identify deviations indicating account compromise - Correlating authentication anomalies with threat intelligence for lateral movement detection - Investigating alerts from SIEM or IdP for suspicious sign-in activity **Do not use** for static rule-based alerting on single failed logins; anomaly detection requires statistical baselines across time and entity dimensions to reduce false positives. ## Prerequisites - Authentication log sources (Azure AD/Entra ID sign-in logs, Okta system logs, Active Directory event logs 4624/4625/4648/4768/4771) - SIEM platform (Splunk, Microsoft Sentinel, Elastic SIEM) with at least 90 days of baseline data - GeoIP database for location-based anomaly detection (MaxMind GeoLite2 or IP2Location) - Python 3.9+ with pandas, scikit-learn, and scipy for custom analytics - User identity context (department, role, typical work hours, location) ## Workflow ### Step 1: Collect and Normalize Authentication Logs Aggregate authentication events from all identity sources: ```python import pandas as pd import json from datetime import datetime, timedelta from collections import defa...