name: AN-DET-00 Anomalous console authentication
details: |
  Detects anomalous authentication events against satellite operator console workstations
  (AST:HW:Hardware:04, SVC:CP:Control Plane:13 console-ops). Flags brute-force, password-spray,
  impossible-travel and unknown-source patterns against accounts authorized to operate the satellite
  console. Implements AN-DET:00 from the METEORSTORM AN-DET layer.
author: ethicallyHackingSpace
severity: high
type: query
class: anomaly
status: stable
date: 2026-06-07
mitre-attack:
  - T1110
  - T1078
references:
  - https://attack.mitre.org/techniques/T1110/
  - https://attack.mitre.org/techniques/T1078/
  - https://github.com/MISP/misp-taxonomies/tree/main/meteorstorm
tags:
  - meteorstorm.an-det.00
  - meteorstorm.tdm.ast-hw-hardware-04
  - meteorstorm.tdm.svc-cp-control-plane-13
  - attack.credential-access
  - attack.initial-access
logsource:
  product: identity
  category: authentication
detection:
  selection_console_target:
    target_application|contains:
      - "satellite-console"
      - "sat-console"
      - "console.ops"
  selection_failure_burst:
    event_name|contains: "failed"
    user_account|count: ">=10"
    timeframe: "5m"
  selection_impossible_travel:
    event_name|contains: "success"
    user_account|distinct_geos: ">=2"
    timeframe: "1h"
  selection_unknown_source:
    src_ip|not_in_baseline: true
  condition: selection_console_target and (selection_failure_burst or selection_impossible_travel or selection_unknown_source)
falsepositives:
  - Legitimate operator on travel with prior notification
  - Authorized red-team exercise
