name: AN-DET-03 Ground operator credential anomaly
details: |
  Detects anomalous authentication patterns on ground-station ACA (SVC:CP:Control Plane:09):
  impossible travel, off-hours sign-ins, new-geolocation patterns, anomalous user-agent or device
  fingerprint. Watches the operator credentials data store (AST:DA:Data:01) for indicators of
  credential compromise. Implements AN-DET:03.
author: ethicallyHackingSpace
severity: high
type: query
class: anomaly
status: stable
date: 2026-06-07
mitre-attack:
  - T1078
references:
  - https://attack.mitre.org/techniques/T1078/
tags:
  - meteorstorm.an-det.03
  - meteorstorm.tdm.svc-cp-control-plane-09
  - meteorstorm.tdm.ast-da-data-01
  - attack.credential-access
logsource:
  product: identity
  category: authentication
detection:
  selection_aca_target:
    target_application|contains: "ground.aca"
  selection_impossible_travel:
    distinct_geos_per_hour: ">=2"
  selection_off_hours:
    hour_of_day|not_in:
      - 8
      - 9
      - 10
      - 11
      - 12
      - 13
      - 14
      - 15
      - 16
      - 17
  selection_new_device:
    device_fingerprint|not_in_baseline: true
  condition: selection_aca_target and (selection_impossible_travel or (selection_off_hours and selection_new_device))
falsepositives:
  - Pre-arranged after-hours shift coverage
  - Mobile device re-enrolled within the past 24h
