
SSH_Login_Accepted

ID: 100030

Description:

A behavior rule that tracks successful SSH logins, by username, as timeline events.

This rule indicates the (first/new) occurrence of SSH login attempts on a particular machine, for User/ISP/Country. This rule also tracks the first time a particular authentication method is used.

Notes: The corresponding rules SSH Login Failed/Brute Force track failed logins.

Repository: Fluency
Group: SSHD
Type: event

Default Status:

Enabled

Tags:
 

Selector:

Query:

Filters:

Field MUST hit
@event_type @sshd
@sshd.result accepted
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@sshd.user username account login

Risks:

Risks Base Score Dimension
Timeline 0 -

Attributes:

Alias Key
IP @sshd.sip
Country @sshd._ip.country
City @sshd._ip.city
Organization @sshd._ip.org
ISP @sshd._ip.isp
Username @sshd.user
Method @sshd.method
Stream @stream
Server @source

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 20 days @sshd.user
  Risks: ML_NEW_USER
NewServer 20 days @source
  Risks: ML_NEW_ASSET
NewMethod 20 days @sshd.method
  Risks: ML_NEW_APP
NewISP 20 days @sshd._ip.isp
  Risks: SUSPICIOUS_GEO
NewCountry 30 days @sshd._ip.country
  Risks: ML_NEW_GEO_COUNTRY
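
Added example (not part of the rule dump and not Fluency's own code): a small Python model of the filter and the First Occurrence table above, run over constructed events. It assumes history is kept per behavior key (@sshd.user) and that a value counts as new when it has not been seen for that key within the window; the user, host and ISP names are made up.

```python
from datetime import datetime, timedelta

# First Occurrence table from the rule: (name, window in days, field, risk)
CHECKS = [
    ("NewUser", 20, "@sshd.user", "ML_NEW_USER"),
    ("NewServer", 20, "@source", "ML_NEW_ASSET"),
    ("NewMethod", 20, "@sshd.method", "ML_NEW_APP"),
    ("NewISP", 20, "@sshd._ip.isp", "SUSPICIOUS_GEO"),
    ("NewCountry", 30, "@sshd._ip.country", "ML_NEW_GEO_COUNTRY"),
]

def matches_filter(event):
    # "MUST hit" filters: @event_type is @sshd and @sshd.result is accepted
    return event.get("@event_type") == "@sshd" and event.get("@sshd.result") == "accepted"

class FirstOccurrenceTracker:
    """Assumed semantics: per behavior key (@sshd.user), a value is new when
    it was not seen for that key within the check's window."""
    def __init__(self):
        self.last_seen = {}  # (key, check name, value) -> time last seen

    def process(self, ts, event):
        if not matches_filter(event):
            return []  # failed logins belong to the Failed/Brute Force rules
        key, risks = event["@sshd.user"], []
        for name, days, field, risk in CHECKS:
            value = event.get(field)
            if value is None:
                continue
            slot = (key, name, value)
            prev = self.last_seen.get(slot)
            if prev is None or ts - prev > timedelta(days=days):
                risks.append(risk)
            self.last_seen[slot] = ts
        return risks

def ev(method, isp, country, result="accepted"):
    # Constructed sample event; user, host and ISP names are made up
    return {"@event_type": "@sshd", "@sshd.result": result, "@sshd.user": "alice",
            "@source": "web01", "@sshd.method": method,
            "@sshd._ip.isp": isp, "@sshd._ip.country": country}

def demo():
    t, d0 = FirstOccurrenceTracker(), datetime(2021, 10, 1)
    days = [(0, ev("publickey", "ExampleNet", "US")),
            (1, ev("publickey", "ExampleNet", "US")),
            (2, ev("password", "OtherNet", "DE")),
            (3, ev("password", "ThirdNet", "FR", result="failed")),
            (25, ev("publickey", "ExampleNet", "US"))]
    return [t.process(d0 + timedelta(days=d), e) for d, e in days]
```

On the last event the country is not flagged again because its window is 30 days, while the 20-day checks have all expired.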

History:

User Date
ho*d@fluencysecurity.com 2021 Oct 12 23:36:52 EDT
ho*d@fluencysecurity.com 2021 Oct 12 23:37:42 EDT
ho*d@fluencysecurity.com 2021 Oct 12 23:42:42 EDT
ho*d@fluencysecurity.com 2021 Oct 13 09:50:44 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)