SSH_Login_Accepted
ID: 100030
Description:
A behavior rule to track occurrences of SSH successful login, by username, as timeline events.
This rule indicates the (first/new) occurrence of SSH login attempts on a particular machine, for User/ISP/Country. This rule also tracks the first time a particular authentication method is used.
Notes: Corresponding rules SSH Login Failed/Brute Force tracks failed login
Repository: Fluency Group: SSHD Type: event
Default Status:
Enabled
Tags: |
---|
Selector:
Query:
Filters:
Field | MUST hit |
---|---|
@event_type | @sshd |
@sshd.result | accepted |
Field | MUST NOT hit |
---|---|
Behavior Rule:
Key | Type | Behavior Category |
---|---|---|
@sshd.user | username | account login |
Risks:
Risks | Base Score | Dimension |
---|---|---|
Timeline | 0 | - |
Attributes:
Alias | Key |
---|---|
IP | @sshd.sip |
Country | @sshd._ip.country |
City | @sshd._ip.city |
Organization | @sshd._ip.org |
ISP | @sshd._ip.isp |
Username | @sshd.user |
Method | @sshd.method |
Stream | @stream |
Server | @source |
Correlation Rules:
First Occurrence:
Name | Window | Fields |
---|---|---|
NewUser | 20 days | @sshd.user |
Risks: | ML_NEW_USER | |
NewServer | 20 days | @source |
Risks: | ML_NEW_ASSET | |
NewMethod | 20 days | @sshd.method |
Risks: | ML_NEW_APP | |
NewISP | 20 days | @sshd._ip.isp |
Risks: | SUSPICIOUS_GEO | |
NewCountry | 30 days | @sshd._ip.country |
Risks: | ML_NEW_GEO_COUNTRY |
History:
User | Date |
---|---|
ho*d@fluencysecurity.com | 2021 Oct 12 23:36:52 EDT |
ho*d@fluencysecurity.com | 2021 Oct 12 23:37:42 EDT |
ho*d@fluencysecurity.com | 2021 Oct 12 23:42:42 EDT |
ho*d@fluencysecurity.com | 2021 Oct 13 09:50:44 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)