SSH_Login_Brute_Force

ID: 100469

Description:

An aggregation rule that tracks failed login events in SSHD logs.

This rule triggers when the number of failed-login events in one (1) hour exceeds 3600. This indicates that the SSH server (hostname) may be the target of brute-force attempts, and it normally also means the SSH server is reachable on the network from the outside.

Notes: The corresponding rule SSH Login Accepted tracks successful logins.

Repository:
Group: SSHD
Type: event

Default Status:

Enabled

Tags:

SSH SSHD

Selector:

Query:

Filters:

Field MUST hit:
  @event_type     @sshd
  @sshd.result    failed
Field MUST NOT hit:
  (none)

Behavior Rule:

Key        Type    Behavior   Category
@source    asset   account    login

Risks:

Risks   Base Score   Dimension
(none)

Attributes:

Alias          Key
IP             @sshd.sip
Country        @sshd._ip.country
City           @sshd._ip.city
Organization   @sshd._ip.org
ISP            @sshd._ip.isp
Username       @sshd.user
Method         @sshd.method
Server         @source
Stream         @stream

Correlation Rules:

Aggregation:

Name         Window   Field   AggType   Match
BruteForce   1 hour           count     gt 3600
Risks: BANDWIDTH_ANOMALY
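As an added illustration, not part of the rule dump and not Fluency's own engine or query language, the stand-alone Python below re-implements the selector (@sshd.result MUST hit "failed") and the aggregation (count per @source over a one-hour window, trigger when gt 3600) on constructed syslog-style sshd lines. The log line format, the regex, the hostnames bastion01/internal02 and the addresses are assumptions; the field names mirror the rule's keys.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold and window as stated by the rule: count gt 3600 per 1 hour.
THRESHOLD = 3600
WINDOW = timedelta(hours=1)

# Constructed syslog-style sshd line (format is an assumption, not Fluency's parser):
# "2021-10-07T12:00:00 bastion01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<source>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<sip>\S+) port \d+"
)


def parse_sshd_line(line):
    """Map one raw line onto the field names the rule uses; None if it is not a login result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "@source": m["source"],                # Server key the rule aggregates on
        "@sshd.result": m["result"].lower(),   # "failed" / "accepted"
        "@sshd.method": m["method"],
        "@sshd.user": m["user"],
        "@sshd.sip": m["sip"],
    }


def failed_login_events(lines):
    """Selector: an sshd login-result event whose @sshd.result MUST hit 'failed'."""
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is not None and ev["@sshd.result"] == "failed":
            yield ev


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Aggregation: sliding one-hour count of failed logins per @source.

    Returns {source: {"count": n, "at": ts}} for each server whose count first
    exceeded the threshold, i.e. the moment the BruteForce aggregation would fire.
    """
    events = sorted(failed_login_events(lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    alerts = {}
    for ev in events:
        q = recent[ev["@source"]]
        q.append(ev["ts"])
        # Drop timestamps that have aged out of the window (q is never empty here).
        while ev["ts"] - q[0] >= window:
            q.popleft()
        if len(q) > threshold and ev["@source"] not in alerts:
            alerts[ev["@source"]] = {"count": len(q), "at": ev["ts"]}
    return alerts


def sample_lines():
    """Constructed input: 3601 failures against bastion01 within 30 minutes (two per
    second), five against internal02, one successful key login and one line the
    selector must ignore. Addresses are documentation ranges, not real hosts."""
    start = datetime(2021, 10, 7, 12, 0, 0)
    lines = []
    for i in range(3601):
        ts = (start + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{ts} bastion01 sshd[2101]: Failed password for invalid user admin "
                     f"from 203.0.113.5 port {40000 + i} ssh2")
    for i in range(5):
        ts = (start + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} internal02 sshd[977]: Failed password for root from 10.0.0.23 port 5100{i} ssh2")
    lines.append(f"{start.isoformat()} bastion01 sshd[2102]: Accepted publickey for deploy from 10.0.0.9 port 50000 ssh2")
    lines.append(f"{start.isoformat()} bastion01 sshd[2103]: Connection closed by 10.0.0.9 port 50000")
    return lines


if __name__ == "__main__":
    for source, hit in detect_brute_force(sample_lines()).items():
        print(f"SSH_Login_Brute_Force: {source} had {hit['count']} failed logins within 1h (at {hit['at']})")
```

The window is sliding rather than a fixed clock-hour bucket, so a burst that straddles an hour boundary is still counted; the five failures on internal02 stay well under the threshold and produce no alert, while the successful publickey login is excluded by the selector before it reaches the aggregation.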

History:

User                         Date
ho*d@fluencysecurity.com     2021 Oct 7 12:16:42 EDT

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)