SSH_Root_Login_Accepted_External
ID: 100482
Description:
A behavior rule to track occurrences of SSH successful login, by hostname from external (public) IP addresses
This rule also indicates the (first/new) occurrence of SSH login attempts on a particular machine, for the root user from ISP/Country. This rule also tracks the first time a particular hostname or authentication method is used.
Notes:
- @sshd.sip is not in HOME_NET entity list
- Corresponding rule SSH_Root_Login_Accepted_Internal to track internal root SSH login
Repository: Group: SSHD Type: event
Default Status:
Enabled
| Tags: |
|---|
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @event_type | @sshd |
| @sshd.result | accepted |
| @sshd.user | root |
| Field | MUST NOT hit |
|---|---|
| @sshd.sip | entity: [ HOME_NET ] |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @source | asset | account login |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_END_POINT | 800 | alert |
| ALERT_NORMAL | 100 | alert |
Attributes:
| Alias | Key |
|---|---|
| IP | @sshd.sip |
| Country | @sshd._ip.country |
| City | @sshd._ip.city |
| Organization | @sshd._ip.org |
| ISP | @sshd._ip.isp |
| Username | @sshd.user |
| Method | @sshd.method |
| Stream | @stream |
| Server | @source |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewServer | 20 days | @source |
| Risks: | ML_NEW_ASSET | |
| NewMethod | 20 days | @sshd.method |
| Risks: | ML_NEW_APP | |
| NewISP | 20 days | @sshd._ip.isp |
| Risks: | SUSPICIOUS_GEO | |
| NewCountry | 30 days | @sshd._ip.country |
| Risks: | ML_NEW_GEO_COUNTRY |
History:
| User | Date |
|---|---|
| ho*d@fluencysecurity.com | 2021 Nov 29 11:41:48 EST |
| ho*d@fluencysecurity.com | 2021 Nov 29 11:46:39 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)