security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
64caa8aedc7500d5c94de356a0d2da233a6c1070
blue-team-tools/rules/linux/lnx_susp_failed_logons_single_source.yml
T

19 lines
536 B
YAML
Raw Normal View History

Replicated 'susp_failed_logons_single_source' to Linux.
2017-01-11 00:26:22 +01:00
title: Multiple Failed Logins with Different Accounts from Single Source System
Levels to low, medium, high, critical
2017-02-16 18:02:26 +01:00
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
product: linux
service: syslog
Replicated 'susp_failed_logons_single_source' to Linux.
2017-01-11 00:26:22 +01:00
detection:
selection:
Rule review and cleanup
2017-02-15 23:53:08 +01:00
log: auth
pam_user: not null
pam_rhost: not null
Removed 'last' keyword from 'timeframe' fields
2017-02-28 17:52:40 +01:00
timeframe: 24h
Replicated 'susp_failed_logons_single_source' to Linux.
2017-01-11 00:26:22 +01:00
condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
- Terminal servers
- Jump servers
- Workstations with frequently changing users
Levels to low, medium, high, critical
2017-02-16 18:02:26 +01:00
level: medium
Reference in New Issue Copy Permalink