security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
64caa8aedc7500d5c94de356a0d2da233a6c1070
blue-team-tools/rules/linux/lnx_susp_failed_logons_single_source.yml
T
Florian Roth b1446f9b87 Removed 'last' keyword from 'timeframe' fields
2017-02-28 17:52:40 +01:00

19 lines
536 B
YAML
Raw Blame History

title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
product: linux
service: syslog
detection:
selection:
log: auth
pam_user: not null
pam_rhost: not null
timeframe: 24h
condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
- Terminal servers
- Jump servers
- Workstations with frequently changing users
level: medium
Reference in New Issue View Git Blame Copy Permalink