blue-team-tools/linux/susp_failed_logons_single_source.yml
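# Sigma-style detection rule: several different accounts failing PAM
# authentication from one remote host inside the stated timeframe.
# Indentation restored so that `selection`, `timeframe` and `condition`
# nest under `detection` as the rule grammar requires.
title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
detection:
  selection:
    # One auth-log event pattern; both the attempted user and the source host
    # must be present. 'not null' is quoted so no YAML reader mistakes it for
    # a null value - the rule engine is expected to interpret the string.
    - log: auth
      pam_user: 'not null'
      pam_rhost: 'not null'
  # Aggregation window applied to the count in `condition`.
  timeframe: last 24h
  # Alerts when more than 3 pam_user values are observed for a single pam_rhost
  # (presumably distinct users - confirm against the consuming backend).
  condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
  - Terminal servers
  - Jump servers
  - Workstations with frequently changing users
# NOTE(review): numeric severity; confirm the consuming converter accepts
# a number here rather than a named level.
level: 40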