security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add investigation guides (#2326)

Browse Source
This commit is contained in:
shashank-elastic
2022-09-23 20:18:48 +05:30
committed by GitHub
parent ca0e4ac72a
commit 2f062ecf84
3 changed files with 106 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
+35 -1
View File
@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/14"
updated_date = "2022/09/23"
[rule]
author = ["Elastic"]
@@ -17,6 +17,40 @@ index = ["auditbeat-*", "logs-system.auth-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential SSH Brute Force Detected"
note = """## Triage and analysis
### Investigating Potential SSH Brute Force Attack
The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the
same target host indicating brute force login attempts.
#### Possible investigation steps
- Investigate the login failure user name(s).
- Investigate the source IP address of the failed ssh login attempt(s).
- Investigate other alerts associated with the user/host during the past 48 hours.
- Identify the source and the target computer and their roles in the IT environment.
### False positive analysis
- Authentication misconfiguration or obsolete credentials.
- Service account password expired.
- Infrastructure or availability issue.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified.
- Reset passwords for these accounts and other potentially compromised credentials.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb"
severity = "medium"