Linux rule to detect potential ssh brute force attack (#2291)

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/linux/credential_access_bruteforce_passowrd_guessing.toml

@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2022/09/14"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/09/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt
+to login into multiple users with a common or known password to gain access to accounts.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-system.auth-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential SSH Password Spraying"
+risk_score = 47
+rule_id = "8cb84371-d053-4f4f-bce0-c74990e28f28"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+type = "eql"
+query = '''
+sequence by host.id, source.ip, user.name with maxspan=3s
+  [authentication where event.action  in ("ssh_login", "user_login") and
+   event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=2
+
+  [authentication where event.action  in ("ssh_login", "user_login") and
+   event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/linux/credential_access_potential_linux_ssh_bruteforce.toml

@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2022/09/14"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/09/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies multiple consecutive login failures targeting an user account from the same source address and within a
+short time interval. Adversaries will often brute force login attempts across multiple users with a common or known
+password, in an attempt to gain access to accounts.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-system.auth-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential SSH Brute Force Detected"
+risk_score = 47
+rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+type = "eql"
+query = '''
+sequence by host.id, source.ip, user.name with maxspan=10s
+  [authentication where event.action  in ("ssh_login", "user_login") and
+   event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2022/09/14"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/09/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies multiple consecutive login failures targeting a root user account from the same source address and within a
+short time interval. Adversaries will often brute force login attempts on privileged accounts with a common or known
+password, in an attempt to gain privileged access to systems.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-system.auth-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential SSH Brute Force Detected on Privileged Account"
+risk_score = 73
+rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+type = "eql"
+query = '''
+sequence by host.id, source.ip with maxspan=10s
+  [authentication where event.action  in ("ssh_login", "user_login") and
+   event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and
+   source.ip != "::" and  user.name in ("*root*" , "*admin*")] with runs=3
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+