security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Potential OpenSSH Backdoor Logging Activity (#4429)

Browse Source
This commit is contained in:
Ruben Groenewoud
2025-01-31 15:33:21 +01:00
committed by GitHub
parent 18dd9cb04a
commit b642c55680
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/credential_access_ssh_backdoor_log.toml
+2 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
min_stack_version = "8.13.0"
updated_date = "2025/01/24"
updated_date = "2025/01/29"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ enable unauthorized access or to log SSH credentials for exfiltration.
"""
false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "logs-endpoint.events.file-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential OpenSSH Backdoor Logging Activity"