Ruben Groenewoud
31 lines
1.8 KiB
TOML
31 lines
1.8 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
description = """
|
|
This hunt identifies unusual logon activity by source IP on Linux systems. It monitors authentication events, focusing on failed logon attempts from specific IP addresses. A high number of failed logon attempts combined with a low number of successful logons and multiple distinct usernames can indicate a potential brute force or credential stuffing attack.
|
|
"""
|
|
integration = ["endpoint"]
|
|
uuid = "95c1467d-d566-4645-b5f1-37a4b0093bb6"
|
|
name = "Logon Activity by Source IP"
|
|
language = ["ES|QL"]
|
|
license = "Elastic License v2"
|
|
notes = [
|
|
"Monitors authentication events and counts failed and successful logon attempts by source IP address.",
|
|
"A high number of failed logon attempts combined with a low number of successful logons and multiple distinct usernames can indicate a potential brute force or credential stuffing attack.",
|
|
"The thresholds for failed attempts, successful logons, and distinct usernames should be adjusted based on the environment's normal logon patterns."
|
|
]
|
|
mitre = ["T1110", "T1078"]
|
|
query = [
|
|
'''
|
|
from logs-system.auth-*
|
|
| mv_expand event.category
|
|
| where @timestamp > now() - 7 day
|
|
| where host.os.type == "linux" and event.category == "authentication" and event.action in ("ssh_login", "user_login") and
|
|
event.outcome in ("failure", "success") and source.ip is not null and
|
|
not CIDR_MATCH(source.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")
|
|
| eval failed = case(event.outcome == "failure", source.ip, null), success = case(event.outcome == "success", source.ip, null)
|
|
| stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(user.name) by source.ip
|
|
/* below threshold should be adjusted to your env logon patterns */
|
|
| where count_failed >= 100 and count_user >= 20
|
|
'''
|
|
]
|