sigma-rules/hunting/linux/docs/login_activity_by_source_address.md
Terrance DeJesus 70411664cf [Bug] Normalize Hunting Index Link Generation (#3872)
* normalizing hunting link generation

* replacing header

* adjusting quotes in f-strings

* added source file to metadata

* removed os dependency

* address bug in source file links

* reverting TOML loading

* change all List type hinting to list

* change all List type hinting to list

* fixed accented characters in queries

* reverted accent character removal; moved macos query and MD to macos folder
2024-07-10 11:01:59 -04:00


Logon Activity by Source IP


Metadata

  • Author: Elastic

  • Description: This hunt identifies unusual logon activity by source IP on Linux systems. It monitors authentication events, focusing on failed logon attempts from specific IP addresses. A high number of failed logon attempts combined with a low number of successful logons and multiple distinct usernames can indicate a potential brute force or credential stuffing attack.

  • UUID: 95c1467d-d566-4645-b5f1-37a4b0093bb6

  • Integration: endpoint

  • Language: [ES|QL]

  • Source File: Logon Activity by Source IP

Query

from logs-system.auth-*
| where @timestamp > now() - 7 day
| where host.os.type == "linux" and event.category == "authentication" and event.action in ("ssh_login", "user_login") and
  event.outcome in ("failure", "success") and source.ip IS NOT null and not CIDR_MATCH(source.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")
| eval failed = case(event.outcome == "failure", source.ip, null), success = case(event.outcome == "success", source.ip, null)
| stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(user.name) by source.ip
/* the thresholds below should be adjusted to your environment's logon patterns; keeping both outcomes in the filter above is what makes count_success non-zero */
| where count_failed >= 100 and count_success <= 10 and count_user >= 20

Notes

  • Monitors authentication events and counts failed and successful logon attempts by source IP address.
  • A high number of failed logon attempts combined with a low number of successful logons and multiple distinct usernames can indicate a potential brute force or credential stuffing attack.
  • The thresholds for failed attempts, successful logons, and distinct usernames should be adjusted based on the environment's normal logon patterns.
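To see what the query's filters and thresholds actually do before tuning them, the following Python script re-implements the same logic offline over a constructed set of authentication events. It is an added example, not part of the Elastic hunting rule or its repository: the event dicts, the helper names (aggregate_by_source, flag_sources, make_event, sample_events) and the sample IPs and usernames are all assumptions built for this illustration. It reproduces the CIDR exclusions, the 7-day window, the per-source counters and the three thresholds, and shows why a loopback source, an out-of-window source and a source that hammers only a few accounts are not flagged while a spraying source is.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Source ranges the ES|QL query excludes with CIDR_MATCH: loopback, link-local,
# multicast and the IPv6 loopback address.
EXCLUDED_NETWORKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1/128")
]
LOGON_ACTIONS = ("ssh_login", "user_login")


def is_excluded_source(ip_text):
    """Mirror the CIDR_MATCH exclusion; an address/network version mismatch never matches."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in EXCLUDED_NETWORKS)


def aggregate_by_source(events, now, window_days=7):
    """Apply the query's where-filters and return per-source-IP counters.

    Each event is a flat dict keyed like the ECS fields the query reads.
    Returns source.ip -> {"count_failed", "count_success", "users"} (assumed layout).
    """
    window_start = now - timedelta(days=window_days)
    stats = defaultdict(lambda: {"count_failed": 0, "count_success": 0, "users": set()})
    for ev in events:
        if ev["@timestamp"] <= window_start:
            continue
        if ev.get("host.os.type") != "linux" or ev.get("event.category") != "authentication":
            continue
        if ev.get("event.action") not in LOGON_ACTIONS:
            continue
        if ev.get("event.outcome") not in ("failure", "success"):
            continue
        src = ev.get("source.ip")
        if src is None or is_excluded_source(src):
            continue
        bucket = stats[src]
        if ev["event.outcome"] == "failure":
            bucket["count_failed"] += 1
        else:
            bucket["count_success"] += 1
        if ev.get("user.name") is not None:
            bucket["users"].add(ev["user.name"])  # count_distinct(user.name)
    return stats


def flag_sources(stats, min_failed=100, max_success=10, min_users=20):
    """The query's final threshold line; the three knobs are what you tune per environment."""
    return sorted(
        ip for ip, s in stats.items()
        if s["count_failed"] >= min_failed
        and s["count_success"] <= max_success
        and len(s["users"]) >= min_users
    )


def make_event(ts, src, user, outcome, action="ssh_login", os_type="linux"):
    """Build one constructed authentication event (not real log data)."""
    return {
        "@timestamp": ts, "host.os.type": os_type, "event.category": "authentication",
        "event.action": action, "event.outcome": outcome, "source.ip": src, "user.name": user,
    }


NOW = datetime(2024, 7, 10, 15, 0, tzinfo=timezone.utc)  # assumed "now" for the sample


def sample_events():
    """Constructed sample: one spraying source, one noisy-but-benign source,
    one loopback source and one source whose activity is outside the window."""
    t = NOW - timedelta(hours=1)
    events = []
    # 10.0.0.5: 120 failures spread over 30 usernames plus 2 successes -> flagged
    for i in range(120):
        events.append(make_event(t, "10.0.0.5", f"user{i % 30}", "failure"))
    events += [make_event(t, "10.0.0.5", "user1", "success")] * 2
    # 10.0.0.9: 150 failures but only 3 usernames (e.g. a broken service script) -> not flagged
    for i in range(150):
        events.append(make_event(t, "10.0.0.9", f"svc{i % 3}", "failure"))
    # 127.0.0.1: many local failures, dropped by the CIDR exclusion
    for i in range(200):
        events.append(make_event(t, "127.0.0.1", f"local{i}", "failure"))
    # 10.0.0.7: heavy activity, but 10 days ago, outside the 7-day window
    for i in range(200):
        events.append(make_event(NOW - timedelta(days=10), "10.0.0.7", f"old{i}", "failure"))
    return events


if __name__ == "__main__":
    print(flag_sources(aggregate_by_source(sample_events(), NOW)))  # ['10.0.0.5']
```

Running the script against your own exported events (any iterable of dicts with the same ECS keys) is a quick way to see how many sources each threshold removes before committing the values into the ES|QL query.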

MITRE ATT&CK Techniques

License

  • Elastic License v2