Anomalous failed SSH authentication attempts by a single IP address

This rule is part of a beta feature. To learn more, contact Support.

Set up the Zeek integration.

Goal

Detect when an anomalous number of failed SSH authentication attempts have been made by a single IP address.

Strategy

This rule monitors Zeek SSH logs and triggers when a single IP address makes an anomalous number of failed SSH authentication attempts. Attackers may try to brute-force access to a server to gain direct or lateral access to a victim’s environment.

Triage and response

  1. Verify whether the client IP {{@network.client.ip}} is internal or external.
  2. For internal IPs, identify the corresponding host and collaborate with the owner to investigate any host-based alerts, addressing potential compromises.
  3. For external IPs, assess the IP address reputation, specifically looking for associations with SSH-based attacks, and determine if the destination host should be accessible via external IPs over SSH.
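
The following is an added example, not the rule's own query or code from the vendor: it shows one way to reproduce the Strategy and the first triage step offline against Zeek ssh.log records in JSON form. Assumptions: a median plus k times MAD threshold stands in for the rule's unspecified anomaly method, the RFC 1918 ranges stand in for "internal", and all sample records are constructed.

```python
import ipaddress
import json
from collections import Counter
from statistics import median

# Assumption: RFC 1918 ranges stand in for "internal"; use your own inventory.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _rec(src, ok, attempts=1):
    """Build one constructed Zeek ssh.log JSON line (sample data, not real traffic)."""
    rec = {"id.orig_h": src, "id.resp_h": "10.0.0.5", "auth_attempts": attempts}
    if ok is not None:          # Zeek omits auth_success when it cannot tell
        rec["auth_success"] = ok
    return json.dumps(rec)

SAMPLE_LOG = ([_rec("203.0.113.7", False, 6)] * 8 +
              [_rec("10.0.0.21", False, 2), _rec("10.0.0.22", False, 1),
               _rec("10.0.0.23", True), _rec("198.51.100.9", False, 3),
               _rec("10.0.0.24", None)])

def failed_attempts_by_source(lines):
    """Sum failed SSH auth attempts per client IP; undetermined results are ignored."""
    failed = Counter()
    for line in lines:
        rec = json.loads(line)
        src = rec["id.orig_h"]
        failed[src] += 0                      # keep quiet sources in the baseline
        if rec.get("auth_success") is False:
            failed[src] += rec.get("auth_attempts", 1)
    return failed

def anomalous_sources(failed, k=5):
    """Flag sources above median + k * MAD of the per-source failure counts."""
    counts = list(failed.values())
    med = median(counts)
    mad = max(median(abs(c - med) for c in counts), 1)   # floor of 1 when MAD is ~0
    return {src: n for src, n in failed.items() if n > med + k * mad}

def is_internal(ip):
    """Triage step 1: is the client IP inside the assumed internal ranges?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

if __name__ == "__main__":
    for src, n in anomalous_sources(failed_attempts_by_source(SAMPLE_LOG)).items():
        print(src, n, "internal" if is_internal(src) else "external")
```

A record without auth_success is treated as undetermined rather than failed, so it adds the source to the baseline without inflating its failure count.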