API

SSH login by password guesser from Zeek

Docs > Datadog Security > OOTB Rules > SSH login by password guesser from Zeek

This rule is part of a beta feature. To learn more, contact Support.

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the zeek integration.

Goal

Detect the SSH login by password guesser notice.

Strategy

This rule monitors Zeek logs for the notice SSH::Login_By_Password_Guesser. The notice is generated if a successful login attempt is detected for a host that has been previously identified as a “password guesser”.

Triage and response

Identify the owners of the host that has been accessed.
Work with the team to understand if this authentication was expected/legitimate.
If it is determined that the activity is malicious:
- Block the IP address, if it aligns with organization incident response processes.
- Begin your organization’s incident response process and investigate.