SSH password guessing notice from Zeek

This rule is part of a beta feature. To learn more, contact Support.

Set up the zeek integration.

Goal

Detect the SSH password guesser notice.

Strategy

This rule monitors Zeek logs for the notice SSH::Password_Guessing. The notice is generated when a host exceeds the failed logins SSH::password_guesses_limit threshold.

Triage and response

  1. Identify the owners of the host that has been accessed.
  2. Work with the team to understand if this authentication was expected/legitimate.
  3. If it is determined that the activity is malicious:
    • Block the IP address, if it aligns with organization incident response processes.
    • Begin your organization’s incident response process and investigate.