SSH watched country login notice from Zeek

This rule is part of a beta feature. To learn more, contact Support.
Classification:

attack

Set up the zeek integration.

Goal

Detect the SSH watched country login notice.

Strategy

This rule monitors Zeek logs for the notice SSH::Watched_Country_Login. Zeek generates the notice when it observes an SSH login to or from a “watched” country, where the set of watched countries is defined by the SSH::watched_countries variable.
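As an added illustration of what the rule consumes (this is example code, not Datadog's rule logic or Zeek's own script), the following Python reads Zeek notice.log entries in JSON format, keeps only SSH::Watched_Country_Login notices, and labels each one as an inbound or outbound login so a responder can tell whether an external client reached an internal host or an internal host connected out. It assumes the notice's sub field carries the country code, uses a hypothetical LOCAL_NETS list in place of Zeek's Site::local_nets, and runs over constructed sample lines using documentation address ranges; a deliberately corrupt line is included to show that a malformed record is skipped rather than stopping the pass.

```python
import json
from ipaddress import ip_address, ip_network

# The Zeek notice this rule keys on (name taken from the rule text).
WATCHED_NOTE = "SSH::Watched_Country_Login"

# Assumption: the monitored site's internal ranges, standing in for Zeek's
# Site::local_nets. Used only to label the direction of the login.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample notice.log lines in Zeek's JSON output format. Addresses
# come from documentation ranges; none of this is real traffic.
SAMPLE_NOTICE_LOG = """\
{"ts":1700000000.1,"uid":"CAbc1","id.orig_h":"203.0.113.10","id.orig_p":51234,"id.resp_h":"10.0.0.5","id.resp_p":22,"note":"SSH::Watched_Country_Login","msg":"SSH login from watched country: RO","sub":"RO","src":"203.0.113.10","dst":"10.0.0.5","p":22,"actions":["Notice::ACTION_LOG"]}
{"ts":1700000001.2,"uid":"CAbc2","id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"198.51.100.9","id.resp_p":22,"note":"SSH::Watched_Country_Login","msg":"SSH login to watched country: RO","sub":"RO","src":"10.0.0.7","dst":"198.51.100.9","p":22,"actions":["Notice::ACTION_LOG"]}
{"ts":1700000002.3,"uid":"CAbc3","id.orig_h":"10.0.0.8","id.orig_p":40001,"id.resp_h":"10.0.0.5","id.resp_p":22,"note":"SSH::Password_Guessing","msg":"10.0.0.8 appears to be guessing SSH passwords","sub":"","src":"10.0.0.8","dst":"10.0.0.5","actions":["Notice::ACTION_LOG"]}
this line is corrupt and must be skipped rather than crash the pipeline
"""


def is_local(addr: str, local_nets=LOCAL_NETS) -> bool:
    """True if addr falls inside one of the configured internal ranges."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in local_nets)


def parse_notice_log(text: str):
    """Yield one dict per well-formed JSON notice line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            # A corrupt line should not take down the whole detection pass.
            continue
        if isinstance(rec, dict) and "note" in rec:
            yield rec


def watched_country_logins(text: str, local_nets=LOCAL_NETS) -> list:
    """Return one alert per SSH::Watched_Country_Login notice, with direction."""
    alerts = []
    for rec in parse_notice_log(text):
        if rec.get("note") != WATCHED_NOTE:
            continue
        orig, resp = rec.get("id.orig_h", ""), rec.get("id.resp_h", "")
        orig_local, resp_local = is_local(orig, local_nets), is_local(resp, local_nets)
        if resp_local and not orig_local:
            direction = "inbound"   # external client logging in to an internal host
        elif orig_local and not resp_local:
            direction = "outbound"  # internal host logging in to an external server
        else:
            direction = "unknown"   # both sides local, both external, or unparsable
        alerts.append({
            "ts": rec.get("ts"),
            "uid": rec.get("uid"),
            "client": orig,
            "server": resp,
            # Assumption: the sub field of this notice carries the country code.
            "country": rec.get("sub") or "unknown",
            "direction": direction,
            "msg": rec.get("msg", ""),
        })
    return alerts


def count_by_country(alerts: list) -> dict:
    """Tally alerts per watched country for a quick triage overview."""
    counts = {}
    for a in alerts:
        counts[a["country"]] = counts.get(a["country"], 0) + 1
    return counts


if __name__ == "__main__":
    found = watched_country_logins(SAMPLE_NOTICE_LOG)
    for a in found:
        print(f"{a['direction']:8s} {a['client']} -> {a['server']} "
              f"country={a['country']} uid={a['uid']}")
    print(count_by_country(found))
```

The uid in each alert is the Zeek connection identifier, which lets a responder pivot from the notice to the matching ssh.log and conn.log entries when working through the triage steps below.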

Triage and response

  1. Identify the owners of the host that has been accessed.
  2. Work with the team to determine whether this authentication was expected and legitimate.
  3. If it is determined that the activity is malicious:
    • Block the IP address, if it aligns with organization incident response processes.
    • Begin your organization’s incident response process and investigate.