Techniques
Sample rules
Bitbucket User Login Failure
- source: sigma
- techniques:
  - t1078
  - t1078.004
  - t1110
Description
Detects user authentication failure events. Note that this rule can be noisy; it is recommended to use it with correlation based on the “author.name” field.
Detection logic
condition: selection
selection:
  auditType.action: User login failed
  auditType.category: Authentication
Bitbucket User Login Failure Via SSH
- source: sigma
- techniques:
  - t1021
  - t1021.004
  - t1110
Description
Detects SSH user login access failures. Note that this rule can be noisy; it is recommended to use it with correlation based on the “author.name” field.
Detection logic
condition: selection
selection:
  auditType.action: User login failed(SSH)
  auditType.category: Authentication
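
Both rules recommend correlating on “author.name” to cut noise. The following is an added example, not part of the Sigma rules: a sliding-window count of matching failures per author.name over constructed events. The nested event layout, the `timestamp` field, the 5-minute window, the threshold of 5, and counting both rules' actions together are assumptions to adapt to your pipeline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions matched by the two rules above; both share the Authentication category.
FAILED_ACTIONS = {"User login failed", "User login failed(SSH)"}
WINDOW = timedelta(minutes=5)  # assumption: tune per environment
THRESHOLD = 5                  # assumption: failures per author within WINDOW

def field(event, dotted):
    """Resolve a Sigma-style dotted field name against a nested event dict."""
    for key in dotted.split("."):
        event = event.get(key, {}) if isinstance(event, dict) else {}
    return event or None

def matches(event):
    """Apply the selection of either rule to one audit event."""
    return (field(event, "auditType.category") == "Authentication"
            and field(event, "auditType.action") in FAILED_ACTIONS)

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert each time an author.name reaches threshold failures in window."""
    recent = defaultdict(deque)
    alerts = []
    parsed = [(datetime.fromisoformat(e["timestamp"]), e) for e in events if matches(e)]
    for ts, event in sorted(parsed, key=lambda pair: pair[0]):
        name = field(event, "author.name") or "<unknown>"
        seen = recent[name]
        seen.append(ts)
        while ts - seen[0] > window:  # drop failures older than the window
            seen.popleft()
        if len(seen) >= threshold:
            alerts.append({"author": name, "count": len(seen), "first": seen[0], "last": ts})
            seen.clear()  # reset so one burst yields one alert
    return alerts

def make_event(ts, name, action, category="Authentication"):
    """Build a constructed audit event in the assumed nested layout."""
    return {"timestamp": ts, "author": {"name": name},
            "auditType": {"action": action, "category": category}}

# Constructed sample: alice bursts, bob fails twice 20 minutes apart, carol does not match.
SAMPLE = [make_event(f"2024-01-01T10:00:{s:02d}", "alice", "User login failed")
          for s in range(0, 50, 10)] + [
    make_event("2024-01-01T10:00:05", "bob", "User login failed(SSH)"),
    make_event("2024-01-01T10:20:00", "bob", "User login failed(SSH)"),
    make_event("2024-01-01T10:00:07", "carol", "constructed non-matching action"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```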