LoFP / This rule may trigger where a user has a routine work pattern that results in infrequent authentications, so a legitimate return after a long gap looks like a new term.

Techniques

Sample rules

Successful SSH Authentication from Unusual SSH Public Key

Description

This rule leverages the new_terms rule type to detect successful SSH authentications via a public key that has not been seen in the last 10 days. Public key authentication is a secure method for authenticating users to a server. Monitoring unusual public key authentication events can help detect unauthorized access attempts or suspicious activity on the system.

Detection logic

event.category:authentication and host.os.type:linux and event.action:ssh_login and event.outcome:success and system.auth.ssh.method:publickey

Successful SSH Authentication from Unusual User

Description

This rule leverages the new_terms rule type to detect successful SSH authentications by a user who has not been authenticated in the last 10 days. This behavior may indicate an attacker attempting to gain access to the system using a valid account.

Detection logic

event.category:authentication and host.os.type:linux and event.action:ssh_login and event.outcome:success
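Both rules above share the same new_terms mechanics and differ only in the field the lookback is keyed on (user name, or the public key). The following is an added example, not code from the page or from Elastic, that replays that logic over constructed events: it applies the rule's field filters, then alerts when the term value has not appeared in any matching event during the preceding 10 days. The fingerprint field name and the event data are assumptions; the final carol event also shows the infrequent-user false positive noted at the top of the page.

```python
from datetime import datetime, timedelta

# Filters from the page's detection logic, expressed as field/value pairs.
SSH_SUCCESS = {"event.category": "authentication", "host.os.type": "linux",
               "event.action": "ssh_login", "event.outcome": "success"}
PUBKEY_ONLY = {**SSH_SUCCESS, "system.auth.ssh.method": "publickey"}
# Assumed field name for the key fingerprint; the page does not name the field.
KEY_FIELD = "system.auth.ssh.public_key_fingerprint"

def _event(ts, user, method, key=None):
    """Build a constructed, flattened ECS-style SSH login event (sample data, not real logs)."""
    e = {**SSH_SUCCESS, "@timestamp": ts, "user.name": user, "system.auth.ssh.method": method}
    if key:
        e[KEY_FIELD] = key
    return e

SAMPLE_EVENTS = [
    _event("2024-03-01T08:00:00Z", "alice", "publickey", "SHA256:keyA"),
    _event("2024-03-02T08:05:00Z", "alice", "publickey", "SHA256:keyA"),
    _event("2024-03-05T09:00:00Z", "bob", "password"),                      # excluded by the publickey rule
    _event("2024-03-06T07:30:00Z", "carol", "publickey", "SHA256:keyC"),
    _event("2024-03-10T08:00:00Z", "alice", "publickey", "SHA256:keyB"),  # known user, new key
    _event("2024-03-20T07:45:00Z", "carol", "publickey", "SHA256:keyC"),  # 14 days since carol's last login
]

def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))

def new_term_alerts(events, term_field, filters, history_days=10):
    """Return (timestamp, term) pairs for filtered events whose term value was not seen
    in any other filtered event during the preceding history_days window."""
    matching = sorted((e for e in events if all(e.get(k) == v for k, v in filters.items())), key=_ts)
    last_seen = {}  # term value -> timestamp of its most recent matching event
    alerts = []
    for e in matching:
        term = e.get(term_field)
        if term is None:
            continue
        now = _ts(e)
        prev = last_seen.get(term)
        if prev is None or now - prev > timedelta(days=history_days):
            alerts.append((e["@timestamp"], term))
        last_seen[term] = now
    return alerts

if __name__ == "__main__":
    for label, field, filters in (("unusual user", "user.name", SSH_SUCCESS),
                                  ("unusual key", KEY_FIELD, PUBKEY_ONLY)):
        print(label, new_term_alerts(SAMPLE_EVENTS, field, filters))
```

Tuning history_days upward, or pairing the rule with a list of known infrequent accounts, is the usual way to trim the repeat alert on carol without losing the alert on bob or on alice's new key.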