Techniques
Sample rules
Successful SSH Authentication from Unusual SSH Public Key
- source: elastic
- techniques:
- T1078
Description
This rule leverages the new_terms rule type to detect successful SSH authentications via a public key that has not been seen in the last 10 days. Public key authentication is a secure method for authenticating users to a server, but a key fingerprint that first appears inside the history window can indicate a key that was added to an account by someone other than its owner. Monitoring unusual public key authentication events can help detect unauthorized access attempts or suspicious activity on the system. Two caveats for triage: the rule keys on novelty alone, so legitimate key rotation and newly onboarded users also fire it, and because the query requires event.outcome:success, a failed attempt with an unknown key is not covered by this rule.
Detection logic
event.category:authentication and host.os.type:linux and event.action:ssh_login and event.outcome:success and system.auth.ssh.method:publickey
Successful SSH Authentication from Unusual User
- source: elastic
- techniques:
- T1078
Description
This rule leverages the new_terms rule type to detect successful SSH authentications by a user name that has not authenticated successfully over SSH in the last 10 days. This behavior may indicate an attacker gaining access to the system with a valid account, for example a dormant or newly created user. Unlike the public key rule above, the query does not restrict the authentication method, so password and public key logins are both in scope; the novelty is evaluated on the user, not on the key.
Detection logic
event.category:authentication and host.os.type:linux and event.action:ssh_login and event.outcome:success
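The two rules above share one shape: a KQL filter on successful Linux SSH logins, and a new_terms evaluation that alerts when the tracked value (key fingerprint, or user name) has not been seen in the preceding 10 days. The following is an added example, not Elastic's rule implementation, that replays both over constructed sshd log lines. It parses the lines into flat ECS-style fields, applies each rule's filter, and runs a simplified new_terms check (a term is "new" if no matching event carried it within the 10-day window before the current event). Assumptions: the fingerprint is read from `system.auth.ssh.signature`, which is assumed here to hold the key fingerprint since the page does not name the rule's new_terms field; the log lines carry ISO timestamps for convenience and are constructed, not real telemetry.

```python
"""Replay the two Elastic new_terms SSH rules over constructed sshd log lines.

Added example; not Elastic's rule engine. The new_terms logic is a simplified
streaming approximation of the real rule type.
"""
import re
from datetime import datetime, timedelta, timezone

HISTORY_WINDOW = timedelta(days=10)  # new_terms history window used by both rules

# Constructed sshd lines (ISO timestamps for the demo; real syslog differs). Not real data.
RAW_LOG = """\
2024-03-01T08:00:00Z host1 sshd[1001]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:AAAA1111
2024-03-02T09:15:00Z host1 sshd[1002]: Accepted password for bob from 10.0.0.6 port 51235 ssh2
2024-03-05T10:00:00Z host1 sshd[1003]: Accepted publickey for alice from 10.0.0.5 port 51236 ssh2: ED25519 SHA256:AAAA1111
2024-03-06T11:00:00Z host1 sshd[1004]: Failed publickey for root from 203.0.113.9 port 40000 ssh2: RSA SHA256:EVIL9999
2024-03-07T12:00:00Z host1 sshd[1005]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2: RSA SHA256:BBBB2222
2024-03-16T13:00:00Z host1 sshd[1006]: Accepted publickey for alice from 10.0.0.5 port 51237 ssh2: ED25519 SHA256:AAAA1111
2024-03-21T14:00:00Z host1 sshd[1007]: Accepted password for carol from 10.0.0.7 port 51238 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?$"
)


def parse_sshd_line(line):
    """Map one sshd line onto flat ECS-style field names (dotted keys, an assumption for this demo)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts,
        "event.category": "authentication",
        "event.action": "ssh_login",
        "event.outcome": "success" if m["outcome"] == "Accepted" else "failure",
        "host.os.type": "linux",
        "host.name": m["host"],
        "user.name": m["user"],
        "source.ip": m["ip"],
        "system.auth.ssh.method": m["method"],
        "system.auth.ssh.signature": m["fingerprint"],  # assumed to carry the key fingerprint
    }


def load_events(raw=RAW_LOG):
    return [ev for ev in (parse_sshd_line(l) for l in raw.splitlines()) if ev]


def base_query(ev):
    """event.category:authentication and host.os.type:linux and event.action:ssh_login and event.outcome:success"""
    return (ev["event.category"] == "authentication" and ev["host.os.type"] == "linux"
            and ev["event.action"] == "ssh_login" and ev["event.outcome"] == "success")


def publickey_query(ev):
    """base query and system.auth.ssh.method:publickey"""
    return base_query(ev) and ev.get("system.auth.ssh.method") == "publickey"


def new_terms(events, query, term_field, window=HISTORY_WINDOW):
    """Alert on each matching event whose term value was not seen in a matching event within `window` before it."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not query(ev):
            continue  # events outside the KQL filter neither alert nor update history
        term = ev.get(term_field)
        if term is None:
            continue
        previous = last_seen.get(term)
        if previous is None or ev["@timestamp"] - previous > window:
            alerts.append({"date": ev["@timestamp"].date().isoformat(), "user": ev["user.name"],
                           "source_ip": ev["source.ip"], "term": term})
        last_seen[term] = ev["@timestamp"]
    return alerts


def unusual_public_key_alerts(events=None):
    return new_terms(load_events() if events is None else events, publickey_query, "system.auth.ssh.signature")


def unusual_user_alerts(events=None):
    return new_terms(load_events() if events is None else events, base_query, "user.name")


if __name__ == "__main__":
    for name, alerts in (("unusual public key", unusual_public_key_alerts()),
                         ("unusual user", unusual_user_alerts())):
        print(f"== {name} ==")
        for a in alerts:
            print(f"{a['date']} user={a['user']} src={a['source_ip']} term={a['term']}")
```

On the constructed input the public key rule fires three times (alice's first key, the new key from 203.0.113.9, and her original key again once it has been silent for more than 10 days), while the user rule fires only for first-time users alice, bob and carol. The failed attempt with SHA256:EVIL9999 never alerts under either rule because both queries require a successful outcome.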