IDH - Import & Enables Plays

salt/idh/plays/idh_ftp.yml

@@ -0,0 +1,17 @@
+title: SO IDH - FTP Login Attempt
+id: d2d82069-30a7-4ac3-b584-ba696fbc24fd
+status: experimental
+description: Detects when the FTP service on a SO IDH node has had a login attempt.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+    - 2000
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical

salt/idh/plays/idh_httpproxy.yml

@@ -0,0 +1,17 @@
+title: SO IDH - HTTP Proxy Attempted Proxy
+id: 6722bba8-5713-4463-b3ab-8432224928c2
+status: experimental
+description: Detects when the HTTP Proxy service on a SO IDH node has had a proxy attempt.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+    - 2000
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical

salt/idh/plays/idh_ssh.yml

@@ -1,6 +1,7 @@
-title: SO IDH - SSH Accessed
+title: SO IDH - SSH Login Attempt
+id: b7a09f0a-88ca-4fe0-bc8a-92106133e231
 status: experimental
-description: Detects when the SSH service on a SO IDH node has been probed.
+description: Detects when the SSH service on a SO IDH node has had a login attempt.
 author: Security Onion Solutions
 logsource:
   product: idh

salt/idh/plays/idh_tftp.yml

@@ -0,0 +1,17 @@
+title: SO IDH - TFTP Requests
+id: 6722bba8-5713-4463-b3ab-8432224928c2
+status: experimental
+description: Detects when the TFTP service on a SO IDH node has had requests.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+    - 2000
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical