From eea2b9ccfd9a0040da573544fa4b50d9abcfa18a Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 21 Feb 2022 16:43:26 -0500
Subject: [PATCH] IDH - Play - ssh

---
 salt/idh/Plays/IDH_SSH.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 salt/idh/Plays/IDH_SSH.yaml

diff --git a/salt/idh/Plays/IDH_SSH.yaml b/salt/idh/Plays/IDH_SSH.yaml
new file mode 100644
index 000000000..1d4e7ece4
--- /dev/null
+++ b/salt/idh/Plays/IDH_SSH.yaml
@@ -0,0 +1,18 @@
+title: SO IDH - SSH Accessed
+status: experimental
+description: Detects when the SSH service on a SO IDH node has been probed.
+author: Security Onion Solutions
+logsource:
+ product: idh
+detection:
+ selection:
+ event.code:
+ - 4000
+ - 4001
+ - 4002
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
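Review bot: `falsepositives:` lists `None`, yet any authorized vulnerability scanner, asset-discovery job or monitoring check that reaches the honeypot's SSH port will match `event.code` 4000–4002 exactly as an attacker would, and at `level: critical` that is an on-call page every time it happens; either list those sources (`- Authorized vulnerability and asset scanners`, `- Monitoring or health checks that connect to the honeypot`) or add a `filter` selection on known scanner `source.ip` values and use `condition: selection and not filter`. The rule also carries no `id`, `date` or `tags` entries, so it cannot be referenced or deduplicated by ID and is not mapped to ATT&CK; if these codes do cover SSH connection and login attempts, `id: <uuid>`, `date: 2022/02/21` and `tags: [attack.lateral_movement, attack.t1021.004]` would bring it in line with the usual Sigma layout. The three event codes are matched as bare integers with nothing saying what each one represents, so a maintainer cannot check whether "probed" in the description is accurate or whether the log field is numeric or a string; a one-line comment per code, or a `references:` entry pointing at the IDH event-code list, would settle that. The file also ends without a trailing newline.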