IDH - Play - ssh
18
salt/idh/Plays/IDH_SSH.yaml
Normal file
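--- a/salt/idh/Plays/IDH_SSH.yaml
+++ b/salt/idh/Plays/IDH_SSH.yaml
@@ -0,0 +1,18 @@
+title: SO IDH - SSH Accessed
+status: experimental
+description: Detects when the SSH service on a SO IDH node has been probed.
+author: Security Onion Solutions
+logsource:
+    product: idh
+detection:
+    selection:
+        event.code:
+            - 4000
+            - 4001
+            - 4002
+    condition: selection
+falsepositives:
+    - None
+fields:
+    - source.ip
+level: critical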