mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
IDH - Play - ssh
salt/idh/Plays/IDH_SSH.yaml (new file, 18 lines added)
@@ -0,0 +1,18 @@
title: SO IDH - SSH Accessed
status: experimental
description: Detects when the SSH service on a SO IDH node has been probed.
author: Security Onion Solutions
logsource:
product: idh
detection:
selection:
event.code:
- 4000
- 4001
- 4002
condition: selection
falsepositives:
- None
fields:
- source.ip
level: critical
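Review bot: the `event.code` list (4000, 4001, 4002) in the selection is undocumented, so a reader of the rule cannot tell which SSH honeypot events each code represents or whether all three are in scope of "probed"; add a short comment or expand the `description` to name the three events. In the same file, `falsepositives: - None` is unlikely to hold for a honeypot SSH listener on a monitored network: authorized vulnerability scanners, asset inventory tools and monitoring checks that touch the port will fire this rule at `level: critical`, so list those sources explicitly (and consider a filter on their `source.ip`) rather than declaring none. The rule also carries no `id` or `date` field, which Sigma-style rules normally include so that alerts can be tied back to a specific rule version; add both before moving the rule out of `status: experimental`.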