title: SO IDH - SSH Login Attempt
id: b7a09f0a-88ca-4fe0-bc8a-92106133e231
status: experimental
description: Detects when the SSH service on a SO IDH node has had a login attempt.
author: Security Onion Solutions
logsource:
    product: idh
detection:
    selection:
        event.code:
            - 4000
            - 4001
            - 4002
    condition: selection
falsepositives:
    - None
fields:
    - source.ip
level: critical