SSH brute force attempt

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

2 Hours

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AWS Flow Log
    • AWS OCSF Flow Logs
    • Azure Flow Log
    • Gcp Flow Log
    • Palo Alto Networks Platform Logs
    • Third-Party Firewalls
  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force (T1110)

Severity

Informational

Description

There were multiple attempts to authenticate via SSH to a host in your network. This may indicate a brute force attack.

Attacker's Goals

Attackers attempt to log in to a remote host.

Investigative actions

Audit the failed authentication attempts on the SSH server to identify the abused user account. If that account subsequently authenticates successfully to the SSH server, the attacker may have compromised the user's credentials.

Variations

SSH brute force network detected from external source

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force (T1110)

Severity

Informational

Description

There were multiple attempts to authenticate via SSH to a host in your network. This may indicate a brute force attack.

Attacker's Goals

Attackers attempt to log in to a remote host.

Investigative actions

Audit the failed authentication attempts on the SSH server to identify the abused user account. If that account subsequently authenticates successfully to the SSH server, the attacker may have compromised the user's credentials.

Rare SSH brute force attempt

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Brute Force (T1110)

Severity

Low

Description

There were multiple attempts to authenticate via SSH to a host in your network. This may indicate a brute force attack.

Attacker's Goals

Attackers attempt to log in to a remote host.

Investigative actions

Audit the failed authentication attempts on the SSH server to identify the abused user account. If that account subsequently authenticates successfully to the SSH server, the attacker may have compromised the user's credentials.
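The audit described under Investigative actions for this alert and both of its variations, as an added Python example that is not part of the Cortex XDR reference: it tallies failed SSH logins per source, identifies the abused accounts, and checks whether the same source later authenticated successfully. It assumes OpenSSH auth.log line formatting and runs over a constructed log excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log excerpt (not from the page); the year is assumed to be 2024.
SAMPLE_LOG = """\
Dec  3 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Dec  3 10:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Dec  3 10:00:05 host1 sshd[2003]: Failed password for alice from 203.0.113.5 port 40003 ssh2
Dec  3 10:00:07 host1 sshd[2004]: Failed password for alice from 203.0.113.5 port 40004 ssh2
Dec  3 10:00:09 host1 sshd[2005]: Failed password for alice from 203.0.113.5 port 40005 ssh2
Dec  3 10:00:12 host1 sshd[2006]: Accepted password for alice from 203.0.113.5 port 40006 ssh2
Dec  3 10:05:00 host1 sshd[2007]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Dec  3 10:30:00 host1 sshd[2008]: Accepted publickey for bob from 192.0.2.9 port 50002 ssh2
"""

# Matches OpenSSH "Failed"/"Accepted" auth lines; "invalid user" marks non-existent accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_events(log_text, year=2024):
    """Yield (timestamp, result, source_ip, user) for each auth outcome line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # disconnects, banners, etc. are not auth outcomes
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["src"], m["user"]

def audit_ssh_auth(log_text, min_failures=3, year=2024):
    """Return per-source failed-login counts and, for each (source, user) pair with
    at least min_failures failures, whether that same source later logged in."""
    per_source = defaultdict(int)
    fails, accepts = defaultdict(list), defaultdict(list)
    for ts, result, src, user in parse_events(log_text, year):
        if result == "Failed":
            per_source[src] += 1
            fails[(src, user)].append(ts)
        else:
            accepts[(src, user)].append(ts)
    abused = {}
    for key, times in fails.items():
        if len(times) >= min_failures:
            last_fail = max(times)  # a success after the last failure is the compromise signal
            abused[key] = {"failures": len(times),
                           "accepted_after": any(t > last_fail for t in accepts.get(key, []))}
    return dict(per_source), abused
```

A success for the same account from a different source (bob above) is deliberately not counted, since it is the attacking source gaining access that confirms the credentials were compromised.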