Unusual SSH Activity

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-06-24
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

2 Hours

Deduplication Period

1 Day

Required Data

  • Requires:
    • Palo Alto Networks Platform Logs
  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Protocol Tunneling (T1572)

Severity

Informational

Description

Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session.

Attacker's Goals

Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the client IP/agent for use of known intelligence tools.
  • Investigate the user accounts involved in the SSH connections to determine whether credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.

Variations

Unusual, long SSH activity with tunnel characteristics

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Protocol Tunneling (T1572)

Severity

Low

Description

Unusual SSH activity was detected that involved a high volume of data transfer and abnormal session duration.

Attacker's Goals

Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the client IP/agent for use of known intelligence tools.
  • Investigate the user accounts involved in the SSH connections to determine whether credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.

Unusual SSH activity with tunnel characteristics to external destination

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Protocol Tunneling (T1572)

Severity

Low

Description

Unusual SSH activity was detected that involved a higher than usual volume of data transfer and an abnormally long session.

Attacker's Goals

Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.

Investigative actions

  • Review the client IP/agent for use of known intelligence tools.
  • Investigate the user accounts involved in the SSH connections to determine whether credentials were compromised. Additionally, examine logs for any unexpected data transfers or commands that may indicate malicious intent.
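The detection logic shared by the alert and both variations (a per-client baseline built over the training window, then a test-window session flagged only when it is both unusually large and unusually long, split by whether the destination is external), as an added Python example that is not Cortex XSIAM code; the session fields, the z-score threshold and the sample sessions are assumptions.

```python
# Added example (not Cortex XSIAM code): a simplified model of the
# "Unusual SSH Activity" detector. Sessions from the training window build a
# per-client baseline for bytes transferred and session duration; a session
# in the test window raises an alert only when both exceed the baseline.
# Field names, the z-score threshold and the sample sessions are assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class SshSession:
    src: str           # client IP or agent hostname
    user: str
    bytes_total: int   # bytes sent + received over the session
    duration_s: int    # session length in seconds
    external: bool     # destination outside the organisation's ranges

def baseline(training):
    """Per-client (mean, stdev) of volume and duration from the training window."""
    by_src = {}
    for s in training:
        by_src.setdefault(s.src, []).append(s)
    stats = {}
    for src, rows in by_src.items():
        b = [r.bytes_total for r in rows]
        d = [r.duration_s for r in rows]
        stats[src] = (mean(b), pstdev(b), mean(d), pstdev(d))
    return stats

def classify(session, stats, z=3.0):
    """Return the variation name the session would raise, or None."""
    if session.src not in stats:
        return None  # no baseline yet: client is still in its activation period
    mb, sb, md, sd = stats[session.src]
    high_volume = session.bytes_total > mb + z * sb
    long_session = session.duration_s > md + z * sd
    if not (high_volume and long_session):
        return None  # one unusual dimension alone does not fire
    if session.external:
        return "Unusual SSH activity with tunnel characteristics to external destination"
    return "Unusual, long SSH activity with tunnel characteristics"

# Constructed training data: ten routine admin sessions from one jump host.
TRAINING = [SshSession("10.0.0.5", "ops", b, d, False) for b, d in zip(
    [40000, 50000, 60000, 45000, 55000, 50000, 48000, 52000, 47000, 53000],
    [100, 120, 140, 110, 130, 120, 115, 125, 118, 122])]

# Constructed test-window sessions.
TEST = [
    SshSession("10.0.0.5", "ops", 52000, 125, False),       # routine
    SshSession("10.0.0.5", "ops", 5_000_000, 7200, False),  # heavy and long, internal
    SshSession("10.0.0.5", "ops", 8_000_000, 10800, True),  # heavy and long, external
    SshSession("10.0.0.5", "ops", 5_000_000, 60, False),    # heavy but short
    SshSession("10.0.0.9", "dev", 9_000_000, 9000, True),   # client has no baseline
]

def run(training=TRAINING, test=TEST):
    stats = baseline(training)
    return [classify(s, stats) for s in test]
```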