Successful SSH Authentication from Unusual User

This rule leverages the new_terms rule type to detect successful SSH authentications by a user who has not been authenticated in the last 10 days. This behavior may indicate an attacker attempting to gain access to the system using a valid account.

Rule type: new_terms

Rule indices:

logs-system.auth-*
filebeat-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.category:authentication and host.os.type:linux and event.action:ssh_login and event.outcome:success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

« Successful SSH Authentication from Unusual SSH Public Key Sudo Command Enumeration Detected »