SigmaHQ/rules/linux/lnx_susp_failed_logons_single_source.yml

title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
    product: linux
    service: auth
detection:
    selection:
        pam_message: "authentication failure"
        pam_user: '*'
        pam_rhost: '*'
    timeframe: 24h 
    condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
    - Terminal servers
    - Jump servers
    - Workstations with frequently changing users 
level: medium
Replicated 'susp_failed_logons_single_source' to Linux. 2017-01-10 23:26:22 +00:00			`title: Multiple Failed Logins with Different Accounts from Single Source System`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`description: Detects suspicious failed logins with different user accounts from a single source system`
			`logsource:`
			`product: linux`
Fixed rules * Replaced unspecified logsource attribute 'type' with 'category' * Usage of service 'auth' for linux logs 2017-09-10 22:35:52 +00:00			`service: auth`
Replicated 'susp_failed_logons_single_source' to Linux. 2017-01-10 23:26:22 +00:00			`detection:`
			`selection:`
Fixed rule 2018-03-04 21:07:01 +00:00			`pam_message: "authentication failure"`
Adjusted rules to the new specs reg "not null" usage 2018-06-28 07:30:12 +00:00			`pam_user: '*'`
			`pam_rhost: '*'`
Removed 'last' keyword from 'timeframe' fields 2017-02-28 16:52:40 +00:00			`timeframe: 24h`
Replicated 'susp_failed_logons_single_source' to Linux. 2017-01-10 23:26:22 +00:00			`condition: selection \| count(pam_user) by pam_rhost > 3`
			`falsepositives:`
			`- Terminal servers`
			`- Jump servers`
			`- Workstations with frequently changing users`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: medium`