SigmaHQ/rules/linux/lnx_susp_failed_logons_single_source.yml

title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
    product: linux
    service: syslog
detection:
    selection:
        log: auth
        pam_user: not null
        pam_rhost: not null
    timeframe: last 24h 
    condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
    - Terminal servers
    - Jump servers
    - Workstations with frequently changing users 
level: medium
Replicated 'susp_failed_logons_single_source' to Linux. 2017-01-10 23:26:22 +00:00			`title: Multiple Failed Logins with Different Accounts from Single Source System`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`description: Detects suspicious failed logins with different user accounts from a single source system`
			`logsource:`
			`product: linux`
			`service: syslog`
Replicated 'susp_failed_logons_single_source' to Linux. 2017-01-10 23:26:22 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`log: auth`
			`pam_user: not null`
			`pam_rhost: not null`
Replicated 'susp_failed_logons_single_source' to Linux. 2017-01-10 23:26:22 +00:00			`timeframe: last 24h`
			`condition: selection \| count(pam_user) by pam_rhost > 3`
			`falsepositives:`
			`- Terminal servers`
			`- Jump servers`
			`- Workstations with frequently changing users`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: medium`