valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a4e62fcb1b
SigmaHQ/rules/linux/lnx_susp_failed_logons_single_source.yml
Thomas Patzke 0592cbb67a Added UUIDs to rules
2019-11-12 23:12:27 +01:00

19 lines
588 B
YAML
Raw Blame History

title: Multiple Failed Logins with Different Accounts from Single Source System
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
product: linux
service: auth
detection:
selection:
pam_message: authentication failure
pam_user: '*'
pam_rhost: '*'
timeframe: 24h
condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
- Terminal servers
- Jump servers
- Workstations with frequently changing users
level: medium
Reference in New Issue View Git Blame Copy Permalink