valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f0663c8412
SigmaHQ/rules/linux/lnx_susp_failed_logons_single_source.yml
Mike Wade 52ab677798 Fixed my git issue
2020-09-13 22:03:04 -06:00

22 lines
638 B
YAML
Raw Blame History

title: Failed Logins with Different Accounts from Single Source System
id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
status: experimental
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
date: 2017/02/16
logsource:
product: linux
service: auth
detection:
selection:
pam_message: authentication failure
pam_user: '*'
pam_rhost: '*'
timeframe: 24h
condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
- Terminal servers
- Jump servers
- Workstations with frequently changing users
level: medium
Reference in New Issue View Git Blame Copy Permalink