Successful SSH Authentication from Unusual User
This rule leverages the new_terms rule type to detect successful SSH authentications by a user who has not authenticated in the last 10 days. This behavior may indicate an attacker gaining access to the system with a valid account.
[metadata]
creation_date = "2025/02/21"
integration = ["system"]
maturity = "production"
updated_date = "2025/02/21"

[rule]
author = ["Elastic"]
description = """
This rule leverages the new_terms rule type to detect successful SSH authentications by a user
who has not been authenticated in the last 10 days. This behavior may indicate an attacker
attempting to gain access to the system using a valid account.
"""
false_positives = [
 """
 This rule may trigger in cases where a user has routine work patterns that result in infrequent authentications.
 """,
]
# Look-back applied on each execution. NOTE(review): the execution interval is
# not set in this file — confirm the default keeps consecutive windows overlapping
# so no successful login slips between two runs.
from = "now-9m"
# Events in these patterns must carry ECS authentication fields with
# event.action = "ssh_login" for the query below to match; presumably the system
# integration's auth dataset populates that — verify against ingested data.
index = ["logs-system.auth-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Successful SSH Authentication from Unusual User"
risk_score = 21
rule_id = "5b8d7b94-23c6-4e3f-baed-3a4d0da4f19d"
severity = "low"
tags = [
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Initial Access",
 # NOTE(review): integration and index above point at the system integration rather
 # than Elastic Defend — confirm this tag reflects the data source actually queried.
 "Data Source: Elastic Defend",
]
# Evaluate on ingest time rather than event time so late-arriving auth logs still
# land inside the look-back window.
timestamp_override = "event.ingested"
type = "new_terms"
# Scope: successful Linux SSH logins only; failed attempts are deliberately excluded.
query = '''
event.category:authentication and host.os.type:linux and event.action:ssh_login and event.outcome:success
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.new_terms]
# An alert fires when related.user carries a value not observed during the history
# window. Expect a burst of alerts while that window is still being filled, e.g.
# on a freshly onboarded host or a new index.
field = "new_terms_fields"
value = ["related.user"]

[[rule.new_terms.history_window_start]]
# Baseline of previously seen users; the `from` look-back above lies well inside it.
field = "history_window_start"
value = "now-10d"
Related rules
- Successful SSH Authentication from Unusual IP Address
- Successful SSH Authentication from Unusual SSH Public Key
- Kill Command Execution
- Base64 Decoded Payload Piped to Interpreter
- Linux User Account Credential Modification