OpenCanary - MySQL Login Attempt

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

Sigma rule (View on GitHub)

 1title: OpenCanary - MySQL Login Attempt
 2id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
 3status: experimental
 4description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
 5references:
 6    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 7    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 8author: Security Onion Solutions
 9date: 2024-03-08
10tags:
11    - attack.credential-access
12    - attack.collection
13    - attack.t1003
14    - attack.t1213
15logsource:
16    category: application
17    product: opencanary
18detection:
19    selection:
20        logtype: 8001
21    condition: selection
22falsepositives:
23    - Unlikely
24level: high

References

Related rules

to-top