OpenCanary - SSH New Connection Attempt

 1title: OpenCanary - SSH New Connection Attempt
 2id: cd55f721-5623-4663-bd9b-5229cab5237d
 3status: test
 4description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
 5references:
 6    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
 7    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
 8author: Security Onion Solutions
 9date: 2024-03-08
10tags:
11    - attack.privilege-escalation
12    - attack.defense-evasion
13    - attack.initial-access
14    - attack.lateral-movement
15    - attack.persistence
16    - attack.t1133
17    - attack.t1021
18    - attack.t1078
19logsource:
20    category: application
21    product: opencanary
22detection:
23    selection:
24        logtype: 4000
25    condition: selection
26falsepositives:
27    - Unlikely
28level: high

References

• Configuration — OpenCanary 0.9 documentation

  Configuration Since we have many services, and each service has a few options, we have listed them all for you. Services Configuration We have gone ahead and listed all the services by their config...

  
  Read More

• opencanary/opencanary/logger.py at a0896adfcaf0328cfd5829fe10d2878c7445138e · thinkst/opencanary

  

  Modular and decentralised honeypot. Contribute to thinkst/opencanary development by creating an account on GitHub.

  
  Read More

Related rules

• OpenCanary - SSH Login Attempt
• AWS Suspicious SAML Activity
• External Remote RDP Logon from Public IP
• External Remote SMB Logon from Public IP
• Failed Logon From Public IP