
Generate SSH Failed Login Attempt Alert on Elastic Security


| Machine  | IP           |
|----------|--------------|
| Victim   | 10.10.30.102 |
| Attacker | 10.10.3.2    |

Create Detection Rule

  • Choose Threshold under Define rule.

Pasted_image_20250620123555.png

  • Under Source choose Data View and choose logs-* under that as shown below.

Pasted_image_20250620123843.png

  • Use the KQL query below to match failed or invalid SSH authentication events. The `system.auth.ssh.event` field is populated by the Elastic Agent System integration when it parses the host's auth log, so the query only returns results for hosts that ship those logs.
  • Group by `source.ip`, i.e., the address the SSH authentication requests originate from.
  • Set the Threshold value to 10, i.e., an alert is triggered when a single `source.ip` produces 10 or more failed/invalid auth events within the rule's lookback window.

```kql
system.auth.ssh.event : "Failed" or system.auth.ssh.event : "Invalid"
```
  • Continue to the next section. Fill the details as appropriate.

Pasted_image_20250620125517.png Pasted_image_20250620125619.png
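To see what the rule is doing, the following added example (not code from the original page or from Elastic) reproduces the detection offline: it parses a few constructed sshd auth-log lines into the ECS field names the System integration emits (`system.auth.ssh.event`, `source.ip`, `user.name`), applies the page's KQL filter, groups by `source.ip` and reports any source at or above the threshold of 10. The regexes, sample lines and the `run` helper are assumptions for illustration, not the integration's own parser.

```python
"""Offline replay of the threshold rule (added example, not the page's code).

The Elastic Agent System integration turns sshd syslog lines into documents
with fields such as system.auth.ssh.event and source.ip. This script does a
minimal version of that mapping for constructed log lines, then applies the
rule: (system.auth.ssh.event : "Failed" or system.auth.ssh.event : "Invalid")
grouped by source.ip with a threshold of 10.
"""
import re
from collections import Counter

THRESHOLD = 10  # same value configured in the rule

# sshd message patterns (assumption: only these three message shapes matter here).
_FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
_INVALID = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
_ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

# Constructed sample auth log (not captured from the lab):
#   11 failed/invalid attempts from the attacker 10.10.3.2,
#   2 failed attempts from 192.0.2.7 (below threshold),
#   1 successful login and 1 unrelated cron line.
_PREFIX = "Jun 20 13:07:{sec:02d} victim sshd[{pid}]: "
_lines = []
for i in range(8):
    _lines.append(_PREFIX.format(sec=i, pid=2400 + i)
                  + f"Failed password for testuser from 10.10.3.2 port {41200 + i} ssh2")
for i in range(3):
    _lines.append(_PREFIX.format(sec=10 + i, pid=2410 + i)
                  + f"Invalid user admin{i} from 10.10.3.2 port {41300 + i}")
for i in range(2):
    _lines.append(_PREFIX.format(sec=20 + i, pid=2420 + i)
                  + f"Failed password for root from 192.0.2.7 port {5000 + i} ssh2")
_lines.append(_PREFIX.format(sec=30, pid=2430)
              + "Accepted publickey for ops from 10.10.30.50 port 50022 ssh2")
_lines.append("Jun 20 13:07:31 victim CRON[2431]: pam_unix(cron:session): session opened for user root")
SAMPLE_AUTH_LOG = "\n".join(_lines)


def parse_sshd_line(line):
    """Map one syslog line to a flat dict keyed by ECS field names.

    Returns None for lines that are not sshd authentication events.
    """
    for event, pat in (("Failed", _FAILED), ("Invalid", _INVALID), ("Accepted", _ACCEPTED)):
        m = pat.search(line)
        if m:
            return {
                "system.auth.ssh.event": event,
                "user.name": m.group("user"),
                "source.ip": m.group("ip"),
                "source.port": int(m.group("port")),
            }
    return None


def matches_query(doc):
    """Equivalent of the rule's KQL filter."""
    return doc.get("system.auth.ssh.event") in ("Failed", "Invalid")


def threshold_alerts(docs, threshold=THRESHOLD):
    """Group matching docs by source.ip; return {ip: count} for sources at or above threshold.

    Like the Elastic threshold rule, one source yields at most one alert per run,
    regardless of how far above the threshold it is.
    """
    counts = Counter(d["source.ip"] for d in docs if matches_query(d))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def run(log_text, threshold=THRESHOLD):
    """Parse raw log text and evaluate the rule over it."""
    docs = [d for d in (parse_sshd_line(l) for l in log_text.splitlines()) if d]
    return threshold_alerts(docs, threshold)


if __name__ == "__main__":
    for ip, n in run(SAMPLE_AUTH_LOG).items():
        print(f"ALERT: {n} failed/invalid SSH auth events from {ip} (threshold {THRESHOLD})")
```

The successful login and the cron line are parsed but excluded by the filter, and 192.0.2.7 never reaches the threshold, so only the attacker address produces an alert. In Elastic the same counting happens per rule run over the rule's lookback window, so a slow attacker spreading attempts across several windows can stay under a threshold of 10.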

Simulate attack

```bash
medusa -h 10.10.30.102 -u testuser -P passwords.txt -M ssh
```

Pasted_image_20250620130723.png

Note: The victim machine must ship its auth logs to Elastic (via Elastic Agent with the System integration) for the rule to generate an alert; without those events the query on `system.auth.ssh.event` returns nothing.

Detection

  • Wait about 5 minutes after simulating the attack (the rule only evaluates on its scheduled run interval, 5 minutes by default), then navigate to Elastic Security and open the Alerts page.

Pasted_image_20250620130846.png