You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This hunt identifies excessive SSH network activity to unique destinations on Linux systems. It monitors network connections over TCP to port 22 (SSH) and counts the number of unique destination IP addresses. A high number of unique destinations could indicate suspicious activity such as discovery or lateral movement.
"""
integration = ["endpoint"]
uuid = "223f812c-a962-4d58-961d-134d8f8b15da"
name = "Excessive SSH Network Activity to Unique Destinations"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"Monitors network connections to port 22 (SSH) and counts the number of unique destination IP addresses per host and user.",
"A high number of unique destinations can indicate suspicious activity such as discovery or lateral movement.",
"The threshold of 10 unique destinations can be adjusted to suit the environment's baseline activity."
]
mitre = ["T1021.004", "T1078.003"]
query = [
'''
from logs-endpoint.events.network-*
| where @timestamp > now() - 7 day
| where host.os.type == "linux" and event.category == "network" and network.transport == "tcp" and destination.port == 22 and source.port >= 49152
| keep destination.ip, host.id, user.name
| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name
// Alter this threshold to make sense for your environment