
SSH (Secure Shell) to the Internet

Elastic Detection Rules

Summary
This detection rule identifies potentially unauthorized SSH (Secure Shell) traffic from internal networks to the internet, which may indicate an attempt at remote control of a system by a malicious actor. SSH is typically used by system administrators for command-line access to servers, but when exposed to the internet without adequate security measures it becomes a target for threat actors seeking initial access or a backdoor into a network. The rule uses a KQL (Kibana Query Language) query to filter network events where the transport protocol is TCP and the destination port is 22, the default port for SSH. It checks that the traffic originates from private (internal) address ranges, while excluding traffic to known internal and multicast destination addresses. A low risk score of 21 indicates that, while it is a concern, it is not among the highest-priority threats. The false-positive section notes that legitimate use of SSH for cloud access or specific engineering workflows may trigger alerts, so traffic matched by this rule needs contextual analysis. This rule has been deprecated since April 2021, meaning it is no longer current or recommended for active detection.
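As an added example (not the rule's own KQL query or Elastic's code), the filter the summary describes expressed in Python over constructed events with flattened ECS-style field names; the CIDR lists and the `allowed_dest_cidrs` allowlist are assumptions, the allowlist standing in for the contextual tuning the false-positive note calls for.

```python
import ipaddress
from typing import Iterable, List

def to_nets(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c) for c in cidrs]

# Assumed ranges standing in for the rule's own lists: RFC 1918 space on the
# source side; private, loopback, link-local and multicast space excluded on
# the destination side.
PRIVATE_NETS = to_nets(("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
EXCLUDED_DEST_NETS = PRIVATE_NETS + to_nets(("127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"))

def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def is_ssh_to_internet(event: dict, allowed_dest_cidrs: Iterable[str] = ()) -> bool:
    """Mirror the rule's filter: TCP to port 22 from a private source to a destination
    outside internal/multicast space. allowed_dest_cidrs is an assumed tuning allowlist
    (e.g. an approved cloud range) for the false positives the rule's notes mention."""
    if event.get("network.transport") != "tcp" or event.get("destination.port") != 22:
        return False
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if not src or not dst:
        return False
    try:
        if not in_any(src, PRIVATE_NETS) or in_any(dst, EXCLUDED_DEST_NETS):
            return False
        return not in_any(dst, to_nets(allowed_dest_cidrs))
    except ValueError:  # malformed address in the event: do not alert on garbage
        return False

# Constructed sample events using flattened ECS-style field names.
SAMPLE_EVENTS = [
    {"network.transport": "tcp", "source.ip": "10.1.2.3", "destination.ip": "203.0.113.10", "destination.port": 22},
    {"network.transport": "tcp", "source.ip": "10.1.2.3", "destination.ip": "192.168.5.5", "destination.port": 22},
    {"network.transport": "udp", "source.ip": "10.1.2.3", "destination.ip": "203.0.113.10", "destination.port": 22},
    {"network.transport": "tcp", "source.ip": "198.51.100.7", "destination.ip": "203.0.113.10", "destination.port": 22},
    {"network.transport": "tcp", "source.ip": "172.20.0.9", "destination.ip": "224.0.0.251", "destination.port": 22},
    {"network.transport": "tcp", "source.ip": "172.20.0.9", "destination.ip": "203.0.113.22", "destination.port": 2222},
]

def matching_events(events: Iterable[dict], allowed_dest_cidrs: Iterable[str] = ()) -> List[dict]:
    return [e for e in events if is_ssh_to_internet(e, allowed_dest_cidrs)]

if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print(f"ALERT ssh-to-internet {e['source.ip']} -> {e['destination.ip']}:{e['destination.port']}")
```

Only the first constructed event matches; the others fail on internal destination, UDP transport, non-private source, multicast destination, or a non-default port, and passing an approved destination range as `allowed_dest_cidrs` suppresses the remaining match.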
Categories
  • Network
  • Endpoint
  • Cloud
Data Sources
  • Network Traffic
  • Process
  • Application Log
  • Logon Session
Created: 2020-02-18