Day 14: Creating SSH Brute Force Alerts and Dashboards in Kibana

Welcome to Day 14 of the 30-Day MYDFIR SOC Analyst Challenge! Today’s goal is to help you create an SSH brute force alert and set up a Kibana dashboard to visualize the sources of these attacks. This hands-on lab will allow you to monitor failed SSH authentication attempts and set up alerts for brute force activity, an essential skill for any SOC analyst.

What is a Brute Force Attack?

A brute force attack occurs when an attacker tries multiple password combinations in an attempt to gain unauthorized access to a system. This method of attack can result in numerous failed login attempts, which can be identified by analyzing SSH logs.

Step 1: Querying Logs in Kibana

We’ll start by querying the logs from the SSH server that are being ingested into our Elasticsearch instance. To do this:

1. Open Kibana and go to the Discover tab.

2. Filter the logs by SSH server: use the agent name filter to select your specific SSH server.

3. Check if logs are being ingested correctly by examining the event count. For instance, you might see thousands of events, depending on your server's activity.

Next, search for failed authentication attempts. These failed attempts will often signal brute force activity, as attackers try multiple password combinations. Use the available fields to locate important information, such as:

- Failed attempts

- Usernames

- Source IPs

To do this:

- Filter by the system.auth.ssh.event field, which should contain values like "failed," "invalid," or "accepted."

- Add the field to your view by clicking the plus icon. You should also filter for failed login attempts specifically.

- Check the source IP to identify the origin of the attacks.

By adding the source.ip and source.geo.country_name fields, you can see where the failed authentication attempts are coming from, potentially spotting trends in certain regions.

Step 2: Creating the Brute Force Alert

Once you have the query set up, it's time to create an alert. This alert will notify you when brute force activity is detected based on your predefined conditions. Follow these steps:

1. Save the search by clicking Save in the top-right corner. Name it something like "SSH Failed Activity."

2. Go to the Alerts tab and click Create Threshold Rule to begin setting up the alert.

3. Name your alert.

4. Configure the alert conditions. For example, you can set it to trigger if there are more than five failed login attempts in 1 minute, which is a common indicator of brute force attacks.

5. Test your query by adjusting the time range (e.g., last five minutes or last five days). This helps verify that the query captures the correct events.

6. Set the frequency for how often you want the rule to check for events (e.g., every minute).

After saving the alert, it will monitor the logs and trigger whenever the conditions are met.
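The saved search and threshold rule above, as an added example that is not part of the original article: a small Python model of the same logic run over constructed sample documents that reuse the article's field names (system.auth.ssh.event, source.ip, source.geo.country_name). It flags any source.ip with more than five failures inside a one-minute window, and also totals failures per country, which is the data the choropleth layer in Step 3 plots.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample documents (not real logs) using the Filebeat system-module
# field names the article filters on. Kibana displays them as dotted keys.
SAMPLE_DOCS = [
    # 7 failures from one source inside 30 seconds: should trigger the rule
    *({"@timestamp": f"2024-09-14T10:00:{5 * i:02d}Z", "system.auth.ssh.event": "Failed",
       "source.ip": "203.0.113.10", "source.geo.country_name": "Country A"} for i in range(7)),
    # 6 failures from another source spaced 2 minutes apart: never 6 inside one minute
    *({"@timestamp": f"2024-09-14T10:{2 * i:02d}:00Z", "system.auth.ssh.event": "Failed",
       "source.ip": "198.51.100.7", "source.geo.country_name": "Country B"} for i in range(6)),
    # a normal successful login, which the saved search filters out
    {"@timestamp": "2024-09-14T10:03:00Z", "system.auth.ssh.event": "Accepted",
     "source.ip": "192.0.2.5", "source.geo.country_name": "Country C"},
]

def parse_ts(value):
    """Parse the ISO-8601 @timestamp (trailing Z, whole seconds) into a datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def failed_ssh_events(docs):
    """Equivalent of the saved Discover search: keep only failed SSH events."""
    return [d for d in docs if d.get("system.auth.ssh.event", "").lower() == "failed"]

def brute_force_sources(docs, threshold=5, window_seconds=60):
    """Threshold rule: source IPs with MORE than `threshold` failures inside any
    span of `window_seconds`. Returns {ip: peak failures seen in one window}."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for d in failed_ssh_events(docs):
        per_ip[d["source.ip"]].append(parse_ts(d["@timestamp"]))
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until the span [start, end] fits in `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[ip] = peak
    return hits

def failures_by_country(docs):
    """Data behind the choropleth layer: failed attempts per country."""
    return Counter(d["source.geo.country_name"] for d in failed_ssh_events(docs))
```

Widening the window (for example to eleven minutes) also flags the second source, which shows why the rule's time range matters as much as its count.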

Step 3: Building a Dashboard for Visualization

To better understand where these attacks are coming from, you can visualize them using Kibana’s Maps feature:

1. Go to the Maps tab under the Analytics section.

2. Use the saved query from earlier (SSH failed activity) as the data source.

3. Add a layer to display the data: click Add Layer in the top-right corner.

Several layer types are available, each presenting the data differently. For now, I am using a Choropleth layer.

4. Plot the source IPs and country information on the map. This gives you a geographical view of where brute force attempts originate. Click Add and continue.

5. Customize your map to highlight regions with high attack activity, helping you monitor trends over time.

6. Similarly, you can create a dashboard to showcase successful attempts. The screenshot below shows 1 failed attempt and 0 successful attempts in the last 15 minutes. You can switch to other durations, for example the last 15 days or the last hour.

Conclusion

By the end of this challenge, you’ve successfully created an alert for SSH brute force activity and set up a dashboard to visualize the origin of these attacks. These skills are crucial for any SOC analyst, providing real-time monitoring and insights into potential security threats. Keep practicing and exploring Kibana’s features to refine your alerts and dashboards further!

More articles by Jaspreet Singh Saini
