Siem Rule to detect ssh login with multiple source address

Hi, I'm new with Elastic SIEM and now I need to create a rule to detect ssh successful login with multiple IP address with the same username. I wonder how can I create a rule like this since if I using Custon Query or Threshold type, it will be stick to 1 IP only.

filebaet and auditbeat is running already on the server and I can see SSH logs in the discovery

Thank you

Hi Kambing,

What you are trying to do is not possible with the static detection rules. You might want to look into Machine Learning rules.

A similar question was asked two weeks ago, if you want to read a bit here is a link:

1 Like

Hi Madduck,

Thanks for the reply
currently I'm trying to use painless script to compare if there's a login with same username but with different IP. however, I still have no clue how to do loop through all documents in that index.

I also think to create new pipeline and add script in the processors so only the new log that will do the lookup throughout current existing documents.