Hi, I'm new with Elastic SIEM and now I need to create a rule to detect ssh successful login with multiple IP address with the same username. I wonder how can I create a rule like this since if I using Custon Query or Threshold type, it will be stick to 1 IP only. filebaet and auditbeat is running …

Siem Rule to detect ssh login with multiple source address

madduck September 7, 2020, 12:29pm 2

Hi Kambing,

What you are trying to do is not possible with the static detection rules. You might want to look into Machine Learning rules.

A similar question was asked two weeks ago, if you want to read a bit here is a link:

1 Like

Topic		Replies	Views
SIEM Threshold - unique values SIEM	6	1358	September 29, 2020
SIEM custom rule to generate an alert if multiple users attempts with same source IP or same mac address Elastic Security elastic-stack-alerting	3	809	December 30, 2021
Network Scan SIEM detection-rules	6	600	February 9, 2023
SIEM feature request SIEM	5	517	October 29, 2020
SIEM open rules Elastic Security	3	605	October 7, 2021