OCI - SSH scanner

Back


Id	e087d4fb-af0b-4e08-a067-b9ba9e5f8840
Rulename	OCI - SSH scanner
Description	Detects possible SSH scanning activity.
Severity	High
Tactics	Reconnaissance
Techniques	T1595
Required data connectors	OracleCloudInfrastructureLogsConnector
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCISSHScan.yaml
Version	1.0.1
Arm template	e087d4fb-af0b-4e08-a067-b9ba9e5f8840.json

KQL

let threshold = 5;
OCILogs
| where EventType contains 'vcn.flowlogs'
| where data_action_s =~ 'REJECT'
| where ipv4_is_private(DstIpAddr)
| where ipv4_is_private(SrcIpAddr) == False
| where DstPortNumber == 22
| summarize p_count = dcount(DstIpAddr) by SrcIpAddr, bin(TimeGenerated, 5m)
| where p_count > threshold
| extend IPCustomEntity = SrcIpAddr

YAML

id: e087d4fb-af0b-4e08-a067-b9ba9e5f8840
query: |
  let threshold = 5;
  OCILogs
  | where EventType contains 'vcn.flowlogs'
  | where data_action_s =~ 'REJECT'
  | where ipv4_is_private(DstIpAddr)
  | where ipv4_is_private(SrcIpAddr) == False
  | where DstPortNumber == 22
  | summarize p_count = dcount(DstIpAddr) by SrcIpAddr, bin(TimeGenerated, 5m)
  | where p_count > threshold
  | extend IPCustomEntity = SrcIpAddr  
description: |
    'Detects possible SSH scanning activity.'
requiredDataConnectors:
- connectorId: OracleCloudInfrastructureLogsConnector
  dataTypes:
  - OCILogs
tactics:
- Reconnaissance
status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
kind: Scheduled
name: OCI - SSH scanner
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Oracle Cloud Infrastructure/Analytic Rules/OCISSHScan.yaml
version: 1.0.1
relevantTechniques:
- T1595
severity: High
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0

ARM