[Juniper SRX] Add event.category and event.outcome to failed SSH login attempt #11834

Oddly · 2024-11-22T12:47:44Z

We have added Juniper switches to this integration, but we see no SIEM alerts on failed SSH attempts to this switch.
Looking at this integration, it seems like this can be added easily by doing the following steps.

Original event:

<37>1 2024-11-22T12:45:00.207+01:00 ams-edge-sw-003 sshd - SSHD_LOGIN_FAILED [[email protected] username="user1" source-address="192.168.0.3"]

This are the relevant fields as parsed by the integration:

juniper.srx.tag: SSHD_LOGIN_FAILED
source.user.name: user1

It seems to me that by filtering for "SSHD_LOGIN_FAILED" and then setting event.category (authentication) and event.outcome (failed ?) this can be easily added to existing SIEM alerts.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2024-11-22T13:48:43Z

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

jamiehynds added Integration:juniper_srx Juniper SRX Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Nov 22, 2024

jamiehynds added the mapping/pipeline issue label Nov 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Juniper SRX] Add event.category and event.outcome to failed SSH login attempt #11834

[Juniper SRX] Add event.category and event.outcome to failed SSH login attempt #11834

Oddly commented Nov 22, 2024

elasticmachine commented Nov 22, 2024

[Juniper SRX] Add event.category and event.outcome to failed SSH login attempt #11834

[Juniper SRX] Add event.category and event.outcome to failed SSH login attempt #11834

Comments

Oddly commented Nov 22, 2024

elasticmachine commented Nov 22, 2024