---
# ElastAlert rule: alert on each accepted SSH login reported by sshd.
# Settings such as the index and rule name are not defined here; they are
# expected to come from the imported file — confirm audit.incl supplies them.
import: audit.incl

# Both filter entries must hold: an sshd record whose event is "Accepted".
# `term` is an exact match on the indexed value, so casing must match.
filter:
  - term:
      system.auth.ssh.event: Accepted
  - term:
      ident: sshd

# Zero-minute realert window: no throttling, one alert per matching document.
realert:
  minutes: 0

# Rule type "any" fires on every document that passes the filter.
type: any

alert_subject: 'ElastAlert: SSH Login'
alert_text_type: alert_text_only
# Placeholders {0}..{4} are filled positionally from alert_text_args.
alert_text: 'SSH Login into {0} {1}/{2} as {3} from {4}'
alert_text_args:
  - source.hostname       # {0}
  - source.region         # {1}
  - source.conglomerate   # {2}
  - system.auth.user      # {3} echoed verbatim from the auth log; the login name is attacker-chosen
  - system.auth.ip        # {4}