---
# ElastAlert rule: raise an alert for every accepted SSH login.
#
# Shared settings (index, connection, alert targets, ...) come from the
# imported file; only the match filter and the alert wording live here.
import: audit.incl

# Match only sshd log lines whose event field is "Accepted".
# NOTE(review): `term` is an exact match on the indexed value; if
# system.auth.ssh.event is an analyzed text field this will never match —
# confirm the field mapping (keyword vs text) in the target index.
filter:
  - term:
      system.auth.ssh.event: Accepted
  - term:
      ident: sshd

# No suppression window: a second login from the same source within
# minutes still produces its own alert, which is what an audit trail of
# interactive logins needs.
realert:
  minutes: 0

# Fire on any document that passes the filter.
type: any

alert_subject: 'ElastAlert: SSH Login'

# Use only the custom text below (no default match dump appended).
alert_text_type: alert_text_only

# {0}..{4} are positional placeholders filled, in order, from
# alert_text_args: hostname, region/conglomerate, user, source IP.
alert_text: 'SSH Login into {0} {1}/{2} as {3} from {4}'

alert_text_args:
  - source.hostname
  - source.region
  - source.conglomerate
  - system.auth.user
  - system.auth.ip