UBA : Detect Persistent SSH session

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: False

Default senseValue: 10

Description

Detects SSH sessions that are active for more than 10 hours.

Support rules

  • BB:UBA : Common Event Filters
  • BB:UBA : SSH Session Closed
  • BB:UBA : SSH Session Opened

Required configuration

This rule requires both SSH Opened and SSH Closed events for accurate detection. If the log source in use does not provide an eventID for both events, the results might be inaccurate: a session whose close event is never logged cannot be told apart from one that is still open. See the Data sources to determine the eventIDs for the log source in use.
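An added illustration of the pairing logic described above (example code written for this page, not part of the UBA app): it correlates opened and closed events per user and session, reports sessions active longer than 10 hours, and shows why a missing close eventID matters. The pipe-delimited record layout, the user and session id fields, and the sample events are constructed assumptions; the event IDs are a subset of those listed on this page.

```python
from datetime import datetime, timedelta

# Subset of the opened/closed event IDs listed on this page (Centrify, Universal DSM).
SSH_OPENED = {"27100", "27104", "SSH Opened", "SSH Session Started"}
SSH_CLOSED = {"27102", "SSH Closed", "SSH Session Finished", "SSH Terminated"}
THRESHOLD = timedelta(hours=10)  # rule description: active for more than 10 hours

# Constructed sample events, layout "ISO timestamp|username|session id|eventID".
SAMPLE_EVENTS = [
    "2024-03-01T08:00:00|alice|s101|27100",
    "2024-03-01T09:00:00|alice|s101|27102",               # 1 h: normal
    "2024-03-01T00:00:00|bob|s202|SSH Session Started",
    "2024-03-01T12:30:00|bob|s202|SSH Session Finished",  # 12.5 h: persistent
    "2024-03-01T02:00:00|carol|s303|SSH Opened",          # no close event logged
]

def parse_event(line):
    ts, user, sid, event_id = line.split("|", 3)
    return datetime.fromisoformat(ts), user, sid, event_id

def persistent_sessions(lines, now_iso, threshold=THRESHOLD):
    """Pair opened/closed events per (user, session id) and return
    (user, sid, hours, closed) for every session longer than threshold."""
    now = datetime.fromisoformat(now_iso)
    events = sorted(parse_event(line) for line in lines)  # chronological order
    open_sessions, findings = {}, []
    for ts, user, sid, event_id in events:
        key = (user, sid)
        if event_id in SSH_OPENED:
            open_sessions[key] = ts
        elif event_id in SSH_CLOSED:
            started = open_sessions.pop(key, None)
            if started is not None and ts - started > threshold:
                findings.append((user, sid, (ts - started) / timedelta(hours=1), True))
    # Sessions with no close event are measured against "now". A log source that
    # never emits a close eventID makes every session look like this, which is the
    # inaccuracy the required-configuration note warns about.
    for (user, sid), started in open_sessions.items():
        if now - started > threshold:
            findings.append((user, sid, (now - started) / timedelta(hours=1), False))
    return findings

if __name__ == "__main__":
    for finding in persistent_sessions(SAMPLE_EVENTS, "2024-03-01T13:00:00"):
        print(finding)
```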

Log source types (SSH Opened)

Centrify Infrastructure Services (EventID: 27100, 27104)

Cisco IOS (EventID: %SSH-5-SSH2_SESSION, %SSH-SW2-5-SSH2_SESSION)

Custom Rule Engine (EventID: 18037, 3071)

Cyber-Ark Vault (EventID: 378)

Extreme XSR Security Routers (EventID: NEW_SSH_CONNECTION)

Flow Classification Engine (EventID: 3071, 18037)

Huawei S Series Switch (EventID: SSH/4/SFTP_REQ_RECORD)

HyTrust CloudControl (EventID: AUN0120, unknown)

IBM AIX Server (EventID: sshd2 connection established, ssh-server connect, ssh-server session open)

IBM DataPower (EventID: 0x8100011e, 0x810001e4, 0x810001e5)

Juniper MX Series Ethernet Services Router (EventID: SSH)

Juniper Networks AVT (EventID: SSH)

Mac OS X (EventID: OSX ssh session started)

OS Services Qidmap (EventID: Connection from, pam_open_session, pam_sm_open_session)

Solaris Operating System Authentication Messages (EventID: ssh session opened)

Universal DSM (EventID: SSH Opened, SSH Session Started)

Log source types (SSH Closed)

Aruba Mobility Controller (EventID: sshd_disconnect)

Centrify Infrastructure Services (EventID: 27102)

Cisco IOS (EventID: %SSH-5-SSH_CLOSE, %SSH-SW2-5-SSH2_CLOSE, %SSH-5-SSH2_CLOSE)

Custom Rule Engine (EventID: 3072, 18038, 18040)

Cyber-Ark Vault (EventID: 380, 381)

Flow Classification Engine (EventID: 3072, 18038, 18040)

Huawei S Series Switch (EventID: SSH/6/RECV_DISCONNECT)

IBM AIX Server (EventID: ssh-server disconnect, sshd2 connection lost, SSH Disconnect, sshd2 local disconnect, ssh-server session close)

OS Services Qidmap (EventID: Done with connection, pam_sm_close_session, pam_close_session, Did not receive identification string, Connection timed out, Received disconnect from IP, Connection closed)

Pulse Secure Pulse Connect Secure (EventID: GWE24572)

Universal DSM (EventID: SSH Terminated, SSH Session Finished, SSH Closed)