Query Details

Leveraging Sentinel UEBA To Safeguard Against OpenSSH Vulnerability Exploits

Query

// Leveraging Sentinel UEBA to safeguard against OpenSSH vulnerability exploits 
// https://www.linkedin.com/posts/activity-7217745435635900416-ZIa7/

// Using Sentinel UEBA threat intelligence data, you can identify the IP addresses of SSH BruteForce attackers targeting your cloud or on-premises environment. By adding these IPs to your firewall block list, you can enhance protection against OpenSSH vulnerability exploits, specifically CVE-2024-6387 (#regreSSHion) and CVE-2024-6409 (#Privsep).

BehaviorAnalytics
| where TimeGenerated > ago(90d)
| extend ThreatIntelIndicatorDescription = DevicesInsights.ThreatIntelIndicatorDescription
| where isnotempty( ThreatIntelIndicatorDescription ) 
| where ThreatIntelIndicatorDescription contains "destination_port_numbers: 22" and 
ThreatIntelIndicatorDescription contains "A BruteForce indicator"
| distinct SourceIPAddress, SourceIPLocation
| sort by SourceIPLocation asc

Explanation

This KQL query is designed to help identify and protect against SSH BruteForce attacks targeting your environment, leveraging Sentinel UEBA (User and Entity Behavior Analytics) threat intelligence data. Here's a simplified breakdown:

  1. Data Source: The query reads the BehaviorAnalytics table, which Sentinel UEBA populates with enriched sign-in and activity records.
  2. Time Frame: It looks at data generated in the last 90 days.
  3. Threat Intelligence: It pulls ThreatIntelIndicatorDescription out of the dynamic DevicesInsights column and keeps only rows where it is non-empty, i.e. rows whose source IP matched a threat-intelligence indicator.
  4. SSH BruteForce Indicators: It then keeps descriptions that mention port 22 (the default SSH port) and a BruteForce indicator. Note that `contains` is a case-insensitive substring match, so "destination_port_numbers: 22" also matches descriptions listing port 2222 or 22022.
  5. Output: The query returns the distinct source IP addresses together with their geolocation.
  6. Sorting: Finally, it sorts the results by source IP location in ascending order.

By identifying these IP addresses, you can add them to your firewall block list to reduce your exposure to opportunistic exploitation of the OpenSSH vulnerabilities above (CVE-2024-6387 and CVE-2024-6409). Review the list before blocking (the UEBA record can carry internal or malformed addresses), and treat the block list as a complement to patching OpenSSH rather than a substitute: the indicators identify hosts previously seen brute-forcing SSH, not every host capable of exploiting these CVEs.
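The following Python script is an added example, not part of the original query page or the author's work. It shows the post-processing step the page leaves to the reader: take rows in the shape of BehaviorAnalytics (the three columns the query touches), apply the same filter in Python, and turn the survivors into firewall block-list commands. It assumes the ThreatIntelIndicatorDescription text reads "... destination_port_numbers: <list>" (the layout of the real field is not documented on the page), an ipset set named ssh-bruteforce, and constructed sample rows using documentation IP ranges. It also demonstrates two things the KQL alone does not: the substring trap of `contains` versus a strict port parse, and refusing to block internal addresses.

```python
"""Turn Sentinel UEBA SSH brute-force hits into a firewall block list.

Added example, not the original query page's code. Row layout, description
text format and the ipset set name are assumptions; the rows are constructed.
"""
import ipaddress
import re

# Constructed sample rows: only the columns the KQL query touches.
SAMPLE_ROWS = [
    {"SourceIPAddress": "203.0.113.7", "SourceIPLocation": "Netherlands",
     "DevicesInsights": {"ThreatIntelIndicatorDescription":
                         "A BruteForce indicator. destination_port_numbers: 22"}},
    {"SourceIPAddress": "203.0.113.7", "SourceIPLocation": "Netherlands",   # repeat sighting
     "DevicesInsights": {"ThreatIntelIndicatorDescription":
                         "A BruteForce indicator. destination_port_numbers: 22"}},
    {"SourceIPAddress": "198.51.100.23", "SourceIPLocation": "Brazil",      # RDP, not SSH
     "DevicesInsights": {"ThreatIntelIndicatorDescription":
                         "A BruteForce indicator. destination_port_numbers: 3389"}},
    {"SourceIPAddress": "192.0.2.9", "SourceIPLocation": "Canada",          # scanner, not brute force
     "DevicesInsights": {"ThreatIntelIndicatorDescription":
                         "A Scanner indicator. destination_port_numbers: 22"}},
    {"SourceIPAddress": "192.0.2.44", "SourceIPLocation": "Australia",      # port 2222: substring trap
     "DevicesInsights": {"ThreatIntelIndicatorDescription":
                         "A BruteForce indicator. destination_port_numbers: 2222"}},
    {"SourceIPAddress": "10.0.0.5", "SourceIPLocation": "",                 # internal host, never block at the edge
     "DevicesInsights": {"ThreatIntelIndicatorDescription":
                         "A BruteForce indicator. destination_port_numbers: 22"}},
    {"SourceIPAddress": "198.51.100.77", "SourceIPLocation": "Germany",     # no TI enrichment at all
     "DevicesInsights": {}},
]

# Assumed layout of the port list inside the description text.
PORT_LIST_RE = re.compile(r"destination_port_numbers:\s*([\d,\s]+)")


def description_of(row):
    """Mirror of `extend ThreatIntelIndicatorDescription = DevicesInsights.ThreatIntelIndicatorDescription`."""
    return str(row.get("DevicesInsights", {}).get("ThreatIntelIndicatorDescription", "") or "")


def matches_like_kql(desc):
    """Exactly what the page's two `contains` clauses do: case-insensitive substring tests."""
    d = desc.lower()
    return "destination_port_numbers: 22" in d and "a bruteforce indicator" in d


def matches_strict(desc):
    """Same intent, but parse the port list so 2222 or 22022 no longer match."""
    if "a bruteforce indicator" not in desc.lower():
        return False
    m = PORT_LIST_RE.search(desc)
    if not m:
        return False
    ports = {p.strip() for p in m.group(1).split(",") if p.strip()}
    return "22" in ports


# Ranges that must never land in an edge block list, whatever UEBA says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_blockable(ip_text):
    """Reject malformed addresses and anything internal; a UEBA row can carry either."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in NEVER_BLOCK)


def ssh_bruteforce_sources(rows, strict=True):
    """`distinct SourceIPAddress, SourceIPLocation | sort by SourceIPLocation asc`."""
    match = matches_strict if strict else matches_like_kql
    seen = set()
    for row in rows:
        desc = description_of(row)
        if not desc or not match(desc):  # isnotempty() plus the two contains clauses
            continue
        seen.add((row["SourceIPAddress"], row.get("SourceIPLocation", "")))
    return sorted(seen, key=lambda e: (e[1], e[0]))


def block_list(rows, set_name="ssh-bruteforce", strict=True):
    """ipset commands for the public addresses only (set name is an assumption)."""
    return [f"ipset add {set_name} {ip}"
            for ip, _loc in ssh_bruteforce_sources(rows, strict)
            if is_blockable(ip)]


if __name__ == "__main__":
    for cmd in block_list(SAMPLE_ROWS):
        print(cmd)
```

With the sample rows, the strict filter yields one blockable address (203.0.113.7); the internal 10.0.0.5 hit is dropped by is_blockable, and the port-2222 row only appears when strict=False, reproducing the substring behaviour of the KQL `contains` operator.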

Details


Steven Lim

Released: August 2, 2024

Tables

BehaviorAnalytics

Keywords

Sentinel UEBA, Threat Intelligence Data, IP Addresses, SSH BruteForce, Cloud, On-Premises Environment, Firewall Block List, Protection, OpenSSH Vulnerability Exploits, CVE-2024-6387, CVE-2024-6409, BehaviorAnalytics, DevicesInsights, SourceIPAddress, SourceIPLocation

Operators

BehaviorAnalytics, |, where, >, ago( ), extend, =, DevicesInsights.ThreatIntelIndicatorDescription, isnotempty, contains, and, distinct, sort by, asc
