Brute Force SSH

Medium False Positive

ALR-00042 · 2026-05-27T14:59:17Z

Description

Multiple failed SSH login attempts detected on SRV-WEB-01 from external IP. Attack Surface Scanner flagged 47 attempts in 5 minutes targeting user 'j.smith'.

Alert Metadata

Alert ID: ALR-00042
Timestamp: 2026-05-27T14:59:17Z
Severity: Medium
Status: False Positive
Detection Source: Attack Surface Scanner
Assigned Analyst: James Okonkwo

Endpoint Information

Hostname: SRV-WEB-01
User Account: j.smith
Source IP: 91.185.195.149
Destination IP: 10.1.189.135
Origin Country: GB United Kingdom

MITRE ATT&CK Mapping

Tactic: Credential Access
Technique: T1110.001
Reference: attack.mitre.org/techniques/T1110.001

Investigation Timeline

14:59:17 Event ingested by SOC365 Engine

14:59:19 EmilyAI triage started — correlation enrichment

14:59:25 EmilyAI confidence: 93% — escalated to human analyst

14:59:46 Alert assigned to analyst: James Okonkwo

15:00:40 Investigation started — querying SIEM and threat intelligence

15:08:00 Containment action taken — endpoint isolated

15:16:37 Alert resolved — remediation complete

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00181	2h ago	Unauthorised USB Device	Low	Escalated	SRV-WEB-01
ALR-00061	2h ago	Failed MFA Challenge	Low	Resolved	SRV-WEB-01
ALR-00332	5h ago	Brute Force SSH	High	Open	SRV-APP-01
ALR-00185	8h ago	Lateral Movement Detected	Low	Resolved	SRV-WEB-01
ALR-00465	10h ago	Brute Force SSH	Informational	Resolved	SRV-SQL-01