Brute Force SSH

Low Open

ALR-00089 · 2026-05-23T18:31:16Z

Description

Multiple failed SSH login attempts detected on WS-LAP-012 from external IP. Attack Surface Scanner flagged 47 attempts in 5 minutes targeting user 'l.johnson'.

Alert Metadata

Alert ID: ALR-00089
Timestamp: 2026-05-23T18:31:16Z
Severity: Low
Status: Open
Detection Source: Attack Surface Scanner
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: WS-LAP-012
User Account: l.johnson
Source IP: 103.207.216.153
Destination IP: 10.0.18.92
Origin Country: FR France

MITRE ATT&CK Mapping

Tactic: Credential Access
Technique: T1110.001
Reference: attack.mitre.org/techniques/T1110.001

Investigation Timeline

18:31:16 Event ingested by SOC365 Engine

18:31:21 EmilyAI triage started — correlation enrichment

18:31:24 EmilyAI confidence: 80% — escalated to human analyst

18:31:59 Alert assigned to analyst: EmilyAI (auto)

18:32:28 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00275	43m ago	Brute Force SSH	Low	Open	WS-LAP-011
ALR-00448	3h ago	Brute Force SSH	Low	Open	SRV-MAIL-01
ALR-00045	5h ago	Brute Force SSH	Informational	Investigating	WS-PC-002
ALR-00241	7h ago	Rogue DHCP Server	Medium	False Positive	WS-LAP-012
ALR-00348	11h ago	Pass-the-Hash Detected	Low	False Positive	WS-LAP-012