Brute Force SSH

Low Investigating

ALR-00293 · 2026-05-23T13:11:27Z

Description

Multiple failed SSH login attempts detected on SRV-APP-01 from external IP. Dark Web Monitor flagged 47 attempts in 5 minutes targeting user 'p.thomas'.

Alert Metadata

Alert ID: ALR-00293
Timestamp: 2026-05-23T13:11:27Z
Severity: Low
Status: Investigating
Detection Source: Dark Web Monitor
Assigned Analyst: EmilyAI (auto)

Endpoint Information

Hostname: SRV-APP-01
User Account: p.thomas
Source IP: 194.75.62.117
Destination IP: 10.0.162.110
Origin Country: VN Vietnam

MITRE ATT&CK Mapping

Tactic: Credential Access
Technique: T1110.001
Reference: attack.mitre.org/techniques/T1110.001

Investigation Timeline

13:11:27 Event ingested by SOC365 Engine

13:11:29 EmilyAI triage started — correlation enrichment

13:11:42 EmilyAI confidence: 85% — escalated to human analyst

13:11:51 Alert assigned to analyst: EmilyAI (auto)

13:13:01 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00001	14h ago	Unusual Outbound Traffic	Medium	False Positive	SRV-APP-01
ALR-00466	22h ago	Brute Force SSH	Critical	Escalated	WS-LAP-011
ALR-00488	1d ago	Brute Force SSH	Low	Escalated	WS-MAC-005
ALR-00212	1d ago	Unusual Outbound Traffic	Low	Investigating	SRV-APP-01
ALR-00223	1d ago	Kerberoasting Attempt	Medium	Open	SRV-APP-01