Brute Force SSH

Medium Open

ALR-00334 · 2026-04-10T14:34:47Z

Description

Multiple failed SSH login attempts detected on SRV-MAIL-01 from external IP. Cloud Connector flagged 47 attempts in 5 minutes targeting user 'c.williams'.

Alert Metadata

Alert ID: ALR-00334
Timestamp: 2026-04-10T14:34:47Z
Severity: Medium
Status: Open
Detection Source: Cloud Connector
Assigned Analyst: Marcus Webb

Endpoint Information

Hostname: SRV-MAIL-01
User Account: c.williams
Source IP: 185.26.220.88
Destination IP: 10.2.217.135
Origin Country: KP North Korea

MITRE ATT&CK Mapping

Tactic: Credential Access
Technique: T1110.001
Reference: attack.mitre.org/techniques/T1110.001

Investigation Timeline

14:34:47 Event ingested by SOC365 Engine

14:34:51 EmilyAI triage started — correlation enrichment

14:34:59 EmilyAI confidence: 79% — escalated to human analyst

14:35:19 Alert assigned to analyst: Marcus Webb

14:36:03 Investigation started — querying SIEM and threat intelligence

Related Alerts

ID	Time	Alert	Severity	Status	Host
ALR-00025	4h ago	Brute Force SSH	Low	Resolved	FW-EDGE-01
ALR-00454	8h ago	Suspicious PowerShell Execution	Informational	Escalated	SRV-MAIL-01
ALR-00157	17h ago	Brute Force SSH	Low	Open	WS-LAP-011
ALR-00280	19h ago	Anomalous DNS Query	Informational	False Positive	SRV-MAIL-01
ALR-00316	23h ago	DecoyPulse Honeypot Triggered	Low	Open	SRV-MAIL-01