Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd

Brute Force SSH

Severity: Medium · Status: False Positive
ALR-00408 · 2026-05-23T22:15:20Z

Description

Multiple failed SSH login attempts detected on SRV-WEB-01 from an external IP. EmilyAI Triage flagged 47 attempts in 5 minutes targeting the user account 'a.wilson'.
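As an added example that is not part of the SOC365 demo or of EmilyAI Triage, the detection step behind an alert of this kind: a sliding-window counter of failed sshd password attempts per (source IP, target user), run over constructed log lines. The rsyslog-style line format, the threshold of 20 failures in 5 minutes, the process IDs and ports, and the internal address 10.0.12.7 are assumptions for this example; the page does not say which rule or threshold EmilyAI applied, and it does not record why the alert was later marked a false positive, so the example covers only the detection.

```python
"""Added example (not SOC365/EmilyAI code): count failed sshd password
attempts per (source IP, user) over a sliding window and raise an alert
shaped like ALR-00408. All log lines below are constructed for this
example; only the host, user, source IP, count and end time match the alert."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# OpenSSH failure line as written by rsyslog (format assumed for this example), e.g.
# "May 23 22:10:44 SRV-WEB-01 sshd[2187]: Failed password for a.wilson from 185.194.220.87 port 51644 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_login(line, year=2026):
    """Parse one sshd 'Failed password' line; return None for anything else.
    Syslog lines carry no year, so the caller supplies it."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Raise one alert per (source IP, user) once `threshold` failures land
    inside any `window`-long span. Lines are assumed to be in time order.
    The alert keeps the highest count seen so the analyst sees the full run."""
    recent = defaultdict(deque)  # (src, user) -> timestamps inside the current window
    alerts = {}
    for line in lines:
        ev = parse_failed_login(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and (key not in alerts or len(q) > alerts[key]["count"]):
            alerts[key] = {
                "title": "Brute Force SSH",
                "host": ev["host"],
                "user": ev["user"],
                "source_ip": ev["src"],
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "technique": "T1110.001",  # ATT&CK Brute Force: Password Guessing
            }
    return list(alerts.values())


def build_sample_log():
    """Constructed sample: 47 failures against a.wilson from 185.194.220.87 at
    six-second spacing ending 22:15:20, plus benign noise that must not alert."""
    base = datetime(2026, 5, 23, 22, 10, 44, tzinfo=timezone.utc)
    lines = [
        f"{base + timedelta(seconds=6 * i):%b %d %H:%M:%S} SRV-WEB-01 sshd[{2187 + i}]: "
        f"Failed password for a.wilson from 185.194.220.87 port {51644 + i} ssh2"
        for i in range(47)
    ]
    # An admin mistyping a password three times from an internal host (10.0.12.7 is invented).
    lines += [
        f"May 23 22:12:{10 + 4 * k:02d} SRV-WEB-01 sshd[{2330 + k}]: "
        f"Failed password for root from 10.0.12.7 port {40130 + k} ssh2"
        for k in range(3)
    ]
    lines.append("May 23 22:13:05 SRV-WEB-01 sshd[2340]: Accepted publickey for deploy "
                 "from 10.0.12.7 port 40140 ssh2")
    return sorted(lines, key=lambda l: l[:15])  # same day, zero-padded times: prefix sort is chronological


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Keying on (source IP, user) matches the pattern in this alert, one address hammering one account, but it is blind to the two variants an analyst sees just as often: a password spray, where one address tries one or two passwords against many accounts (T1110.003), and a distributed attack, where many addresses share one target account. Both need a second counter keyed on the source alone or the user alone; a rule with only the per-pair key will stay quiet while either is under way.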

Alert Metadata

Alert ID
ALR-00408
Timestamp
2026-05-23T22:15:20Z
Severity
Medium
Status
False Positive
Detection Source
EmilyAI Triage
Assigned Analyst
Marcus Webb

Endpoint Information

Hostname
SRV-WEB-01
User Account
a.wilson
Source IP
185.194.220.87
Destination IP
10.0.189.48
Origin Country
IR Iran

MITRE ATT&CK Mapping

Tactic
Credential Access
Technique
T1110.001 (Brute Force: Password Guessing)
Reference
attack.mitre.org/techniques/T1110.001

Investigation Timeline

22:15:20 Event ingested by SOC365 Engine
22:15:21 EmilyAI triage started — correlation enrichment
22:15:28 EmilyAI confidence: 94% — escalated to human analyst
22:15:53 Alert assigned to analyst: Marcus Webb
22:17:37 Investigation started — querying SIEM and threat intelligence
22:20:39 Containment action taken — endpoint isolated
22:27:17 Alert resolved — remediation complete

Related Alerts

ID · Time · Alert · Severity · Status · Host
ALR-00160 · 7h ago · Brute Force SSH · Medium · Resolved · WS-PC-006
ALR-00112 · 7h ago · Tor Exit Node Connection · Informational · Resolved · SRV-WEB-01
ALR-00407 · 11h ago · C2 Beacon Activity · Medium · Escalated · SRV-WEB-01
ALR-00013 · 11h ago · Brute Force SSH · Low · Escalated · AP-WIFI-03
ALR-00305 · 13h ago · Brute Force SSH · Low · Escalated · SRV-BACKUP-01