During a routine SIEM monitoring shift, the SOC dashboard flagged 847 failed SSH authentication attempts against a Linux server (192.168.10.50) from a single external IP over a 4-minute window. The correlation rule threshold — more than 10 failed attempts per 60 seconds — was exceeded.
Determine whether the failures represent a genuine brute force attack. Identify the attacker IP and attack pattern, assess whether any credential was compromised, and produce containment actions and detection improvements.
SIEM alert "SSH_BRUTE_FORCE_THRESHOLD_EXCEEDED" — 847 failed attempts from 45.142.212.100 in 4 minutes. Classified True Positive based on volume and pattern.
Splunk query: index=linux sourcetype=syslog "Failed password" | stats count by src_ip, user. Note that src_ip and user are not native syslog fields; they must be extracted from the sshd message (rex or a saved field extraction) before stats can group on them. Identified systematic username enumeration: root, admin, ubuntu, pi. The default-account wordlist and the steady timing (avg 287ms between attempts) are consistent with an automated tool such as Hydra or Medusa, although the specific tool cannot be confirmed from the log alone.
AbuseIPDB confidence score 98% — 312 reports in 30 days for SSH scanning. Whois: AS198605 — Atlex.ru, Russia. VPS provider associated with attack infrastructure.
Cross-referenced auth.log for "Accepted password" and "Accepted publickey" events. Result: zero successful authentications. This check should cover the enumerated usernames from any source after the first failed attempt, not only logins from the attacker IP, since a guessed credential may be replayed from a different host. No lateral movement detected in subsequent Sysmon for Linux logs.
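The two triage steps above (per-source failure counts with usernames and inter-attempt timing, then the cross-check for any "Accepted" login) as an added example, not code from the original write-up: a Python script that parses sshd lines from auth.log and applies the 10-per-60-seconds rule. It assumes rsyslog is writing RFC 3339 high-precision timestamps so sub-second spacing is measurable; the log lines returned by constructed_authlog() are constructed for the example, not incident data, and the hostname web01 and internal address 10.0.5.12 are invented.

```python
"""Triage of sshd events from auth.log: per-source failure counts, usernames
tried, burst rate against the 10-per-60s rule, and a cross-check for any
'Accepted' login. Added example code; the log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Assumption: rsyslog writes RFC 3339 high-precision timestamps
# (e.g. 2024-03-14T10:02:01.123456+00:00). The default "Mar 14 10:02:01"
# format has only second resolution, so sub-second gaps could not be measured.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict for a Failed/Accepted sshd event, or None for anything else.
    'Invalid user X from ...' lines are ignored on purpose: sshd also logs
    'Failed password for invalid user X' for the same attempt, so counting
    both would double the attempt count."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for outcome, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        e = rx.match(m.group("msg"))
        if e:
            return {"ts": datetime.fromisoformat(m.group("ts")), "outcome": outcome,
                    "method": e.group("method"), "user": e.group("user"),
                    "src_ip": e.group("ip")}
    return None


def max_in_window(timestamps, window_s=60):
    """Largest number of events inside any sliding window of window_s seconds."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > timedelta(seconds=window_s):
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(lines, threshold=10, window_s=60):
    """Summarise failed logins per source IP and flag any source exceeding
    `threshold` failures inside `window_s` seconds (the page's correlation rule)."""
    failed, accepted = defaultdict(list), []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is not None:
            (failed[ev["src_ip"]] if ev["outcome"] == "failed" else accepted).append(ev)
    accepted.sort(key=lambda e: e["ts"])
    report = {}
    for ip, evs in failed.items():
        evs.sort(key=lambda e: e["ts"])
        users = list(dict.fromkeys(e["user"] for e in evs))  # first-seen order
        gaps_ms = [(b["ts"] - a["ts"]).total_seconds() * 1000 for a, b in zip(evs, evs[1:])]
        # Successful logins at or after this source's first failure: from the same
        # IP, and for any username it tried from *any* IP, since a guessed
        # credential may be replayed from a different host.
        later = [e for e in accepted if e["ts"] >= evs[0]["ts"]]
        peak = max_in_window([e["ts"] for e in evs], window_s)
        report[ip] = {
            "failed": len(evs),
            "users": users,
            "peak_per_window": peak,
            "mean_gap_ms": round(mean(gaps_ms)) if gaps_ms else None,
            "accepted_from_src": sum(1 for e in later if e["src_ip"] == ip),
            "accepted_for_tried_users": [(e["user"], e["src_ip"]) for e in later
                                         if e["user"] in users],
            "flagged": peak > threshold,
        }
    return report


def constructed_authlog():
    """Constructed sample (not incident data): 32 attempts from one source cycling
    through root/admin/ubuntu/pi at 287 ms spacing, plus benign internal traffic."""
    base = datetime.fromisoformat("2024-03-14T10:02:00.000000+00:00")
    attacker, lines = "45.142.212.100", []
    for i, user in enumerate(["root", "admin", "ubuntu", "pi"] * 8):
        ts = (base + timedelta(milliseconds=287 * i)).isoformat()
        tag = "" if user in ("root", "ubuntu") else "invalid user "  # nonexistent accounts
        lines.append(f"{ts} web01 sshd[{2100 + i}]: Failed password for {tag}{user} "
                     f"from {attacker} port {41000 + i} ssh2")
    lines += [
        "2024-03-14T10:01:30.500000+00:00 web01 sshd[2090]: Accepted publickey for deploy "
        "from 10.0.5.12 port 51422 ssh2: ED25519 SHA256:AbCdEf",
        "2024-03-14T10:03:10.000000+00:00 web01 sshd[2140]: Failed password for alice "
        "from 10.0.5.12 port 51500 ssh2",
        "2024-03-14T10:03:15.250000+00:00 web01 sshd[2141]: Accepted password for alice "
        "from 10.0.5.12 port 51500 ssh2",
        "2024-03-14T10:03:16.000000+00:00 web01 sshd[2142]: Invalid user pi "
        "from 45.142.212.100 port 41100",
    ]
    return lines


if __name__ == "__main__":
    for ip, summary in triage(constructed_authlog()).items():
        print(ip, summary)
```

In the constructed data the attacker is flagged with four usernames, a 287 ms mean gap and no successful login, while the internal host that mistyped a password once is not flagged but does show an "Accepted" event for the same user afterwards. That second case is why the success check is keyed on usernames and time rather than only on the attacker IP.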
Firewall block: iptables -A INPUT -s 45.142.212.100 -p tcp --dport 22 -j DROP. Note that -A appends the rule to the end of the INPUT chain; if an earlier rule already accepts port 22 or ESTABLISHED traffic, the DROP is never reached, so insert it at the top of the chain instead (-I INPUT 1) and confirm its position with iptables -L INPUT -n --line-numbers. Recommended hardening: SSH key-only authentication (PasswordAuthentication no in sshd_config, which removes the password-guessing surface entirely), fail2ban to automate blocking of future sources, and a non-standard SSH port, which reduces opportunistic scanning noise but is not a security control on its own.
Finding: Confirmed automated SSH brute force from threat actor infrastructure. No credentials compromised. Attack contained within 6 minutes of initial alert triage.