ssh_external_internal
Explanation
The ssh_external_internal event monitors for successful SSH connections from external sources to internal destinations. This is an important security event to monitor since successful external SSH connections could indicate a potential security breach.
What to Look For
When examining the results of the ssh_external_internal event, look for successful SSH connections originating from external IP addresses to internal IP addresses. Verify the destination IP address is a legitimate internal resource. As this event relates to SSH, it is important to examine the activity on both the network and the endpoint for signs of unauthorized access or exfiltration of sensitive data. Immediate response and investigation are recommended, as successful SSH connections from external sources may signal a security breach and require remedial action.
Related MITRE ATT&CK Categories
Exfiltration Over Alternative Protocol, Technique T1048 - Enterprise
Ingress Tool Transfer, Techniques T1105
Remote Services, Techniques T1021
Updated 4 days ago