ssh_external_internal

Explanation

The ssh_external_internal event monitors for successful SSH connections from external sources to internal destinations. It is an important event to monitor because a successful SSH session established from outside the network into an internal host can indicate a security breach.

What to Look For

When examining the results of the ssh_external_internal event, look for successful SSH connections that originate from external IP addresses and terminate on internal IP addresses. Verify that the destination IP address is a legitimate internal resource that is expected to accept SSH from outside the network. Because this event relates to SSH, examine the activity on both the network and the endpoint for signs of unauthorized access or exfiltration of sensitive data. Immediate response and investigation are recommended, as a successful SSH connection from an external source may signal a security breach and require remedial action.
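The following is an added example, not code from the original page or from the product that emits this event: it applies the event's matching logic (successful authentication, external source, internal destination) to constructed SSH session records and tags each hit with a triage hint based on an assumed allowlist of hosts that are meant to accept SSH from the internet. The record field names, the RFC 1918 definition of "internal", and the allowlist are all assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample records; field names are an assumption, not the product's schema.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ts": "2024-05-01T08:00:01Z", "src": "203.0.113.45", "dst": "10.20.30.40", "dport": 22, "auth_success": True},
    {"ts": "2024-05-01T08:00:05Z", "src": "10.0.0.5", "dst": "10.20.30.40", "dport": 22, "auth_success": True},
    {"ts": "2024-05-01T08:00:09Z", "src": "198.51.100.7", "dst": "10.20.30.41", "dport": 22, "auth_success": False},
    {"ts": "2024-05-01T08:00:12Z", "src": "192.0.2.9", "dst": "172.16.5.5", "dport": 2222, "auth_success": True},
]

# "Internal" here means RFC 1918 plus IPv6 ULA; widen this to the site's own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed allowlist: hosts that are expected to accept external SSH (e.g. a bastion).
APPROVED_SSH_INGRESS = {"10.20.30.40"}


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of INTERNAL_NETS; unparseable values count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # Membership across IP versions is simply False, so mixed lists are safe.
    return any(addr in net for net in INTERNAL_NETS)


def ssh_external_internal(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return copies of the records that match the event, each with a 'triage' hint added."""
    hits: List[Dict[str, object]] = []
    for e in events:
        if not e.get("auth_success"):
            continue  # failed logins are not this event (brute-force is a separate concern)
        src, dst = str(e["src"]), str(e["dst"])
        if is_internal(src) or not is_internal(dst):
            continue  # need an external source AND an internal destination
        hit = dict(e)
        # A hit on an approved ingress host still deserves a look, but an unexpected
        # destination is the "verify the destination is legitimate" case from the text.
        hit["triage"] = "expected" if dst in APPROVED_SSH_INGRESS else "investigate"
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in ssh_external_internal(SAMPLE_EVENTS):
        print(h["ts"], h["src"], "->", h["dst"], h["dport"], h["triage"])
```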

Related MITRE ATT&CK Categories

Exfiltration Over Alternative Protocol, Technique T1048 (Enterprise)

Ingress Tool Transfer, Technique T1105 (Enterprise)

Remote Services, Technique T1021 (Enterprise)