For Linux Systems:
SSH Failed Logins:
This alert is triggered when a login attempt to a Linux server over SSH (for
example, from PuTTY) fails.
Privilege Escalation Failures:
This alert is triggered when a user or local account fails to run a command with elevated privileges (using sudo).
Analysis:
Check the account's activity over the last day for any password change events.
A successful password change followed by login failures often points to a sync or credential issue
rather than a security problem.
If everything lines up and there is no other suspicious activity, wrap up the investigation and close
the case.
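As an added worked example (not part of this runbook), the script below applies the two alert definitions and the analysis step above to a handful of constructed syslog-style auth lines from sshd, passwd and sudo. It groups failures per account, checks whether a password change preceded the first failure within the lookback window, and labels each account with the runbook's verdict. The sample log lines, the 24-hour lookback, the assumed year (syslog timestamps carry none) and the verdict wording are all assumptions of this example.

```python
"""Triage helper for Linux SSH failed-login and sudo failure alerts.

Added example, not from the original runbook. Parses syslog-style auth lines,
groups failures per account, and applies the analysis rule: a password change
in the lookback window followed by SSH failures is a likely credential sync
issue; anything else is escalated to the account owner.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format written by sshd, passwd and sudo via syslog.
SAMPLE_LOG = """\
Apr 12 09:10:41 web01 passwd[2290]: pam_unix(passwd:chauthtok): password changed for alice
Apr 12 09:14:02 web01 sshd[2311]: Failed password for alice from 10.0.5.23 port 51422 ssh2
Apr 12 09:14:07 web01 sshd[2311]: Failed password for alice from 10.0.5.23 port 51422 ssh2
Apr 12 09:20:15 web01 sshd[2402]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Apr 12 09:21:05 web01 sudo:      bob : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

ASSUMED_YEAR = 2024  # assumption: syslog timestamps carry no year

TS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
PASSWD_CHANGE_RE = re.compile(r"password changed for (?P<user>\S+)")
SUDO_FAIL_RE = re.compile(r"^\s*(?P<user>\S+) : \d+ incorrect password attempts? ;")


def parse_line(line):
    """Return (timestamp, kind, user, source, unknown_account) or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    proc, msg = m["proc"], m["msg"]
    if proc == "sshd":
        f = SSH_FAIL_RE.search(msg)
        if f:
            # "invalid user" means the account does not exist on this host
            return ts, "ssh_fail", f["user"], f["src"], f["invalid"] is not None
    elif proc == "passwd":
        p = PASSWD_CHANGE_RE.search(msg)
        if p:
            return ts, "passwd_change", p["user"], None, False
    elif proc == "sudo":
        s = SUDO_FAIL_RE.match(msg)
        if s:
            return ts, "sudo_fail", s["user"], None, False
    return None


def triage(log_text, lookback=timedelta(hours=24)):
    """Group failures per account and apply the runbook's analysis rule."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    changes = defaultdict(list)
    failures = defaultdict(list)
    for ts, kind, user, src, unknown in events:
        if kind == "passwd_change":
            changes[user].append(ts)
        else:
            failures[user].append((ts, kind, src, unknown))

    report = {}
    for user, fails in failures.items():
        first_fail = min(ts for ts, _, _, _ in fails)
        # A password change inside the lookback window before the first failure
        recent_change = any(first_fail - lookback <= c <= first_fail
                            for c in changes.get(user, []))
        kinds = sorted({k for _, k, _, _ in fails})
        sources = sorted({s for _, _, s, _ in fails if s})
        unknown_account = any(u for _, _, _, u in fails)
        if recent_change and "ssh_fail" in kinds and not unknown_account:
            verdict = "likely credential sync issue; confirm with owner, close if expected"
        else:
            verdict = "escalate: confirm with owner; reset password if unrecognised"
        report[user] = {
            "failures": len(fails), "kinds": kinds, "sources": sources,
            "unknown_account": unknown_account,
            "password_changed_before": recent_change, "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for user, r in triage(SAMPLE_LOG).items():
        print(f"{user}: {r}")
```

Running the script prints one line per account: alice (two SSH failures shortly after a password change) is labelled a likely sync issue, while admin (a non-existent account from an external address) and bob (a sudo failure) are marked for escalation.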
Mitigation:
Reach out to the user or service account owner to confirm whether the failed login attempts are expected. If
they recognize the attempts as legitimate, close the incident. If the logins are unfamiliar, the
password should be reset. Here is how to proceed:
• For administrative accounts, send the incident to the Windows team.
• For regular user accounts, direct the incident to the Service Desk team for a password reset.
Where the incident is routed depends on the organization's scope.