I had a “Groundhog” kind of day investigating detections recently for a higher-ed customer.
For any security team, validating an incident, up or down, is hugely valuable. Every incident you can neither confirm nor rule out is one that wastes precious time and resources.
This one started with detection of an LDAP credentials error. No one knew what the device was, and our related detections view showed that this same device had a “Spike in SSH Sessions” detection three days prior. Secure Shell (SSH) is a common application-layer protocol for secure network communications. Its functions include remote access and remote command execution: over an SSH session, a user can control and modify remote servers.
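A “Spike in SSH Sessions” detection is something you can reproduce from the server's own sshd logs, which is useful when you need to validate what a product has flagged. The Python below is an added example, not code from the original post or from the detection product it describes. It parses constructed sshd syslog lines, buckets accepted logins per host per hour, and flags a bucket whose session count is at least `min_sessions` and more than `factor` times that host's mean over its other hourly buckets. The hostnames, users, addresses, the assumed log year, and the two thresholds are all assumptions, not values from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not from the original post).
# srv-ldap1 sees one key-based service-account login per hour, then eight
# password logins from a new address in the 13:00 hour; srv-web1 is quiet.
SAMPLE_LOG = """\
Jan 10 09:12:01 srv-ldap1 sshd[2101]: Accepted publickey for svc-backup from 10.20.0.15 port 50211 ssh2
Jan 10 10:07:44 srv-ldap1 sshd[2150]: Accepted publickey for svc-backup from 10.20.0.15 port 50340 ssh2
Jan 10 11:03:12 srv-ldap1 sshd[2203]: Accepted publickey for svc-backup from 10.20.0.15 port 50412 ssh2
Jan 10 12:01:50 srv-ldap1 sshd[2260]: Accepted publickey for svc-backup from 10.20.0.15 port 50498 ssh2
Jan 10 13:00:09 srv-ldap1 sshd[2311]: Accepted password for jdoe from 10.20.0.77 port 50533 ssh2
Jan 10 13:00:11 srv-ldap1 sshd[2312]: Accepted password for jdoe from 10.20.0.77 port 50534 ssh2
Jan 10 13:00:14 srv-ldap1 sshd[2313]: Accepted password for jdoe from 10.20.0.77 port 50535 ssh2
Jan 10 13:00:16 srv-ldap1 sshd[2314]: Accepted password for jdoe from 10.20.0.77 port 50536 ssh2
Jan 10 13:00:19 srv-ldap1 sshd[2315]: Accepted password for jdoe from 10.20.0.77 port 50537 ssh2
Jan 10 13:00:21 srv-ldap1 sshd[2316]: Accepted password for jdoe from 10.20.0.77 port 50538 ssh2
Jan 10 13:00:24 srv-ldap1 sshd[2317]: Accepted password for jdoe from 10.20.0.77 port 50539 ssh2
Jan 10 13:00:27 srv-ldap1 sshd[2318]: Accepted password for jdoe from 10.20.0.77 port 50540 ssh2
Jan 10 13:05:02 srv-ldap1 sshd[2330]: Failed password for invalid user admin from 10.20.0.77 port 50541 ssh2
Jan 10 13:10:40 srv-web1 sshd[4410]: Accepted publickey for deploy from 10.20.0.30 port 41000 ssh2
Jan 10 13:11:02 srv-web1 sshd[4411]: Accepted publickey for deploy from 10.20.0.30 port 41001 ssh2
"""

LOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year

# Matches only successful logins; "Failed password" lines do not match.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sessions(log_text):
    """Yield (host, hour_bucket, user, src, method) for each accepted SSH login.

    Failed logins are skipped on purpose: a session spike is about sessions
    that actually opened, not about attempts.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        yield m["host"], ts.replace(minute=0, second=0), m["user"], m["src"], m["method"]


def find_ssh_spikes(log_text, min_sessions=5, factor=3.0):
    """Flag (host, hour) buckets whose accepted-session count is at least
    min_sessions and more than `factor` times the host's mean over its other
    hourly buckets. A host with no other buckets has a baseline of 0, so any
    bucket reaching min_sessions is flagged; the baseline field shows that.
    """
    per_bucket = defaultdict(list)
    for host, bucket, user, src, method in parse_sessions(log_text):
        per_bucket[(host, bucket)].append((user, src, method))

    by_host = defaultdict(dict)
    for (host, bucket), sessions in per_bucket.items():
        by_host[host][bucket] = sessions

    spikes = []
    for host, buckets in by_host.items():
        for bucket, sessions in sorted(buckets.items()):
            others = [len(s) for b, s in buckets.items() if b != bucket]
            baseline = sum(others) / len(others) if others else 0.0
            count = len(sessions)
            if count >= min_sessions and count > factor * baseline:
                # Break the spike down so triage can see who, from where, and how.
                spikes.append({
                    "host": host,
                    "hour": bucket,
                    "sessions": count,
                    "baseline": baseline,
                    "sources": Counter(src for _, src, _ in sessions),
                    "users": Counter(user for user, _, _ in sessions),
                    "methods": Counter(method for _, _, method in sessions),
                })
    return spikes


if __name__ == "__main__":
    for s in find_ssh_spikes(SAMPLE_LOG):
        print(f"{s['host']} {s['hour']:%Y-%m-%d %H:00}: {s['sessions']} sessions "
              f"(baseline {s['baseline']:.1f}/h) sources={dict(s['sources'])} "
              f"users={dict(s['users'])} methods={dict(s['methods'])}")
```

The per-spike breakdown of sources, users and authentication methods is what turns a raw count into something an analyst can act on: eight key-based logins from the usual backup host are a job misfiring, while eight password logins for a new user from an address the host has never seen before deserve the same follow-up the original post gave its unknown device.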