[metadata] creation_date = "2020/07/08" deprecation_date = "2022/07/25" maturity = "deprecated" updated_date = "2022/07/25" [rule] author = ["Elastic"] description = "Identifies that the maximum number login sessions has been reached for a user." index = ["auditbeat-*"] language = "kuery" license = "Elastic License v2" name = "Auditd Max Login Sessions" references = [ "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007", ] risk_score = 47 rule_id = "20dc4620-3b68-4269-8124-ca5091e00ea8" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] timestamp_override = "event.ingested" type = "query" query = ''' event.module:auditd and event.action:"opened-too-many-sessions-to" ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/"