You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/case-study-linux-auth-bruteforce.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -119,7 +119,7 @@ These warnings are useful because they prevent silent overconfidence. A reviewer
119
119
120
120
## False-positive boundary
121
121
122
-
The findings should be read as triage statements:
122
+
The findings should be read as triage statements and checked against the rule-by-rule taxonomy in [`rule-catalog.md`](./rule-catalog.md):
123
123
124
124
-`203.0.113.10` is a documentation-range placeholder; in a real case, the same pattern could be an external scanner, shared gateway, internal test, or replayed lab traffic.
125
125
- Username spread supports a probing interpretation, but intent is not observable from these lines alone.
Copy file name to clipboardExpand all lines: docs/rule-catalog.md
+46Lines changed: 46 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -39,6 +39,19 @@ JSON findings include both the finding conclusion and the rule context used to r
39
39
40
40
For `multi_user_probing`, `observed_count` is the distinct username count, while `event_count` remains the number of attempt-evidence events in the selected window.
41
41
42
+
## False-Positive Taxonomy
43
+
44
+
The taxonomy names benign or ambiguous explanations a reviewer should consider before interpreting a finding. It is not an allow-list, suppression policy, or automatic disposition.
45
+
46
+
Each rule uses the same review buckets:
47
+
48
+
- NAT
49
+
- internal scanner
50
+
- lab replay
51
+
- shared bastion
52
+
- scheduled admin task
53
+
- malformed log replay
54
+
42
55
## Brute Force
43
56
44
57
### Rule name
@@ -85,6 +98,17 @@ This rule identifies concentrated failed SSH authentication evidence from one so
85
98
86
99
The finding is a triage signal. It is not a compromise verdict, attribution claim, or recommendation to block an address.
87
100
101
+
### False-positive taxonomy
102
+
103
+
| Bucket | Review interpretation |
104
+
| --- | --- |
105
+
| NAT | Multiple legitimate clients behind one egress address can collapse into one `source_ip`. |
106
+
| internal scanner | Authorized credential auditing or exposure scanning can intentionally generate repeated failures. |
107
+
| lab replay | Sanitized sample data, training fixtures, or repeated demos can preserve concentrated failure patterns. |
108
+
| shared bastion | A managed jump host or administrative relay can make many failed attempts appear to come from one source. |
109
+
| scheduled admin task | A recurring job with stale credentials can fail repeatedly inside the rule window. |
110
+
| malformed log replay | Duplicated or replayed log material can inflate apparent volume; unsupported malformed lines remain warnings and are not counted. |
111
+
88
112
### Why unsupported evidence is not counted
89
113
90
114
Unsupported lines are parser warnings, not `AuthSignal` records. They may appear in `top_unknown_patterns`, but they do not carry the `counts_as_terminal_auth_failure` flag required by this rule.
@@ -142,6 +166,17 @@ This rule identifies username spread from one source IP. Username spread can be
142
166
143
167
The rule does not infer intent. It only states that one source IP produced attempt evidence against multiple usernames inside the configured window.
144
168
169
+
### False-positive taxonomy
170
+
171
+
| Bucket | Review interpretation |
172
+
| --- | --- |
173
+
| NAT | Different users behind one egress address can look like one source probing multiple accounts. |
174
+
| internal scanner | Authorized username-enumeration tests or account-audit tooling can touch many usernames by design. |
175
+
| lab replay | Replayed lab logs can preserve synthetic username spread without representing live probing. |
176
+
| shared bastion | Shared administrative entry points can produce attempts for several accounts from one source IP. |
177
+
| scheduled admin task | Account validation, migration, or monitoring jobs can try multiple service or user accounts in one window. |
178
+
| malformed log replay | Replayed or partially malformed evidence can duplicate username variety; unsupported records remain parser warnings and do not add usernames. |
179
+
145
180
### Why unsupported evidence is not counted
146
181
147
182
Unsupported records do not provide normalized usernames, source IPs, or attempt-evidence flags. Counting them would turn parser uncertainty into detector confidence.
@@ -194,6 +229,17 @@ This rule identifies concentrated sudo command activity by one user. It does not
194
229
195
230
The finding is strongest when reviewed with session context, change windows, host ownership, and the command text preserved in the report.
196
231
232
+
### False-positive taxonomy
233
+
234
+
| Bucket | Review interpretation |
235
+
| --- | --- |
236
+
| NAT | Usually not a primary explanation because this rule groups by `username`, but it may matter when reviewed alongside source-IP findings. |
237
+
| internal scanner | Endpoint assessment, compliance checks, or privileged inventory tooling can run several sudo commands quickly. |
238
+
| lab replay | Demo or training logs can replay a compact privileged-command sequence. |
239
+
| shared bastion | Shared administrative accounts or jump-host workflows can concentrate privileged commands under one username. |
240
+
| scheduled admin task | Maintenance windows, package updates, service repair, or scripted operations can produce bursty sudo activity. |
241
+
| malformed log replay | Duplicated sudo lines or replayed command logs can inflate the command count; unsupported malformed sudo-like lines stay out of rule input. |
242
+
197
243
### Why unsupported evidence is not counted
198
244
199
245
Unsupported sudo-like lines are parser warnings, not sudo burst signals. They do not carry `counts_as_sudo_burst_evidence`.
0 commit comments