Need Playbook to alert on ssh password failures

[mrapw]

using Security Onion 2.3.240. started using Security Onion quite recently so am quite new to this

I have various Windows and Linux agents (filebeat / winlogbeat) deployed and is sending logs to Security Onion, lots of playbooks enabled so all good.

for the filebeat agent on Linux one of the log paths is /var/log/auth.log
I need a playbook or something please which will generate a high priority alert for invalid logins over SSH. if I go into the Hunt area, I see the log entries but there is no alert generated. how can I set this up please?

example log entry below:

@Version 1
agent.ephemeral_id fc5e448a-ca0d-490c-8eb2-bf5096f2fd56
agent.id 1d4714bc-bece-405a-bc19-7510408cf384
agent.name nginx-server
agent.type filebeat
agent.version 8.6.2
ecs.version 8.0.0
host.architecture x86_64
host.containerized false
host.hostname nginx-server
host.id 947acdc82b2042e2b4f24a0d040dbcf7
host.ip [
"192.168.1.2"]
host.mac [
"01-02-03-04-05-06"
]
host.name nginx-server
host.os.codename buster
host.os.family debian
host.os.kernel 4.19.0-23-amd64
host.os.name Debian GNU/Linux
host.os.platform debian
host.os.type linux
host.os.version 10 (buster)
input.type filestream
log.file.path /var/log/auth.log
log.offset 18628
message May 9 14:14:34 nginx-server sshd[820]: Failed password for invalid user testuser from 10.1.2.3 port 57827 ssh2
metadata.beat filebeat
metadata.ip_address 192.168.1.2
metadata.type _doc
metadata.version 8.6.2
observer.name nginx-server
tags [
"beat-ext",
"beats_input_codec_plain_applied"
]
soc_id tpSmAIgBmEIVBhTtUic9
soc_score 7.0966616
soc_type
soc_timestamp 2023-05-09T13:14:35.605Z
soc_source security-onion:so-beats-2023.05.09

[mrapw]

sorted it, this works

title: Invalid SSH Password
description: Detects failed password attempts for invalid SSH users
author: me
logsource:
category: authentication
detection:
selection:
message: 'sshd: Failed password for invalid user*'
condition: selection
level: high