Keycloak high number of error events from a realm
Goal
Detects when there is a high number of error events from a realm. A realm in Keycloak is an isolated space where users, apps, roles, and groups are managed.
Strategy
This rule monitors logs for a high number of error events from a realm.
Triage and Response
- Investigate the error event logs recorded for the system {{@syslog.hostname}} and within the realm {{@realmName}}.
- Examine the source and types of the detected error events.
- Determine whether the errors are originating from a specific user or client.
- Analyze if the errors are of a particular type to assess whether they indicate an attack or a misconfiguration issue.
- If the events are confirmed as an attack, take action to block the source to prevent further incidents.
- Notify affected users about the errors and advise them to take protective measures, such as changing their passwords if suspicious activity is confirmed.
- Consider conducting a thorough review of security configurations within the realm to identify any vulnerabilities.
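
The first triage steps above, as an added example that is not part of the detection rule: it groups Keycloak error events per realm by type, error, client, user and source IP, so a single dominant source or a single dominant client stands out. The log lines are constructed; the key=value layout, the field names (realmId, realmName, clientId, userId, ipAddress, error) and the `_ERROR` suffix on error event types are assumptions based on Keycloak's logging event listener, and the 0.8 cut-off is illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the page), in the key=value layout of
# Keycloak's org.keycloak.events logger; field names are assumed from it.
SAMPLE_LOG = """\
WARN [org.keycloak.events] type=LOGIN_ERROR, realmId=shop, clientId=web, userId=null, ipAddress=203.0.113.7, error=user_not_found
WARN [org.keycloak.events] type=LOGIN_ERROR, realmId=shop, clientId=web, userId=null, ipAddress=203.0.113.7, error=user_not_found
WARN [org.keycloak.events] type=LOGIN_ERROR, realmId=shop, clientId=web, userId=null, ipAddress=203.0.113.7, error=user_not_found
WARN [org.keycloak.events] type=LOGIN_ERROR, realmId=shop, clientId=web, userId=null, ipAddress=203.0.113.7, error=invalid_user_credentials
WARN [org.keycloak.events] type=LOGIN_ERROR, realmId=shop, clientId=web, userId=u-17, ipAddress=198.51.100.4, error=invalid_user_credentials
DEBUG [org.keycloak.events] type=LOGIN, realmId=shop, clientId=web, userId=u-17, ipAddress=198.51.100.4
WARN [org.keycloak.events] type=CLIENT_LOGIN_ERROR, realmId=hr, clientId=batch-job, userId=null, ipAddress=10.0.0.5, error=invalid_client_credentials
WARN [org.keycloak.events] type=CLIENT_LOGIN_ERROR, realmId=hr, clientId=batch-job, userId=null, ipAddress=10.0.0.6, error=invalid_client_credentials
"""

PAIR = re.compile(r"(\w+)=([^,]*)")
DIMENSIONS = ("type", "error", "clientId", "userId", "ipAddress")

def parse_event(line):
    """Return the event fields as a dict, or None for non-event lines."""
    _, marker, body = line.partition("[org.keycloak.events]")
    if not marker:
        return None
    return {key: value.strip() for key, value in PAIR.findall(body)}

def summarize_errors(lines):
    """Count error events per realm along each triage dimension."""
    summary = defaultdict(lambda: {d: Counter() for d in DIMENSIONS})
    for line in lines:
        event = parse_event(line)
        if not event or not event.get("type", "").endswith("_ERROR"):
            continue
        realm = event.get("realmName") or event.get("realmId", "unknown")
        for dim in DIMENSIONS:
            summary[realm][dim][event.get(dim, "unknown")] += 1
    return summary

def dominant(counter, share=0.8):
    """Value behind at least `share` of the events, else None (0.8 is an
    illustrative cut-off, not a setting of the detection rule)."""
    if not counter:
        return None
    value, count = counter.most_common(1)[0]
    return value if count / sum(counter.values()) >= share else None

if __name__ == "__main__":
    for realm, dims in summarize_errors(SAMPLE_LOG.splitlines()).items():
        print(realm, {d: dominant(c) for d, c in dims.items()})
```

In the constructed data, the `shop` realm's errors concentrate on one source IP with mixed credential errors, while the `hr` realm's errors concentrate on one client seen from several hosts; that is the kind of distinction the attack-versus-misconfiguration step asks for.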