Keycloak high number of error events from a realm
Set up the Keycloak integration.
Goal
Detects when there is a high number of error events from a realm. A realm in Keycloak is an isolated space where users, apps, roles, and groups are managed.
Strategy
This rule monitors logs for a high number of error events from a realm.
Triage and Response
- Investigate the error event logs recorded for the system: {{@syslog.hostname}} and within the realm: {{@realmName}}.
- Examine the source and types of the detected error events.
- Determine whether the errors are originating from a specific user or client.
- Analyze if the errors are of a particular type to assess whether they indicate an attack or a misconfiguration issue.
- If the events are confirmed as an attack, take action to block the source to prevent further incidents.
- Notify affected users about the errors and advise them to take protective measures, such as changing their passwords if suspicious activity is confirmed.
- Consider conducting a thorough review of security configurations within the realm to identify any vulnerabilities.
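The strategy above (count error events per realm and alert when the count is high) and the triage steps (break the errors down by user, client, source address and error type), as an added example that is not part of the Datadog rule or of Keycloak itself. The log lines are constructed for this example and only loosely follow the "key=value, key=value" layout of Keycloak's org.keycloak.events log messages; the field name realmName, the exact line layout, the 60-second window and the threshold of 5 are assumptions, not values taken from the page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real Keycloak server). Two realms:
# "corp" receives a burst of error events, "master" receives a single one.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmName=corp, clientId=web-app, userId=u1, ipAddress=10.0.0.5, error=invalid_user_credentials
2024-05-01T10:00:03Z WARN [org.keycloak.events] (executor-thread-2) type=LOGIN_ERROR, realmName=corp, clientId=web-app, userId=u1, ipAddress=10.0.0.5, error=invalid_user_credentials
2024-05-01T10:00:04Z INFO [org.keycloak.events] (executor-thread-1) type=LOGIN, realmName=corp, clientId=web-app, userId=u7, ipAddress=10.0.0.9
2024-05-01T10:00:05Z WARN [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmName=corp, clientId=web-app, userId=u1, ipAddress=10.0.0.5, error=invalid_user_credentials
2024-05-01T10:00:08Z WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmName=corp, clientId=cli-tool, userId=u2, ipAddress=10.0.0.5, error=user_not_found
2024-05-01T10:00:09Z WARN [org.keycloak.events] (executor-thread-2) type=CODE_TO_TOKEN_ERROR, realmName=corp, clientId=web-app, userId=null, ipAddress=10.0.0.5, error=invalid_code
2024-05-01T10:00:12Z WARN [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmName=master, clientId=admin-cli, userId=null, ipAddress=10.0.0.20, error=user_not_found
2024-05-01T10:02:30Z WARN [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmName=corp, clientId=web-app, userId=u3, ipAddress=10.0.0.33, error=invalid_user_credentials
"""

# Assumed line layout: "<timestamp> <level> [org.keycloak.events] (<thread>) k=v, k=v, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+\[org\.keycloak\.events\]\s+\([^)]*\)\s+(?P<kv>.*)$"
)


def parse_event(line):
    """Parse one event line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for pair in m.group("kv").split(", "):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value.strip()
    # Timestamps are ISO 8601 with a trailing Z; make them timezone-aware.
    fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return fields


def parse_log(text):
    """Parse all non-empty lines, silently skipping lines that are not Keycloak events."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    return [ev for ev in events if ev is not None]


def is_error_event(ev):
    """Keycloak error events carry a *_ERROR type and usually an error=<reason> field."""
    return ev.get("type", "").endswith("_ERROR") or "error" in ev


def detect_noisy_realms(events, window_seconds=60, threshold=5):
    """Return {realm: peak_count} for realms whose error-event count within any
    sliding window of window_seconds reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    per_realm = {}
    for ev in events:
        if is_error_event(ev):
            per_realm.setdefault(ev.get("realmName", "?"), []).append(ev["ts"])
    noisy = {}
    for realm, stamps in per_realm.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):
            # Slide the left edge forward until the window fits.
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            noisy[realm] = peak
    return noisy


def triage_breakdown(events, realm):
    """Count a realm's error events by user, client, source IP and error reason,
    which is the data the triage steps ask for (specific user/client? which type?)."""
    counters = {k: Counter() for k in ("userId", "clientId", "ipAddress", "error")}
    for ev in events:
        if ev.get("realmName") == realm and is_error_event(ev):
            for key, counter in counters.items():
                counter[ev.get(key, "?")] += 1
    return counters


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for realm, peak in detect_noisy_realms(evs).items():
        print(f"realm {realm}: {peak} error events in one 60s window")
        for field, counter in triage_breakdown(evs, realm).items():
            print(f"  by {field}: {counter.most_common(3)}")
```

In the sample data the breakdown shows that almost all "corp" errors come from a single IP and a single client while the user IDs vary, which is the kind of pattern the triage steps want separated from a plain misconfiguration (one client repeatedly failing with the same reason). Adjust the window and threshold to the realm's normal error rate before relying on the result.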