Keycloak multiple login error events from the same IP address

This rule is part of a beta feature. To learn more, contact Support.

Set up the Keycloak integration.

Goal

Detects when there are multiple login error events generated by the same IP address.

Strategy

This rule monitors Keycloak logs for multiple login error events that originate from the same IP address.

Triage and response

  1. Examine the login error events and assess the source IP address {{@network.client.ip}} and the realm {{@realmName}}.
  2. Identify the users impacted by these login error events.
  3. Block the IP address from which these events originate.
  4. Temporarily suspend the accounts of affected users to mitigate potential malicious activity.
  5. Initiate a password reset for the affected users.
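
The following is an added example, not the rule's own query and not part of the original page. It shows the same grouping logic offline: it parses Keycloak `LOGIN_ERROR` event lines, counts them per source IP in a sliding window, and lists the realms and usernames to review in triage steps 1 and 2. The 5-minute window, the threshold of 3, and the sample log lines are assumptions constructed for illustration; the page states neither a window nor a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of Keycloak's logging event listener (not real data).
E = " WARN [org.keycloak.events] type=LOGIN_ERROR, realmId=demo, "
SAMPLE_LOG = "\n".join([
    f"2024-05-01 10:00:01,000{E}ipAddress=203.0.113.7, error=user_not_found, username=alice",
    f"2024-05-01 10:00:20,000{E}ipAddress=203.0.113.7, error=invalid_user_credentials, username=bob",
    f"2024-05-01 10:00:41,000{E}ipAddress=203.0.113.7, error=invalid_user_credentials, username=bob",
    f"2024-05-01 10:01:05,000{E}ipAddress=203.0.113.7, error=invalid_user_credentials, username=carol",
    "2024-05-01 10:01:30,000 DEBUG [org.keycloak.events] type=LOGIN, realmId=demo, ipAddress=203.0.113.7, username=bob",
    f"2024-05-01 10:02:00,000{E}ipAddress=198.51.100.20, error=invalid_user_credentials, username=dave",
    f"2024-05-01 09:00:00,000{E}ipAddress=192.0.2.9, error=invalid_user_credentials, username=erin",
    f"2024-05-01 09:20:00,000{E}ipAddress=192.0.2.9, error=invalid_user_credentials, username=erin",
    f"2024-05-01 09:40:00,000{E}ipAddress=192.0.2.9, error=invalid_user_credentials, username=erin",
])

FIELD_RE = re.compile(r'(\w+)="?([^,"\s]+)"?')  # key=value pairs, optionally quoted
WINDOW = timedelta(minutes=5)  # assumption: evaluation window
THRESHOLD = 3                  # assumption: errors per IP within the window

def parse_events(text):
    """Return (timestamp, fields) for each LOGIN_ERROR line, oldest first."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") != "LOGIN_ERROR" or "ipAddress" not in fields:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        events.append((ts, fields))
    return sorted(events, key=lambda e: e[0])

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Flag IPs whose LOGIN_ERROR count reaches the threshold inside any window."""
    by_ip = defaultdict(list)
    for ts, fields in events:
        by_ip[fields["ipAddress"]].append((ts, fields))
    findings = {}
    for ip, evs in by_ip.items():
        best = start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # drop events older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings[ip] = {"max_in_window": best,
                            "realms": sorted({f.get("realmId", "?") for _, f in evs}),
                            "users": sorted({f.get("username", "?") for _, f in evs})}
    return findings
```

In this sample, 192.0.2.9 also produces three errors, but they are 20 minutes apart, so only 203.0.113.7 is flagged.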