---
title: Bruteforce attack
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Bruteforce attack
---

# Bruteforce attack

Tactic: [TA0042-resource_development](https://attack.mitre.org/tactics/TA0042) Technique: [T1586-compromise-accounts](https://attack.mitre.org/techniques/T1586)

### Goal{% #goal %}

Detect Account Takeover (ATO) attempts on services. ATO attempts include [brute force](https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-007_Credential_Cracking.html), dictionary, and distributed [credential stuffing](https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-008_Credential_Stuffing.html) attacks.

This detection rule is designed to detect brute force attempts, where an attacker tries to log in to a single account using different passwords until one of them is correct by chance.

### Required business logic events{% #required-business-logic-events %}

Datadog auto-instruments many event types. [Review](https://app.datadoghq.com/security/appsec/business-logic) your instrumented business logic events. This detection requires the following instrumented events:

- `users.login.failure`
- `users.login.success`

### Strategy{% #strategy %}

Monitor login events and track failed logins. Generate a `Low` severity signal when:

- The threshold of 40 failed logins is exceeded.
- The threshold of 20 failed logins is exceeded and the IPs are known offenders.

Increase signal severity to `Critical` and identify the compromised account when the IP address has a successful login to this same account.
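
The strategy above can be sketched as detection logic over login events. This is an added example, not Datadog's rule implementation: it assumes failures are counted per target account with no time window (the page states none), that the known-offender IPs come from a caller-supplied set, and it uses constructed sample events.

```python
from collections import defaultdict

FAILURE_THRESHOLD = 40    # page: signal when 40 failed logins are exceeded
OFFENDER_THRESHOLD = 20   # page: lower threshold when the IPs are known offenders

def detect_bruteforce(events, known_offenders=frozenset()):
    """Evaluate time-ordered (event_name, account, ip) tuples.

    Assumptions: failures are counted per target account with no time
    window, and known_offenders is a caller-supplied set of IPs.
    Returns {account: {"severity": ..., "ips": set_of_attacking_ips}}.
    """
    failures = defaultdict(lambda: defaultdict(int))  # account -> ip -> count
    signals = {}
    for name, account, ip in events:
        if name == "users.login.failure":
            per_ip = failures[account]
            per_ip[ip] += 1
            total = sum(per_ip.values())
            from_offenders = sum(n for addr, n in per_ip.items()
                                 if addr in known_offenders)
            if total > FAILURE_THRESHOLD or from_offenders > OFFENDER_THRESHOLD:
                sig = signals.setdefault(account, {"severity": "Low", "ips": set()})
                sig["ips"] = set(per_ip)  # keep the attacking IP list current
        elif name == "users.login.success":
            sig = signals.get(account)
            # Escalate only when the success comes from an IP already
            # seen failing against this same account.
            if sig and ip in sig["ips"]:
                sig["severity"] = "Critical"
                sig["compromised_account"] = account
    return signals

def sample_events():
    """Constructed sample data (documentation-range IPs, made-up accounts)."""
    events = [("users.login.failure", "alice", "203.0.113.7")] * 41
    events += [("users.login.success", "alice", "203.0.113.7")]
    events += [("users.login.failure", "bob", "198.51.100.9")] * 21
    events += [("users.login.failure", "carol", "192.0.2.44")] * 30
    events += [("users.login.success", "carol", "192.0.2.44")]
    return events

if __name__ == "__main__":
    result = detect_bruteforce(sample_events(), known_offenders={"198.51.100.9"})
    for account, sig in sorted(result.items()):
        print(account, sig["severity"], sorted(sig["ips"]))
```

In the sample, `carol` stays below both thresholds, so her later successful login raises nothing, while `bob` crosses only the lower known-offender threshold.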

### Triage and response{% #triage-and-response %}

1. Consider [blocking](https://docs.datadoghq.com/security/application_security/threats/#slow-down-attacks) the attacking IP addresses temporarily to slow attacks.
1. Check compromised accounts, suspend account access temporarily, and force a password change.
1. Implement and enable Multi-Factor Authentication (MFA) when possible.
