---
title: SSH password guessing notice from Zeek
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > SSH password guessing notice from Zeek
---

# SSH password guessing notice from Zeek
Classification:attackTactic:[TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)Technique:[T1110-brute-force](https://attack.mitre.org/techniques/T1110) 
## Goal{% #goal %}

Detect the [SSH password guesser notice](https://docs.zeek.org/en/master/scripts/policy/protocols/ssh/detect-bruteforcing.zeek.html).

## Strategy{% #strategy %}

This rule monitors Zeek logs for the notice `SSH::Password_Guessing`. The notice is generated when a host exceeds the failed logins `SSH::password_guesses_limit` threshold.

## Triage and response{% #triage-and-response %}

1. Identify the owners of the host that has been accessed.
1. Work with the team to understand if this authentication was expected/legitimate.
1. If it is determined that the activity is malicious:
   - Block the IP address, if it aligns with organization incident response processes.
   - Begin your organization's incident response process and investigate.