---
title: Successful brute force attempt on Oracle fusion app
description: Datadog, the leading service for cloud-scale monitoring.
---

# Successful brute force attempt on Oracle fusion app

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

- Classification: attack
- Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)
- Technique: [T1110-brute-force](https://attack.mitre.org/techniques/T1110)

## Goal{% #goal %}

Detect a successful brute force attack against an Oracle Fusion application by identifying multiple failed login attempts followed by a successful login from the same user.

## Strategy{% #strategy %}

This rule monitors Oracle Fusion audit logs (`source:oracle-fusion` and `service:oracle-fusion-audit`) for `USER_LOGIN` events. It triggers a Medium severity signal when a user accumulates five or more failed login attempts and then successfully authenticates within a 5-minute window, indicating a likely successful brute-force or credential-stuffing attack.
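
The correlation described above, sketched in Python as an added example (this is not Datadog's rule definition or query). The field names `user`, `ts`, `outcome` and `evt` and the sample events are constructed for illustration, and the sketch assumes the success must come after the failures, with the window measured back from the success.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # evaluation window stated by the rule
THRESHOLD = 5                  # "five or more failed login attempts"

def detect(events):
    """Return (user, success_ts, failed_count) for every successful login that
    follows >= THRESHOLD failures by the same user within WINDOW."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    signals = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["evt"] != "USER_LOGIN":
            continue
        recent = failures[ev["user"]]
        # Drop failures that fell out of the window ending at this event.
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
        elif ev["outcome"] == "success":
            if len(recent) >= THRESHOLD:
                signals.append((ev["user"], ev["ts"], len(recent)))
            recent.clear()  # a success starts a fresh sequence for this user
    return signals

# Constructed sample events (hypothetical schema, not real Oracle Fusion audit records).
T0 = datetime(2024, 1, 1, 12, 0, 0)

def make_event(user, offset_s, outcome, evt="USER_LOGIN"):
    return {"user": user, "ts": T0 + timedelta(seconds=offset_s),
            "outcome": outcome, "evt": evt}

SAMPLE = (
    # alice: 6 failures in one minute, then a success -> signal
    [make_event("alice", 10 * i, "failure") for i in range(6)]
    + [make_event("alice", 70, "success")]
    # bob: 5 failures spread over 8 minutes, then a success -> no signal
    + [make_event("bob", 120 * i, "failure") for i in range(5)]
    + [make_event("bob", 600, "success")]
    # carol: 2 mistyped passwords, then a success -> no signal
    + [make_event("carol", 5 * i, "failure") for i in range(2)]
    + [make_event("carol", 20, "success")]
)

if __name__ == "__main__":
    for user, ts, count in detect(SAMPLE):
        print(f"signal: {user} logged in at {ts} after {count} failures")
```

Slow guessing that stays under five failures per 5-minute window, as in the `bob` case, does not trigger this logic.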

## Triage and Response{% #triage-and-response %}

1. Identify the affected user `{{@usr.name}}` and review the full login history for the account.
1. Determine whether the successful login originated from a known or expected IP address and location.
1. Check for any post-authentication activity such as data access, privilege escalation, or configuration changes.
1. If unauthorized access is confirmed, disable the account and revoke active sessions immediately.
1. Escalate to your incident response process and notify the account owner to reset credentials.
