Keycloak multiple login error events from the same IP address

This rule is part of a beta feature. To learn more, contact Support.

Set up the keycloak integration.

Goal

Detects when there are multiple login error events generated by the same IP address.

Strategy

This rule monitors for multiple login error events originating from the same IP address.

Triage and response

  1. Examine the login error events and assess the source IP {{@network.client.ip}} on realm {{@realmName}}.
  2. Identify the users impacted by these login error events.
  3. Block the IP address where these events are originating.
  4. Temporarily suspend the accounts of affected users to mitigate potential malicious activity.
  5. Initiate a password reset for the affected users.
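The detection described under Strategy, together with triage step 2, as an added illustration that is not Datadog's or Keycloak's own rule implementation: events are grouped by source IP and realm, counted inside a sliding window, and the distinct users touched by each flagged source are listed. Field names follow the attributes quoted on this page; the threshold, window and sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, ip, user, realm="master", name="LOGIN_ERROR"):
    """Build one constructed, Datadog-style Keycloak event (assumed field names)."""
    return {"timestamp": ts, "evt.name": name, "network.client.ip": ip,
            "realmName": realm, "usr.name": user}


# Constructed sample events, not real Keycloak logs.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00Z", "203.0.113.7", "alice"),
    ev("2024-05-01T10:00:05Z", "203.0.113.7", "bob"),
    ev("2024-05-01T10:00:09Z", "203.0.113.7", "carol"),
    ev("2024-05-01T10:00:14Z", "203.0.113.7", "dave"),
    ev("2024-05-01T10:00:20Z", "203.0.113.7", "erin"),
    ev("2024-05-01T10:00:30Z", "203.0.113.7", "alice", name="LOGIN"),  # success, not counted
    ev("2024-05-01T10:01:00Z", "198.51.100.2", "frank"),
    ev("2024-05-01T10:20:00Z", "198.51.100.2", "frank"),  # spread out: below threshold
    ev("2024-05-01T10:40:00Z", "198.51.100.2", "frank"),
]


def find_noisy_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(ip, realm): sorted affected users} for every source that produced
    at least `threshold` LOGIN_ERROR events within any span of length `window`.
    Threshold and window are assumed values, not the rule's real settings."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("evt.name") != "LOGIN_ERROR":
            continue  # only login failures count toward the rule
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        by_src[(e["network.client.ip"], e["realmName"])].append((ts, e.get("usr.name")))

    flagged = {}
    for src, items in by_src.items():
        items.sort(key=lambda x: x[0])
        start = 0
        for end in range(len(items)):
            # slide the window start forward until it covers at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({u for _, u in items if u})  # triage step 2
                break
    return flagged


if __name__ == "__main__":
    for (ip, realm), users in find_noisy_sources(SAMPLE_EVENTS).items():
        print(f"{ip} on realm {realm}: {len(users)} users affected: {users}")
```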