OSSEC Alert: Multiple authentication failures

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when multiple failed authentication attempts are detected by OSSEC.

Strategy

This rule lets you monitor if there are multiple authentication failures in a limited time interval.

Triage and Response

  1. Check the activity detected on the System: {{@syslog.hostname}}.

  2. Analyze the rule that triggered along with the brief description and log message attached with the log:

    • Rule ID: {{@rule_id}}
    • Description: {{@description}}
    • Log Message: {{@log}}
  3. Inform your administrator to take further action for the detected failed activity.