QRadar ‐ Rule: Multiple failed authentication attempts in five minutes - mluchettii/internship-portfolio GitHub Wiki

Creating the rule

When an event matches any authentication-failure category AND the same user produces five such events in the space of one minute, the rule fires and an offense is created.
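The counting logic behind this rule, as an added Python example (not from the portfolio page and not QRadar's own rule engine): it parses constructed sshd-style log lines, keeps a per-user sliding window of failures, and raises an offense once the same user has five failures within 60 seconds. The log lines, the user names and addresses, and the year prepended to parse the syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Rule parameters, matching the page: five failures by the same user in one minute.
THRESHOLD = 5
WINDOW_SECONDS = 60

# Constructed sample lines modelled on sshd syslog output (not taken from the page).
SAMPLE_LOG = """\
Mar 10 12:00:01 host1 sshd[1001]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Mar 10 12:00:10 host1 sshd[1002]: Failed password for alice from 10.0.0.5 port 51001 ssh2
Mar 10 12:00:20 host1 sshd[1003]: Failed password for bob from 10.0.0.6 port 51002 ssh2
Mar 10 12:00:25 host1 sshd[1004]: Failed password for alice from 10.0.0.5 port 51003 ssh2
Mar 10 12:00:40 host1 sshd[1005]: Accepted password for bob from 10.0.0.6 port 51004 ssh2
Mar 10 12:00:45 host1 sshd[1006]: Failed password for alice from 10.0.0.5 port 51005 ssh2
Mar 10 12:00:55 host1 sshd[1007]: Failed password for alice from 10.0.0.5 port 51006 ssh2
Mar 10 12:03:00 host1 sshd[1008]: Failed password for bob from 10.0.0.6 port 51007 ssh2
Mar 10 12:03:10 host1 sshd[1009]: Failed password for invalid user carol from 10.0.0.7 port 51008 ssh2
"""

# Matches only authentication failures; "Accepted password" lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text):
    """Return (timestamp, user, source_ip) tuples for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed year is assumed so they parse.
        ts = datetime.strptime("2024 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("src")))
    return events


def detect_offenses(events, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Sliding-window count per user; emit one offense when the threshold is reached."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, source_ip)
    offenses = []
    for ts, user, src in sorted(events):
        q = recent[user]
        q.append((ts, src))
        # Drop failures that fall outside the window ending at this event.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            offenses.append({
                "user": user,
                "count": len(q),
                "first_seen": q[0][0],
                "last_seen": ts,
                "sources": sorted({s for _, s in q}),
            })
            q.clear()  # reset so one burst produces one offense, not one per extra event
    return offenses


if __name__ == "__main__":
    for off in detect_offenses(parse_failures(SAMPLE_LOG)):
        print(f"OFFENSE user={off['user']} failures={off['count']} "
              f"from={off['sources']} between {off['first_seen']:%H:%M:%S} "
              f"and {off['last_seen']:%H:%M:%S}")
```

Run as written, the script raises one offense for `alice` (five failures between 12:00:01 and 12:00:55) and none for `bob`, whose two failures are more than a minute apart. Clearing the window after an offense mirrors the usual SIEM behaviour of grouping a burst into a single offense rather than re-firing on every further event.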

Rule summary

Testing the rule

Attempting to trigger the offense by failing remote SSH login.

Offense triggered...

Offense Summary

The offense identifies the failed user login, the failed SSH login, and the user who caused them.

Payload information