[metadata] creation_date = "2020/07/08" deprecation_date = "2022/07/25" maturity = "deprecated" updated_date = "2022/07/25" [rule] author = ["Elastic"] description = "Identifies that the maximum number of failed login attempts has been reached for a user." index = ["auditbeat-*"] language = "kuery" license = "Elastic License v2" name = "Auditd Max Failed Login Attempts" references = [ "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574", ] risk_score = 47 rule_id = "fb9937ce-7e21-46bf-831d-1ad96eac674d" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] timestamp_override = "event.ingested" type = "query" query = ''' event.module:auditd and event.action:"failed-log-in-too-many-times-to" ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/"