
Potential Successful Linux FTP Brute Force Attack Detected

Elastic Detection Rules

Summary
This detection rule identifies potential brute-force attacks against FTP servers on Linux hosts. It watches for multiple consecutive failed authentication attempts against a single user account from the same source address, followed by a successful login to that account within a short time frame. That pattern is the trace left by an attacker who cycles through username and password combinations until one works. The rule expresses the pattern as an EQL (Event Query Language) sequence over authentication events, so an alert fires only when failed logins with a recorded source address precede a successful login for the same account from that source. Alerting security staff at the moment the successful login occurs narrows the window in which a compromised account can be used to reach sensitive data. The rule carries a risk score of 47 and draws its data from either the Auditbeat or Auditd Manager integration, requiring minimal additional configuration for effective detection.
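The following is an added illustration of the sequence logic described above, written for this page rather than taken from the Elastic rule itself: it replays constructed ECS-style authentication events and reports every success that was preceded, within a time window, by repeated failures for the same user and source pair. The failure threshold (3) and window (30 seconds) are assumptions for the example; the page does not state the rule's actual values.

```python
from datetime import datetime, timedelta

# Constructed ECS-style authentication events (not real Auditbeat output).
# Field names follow ECS; addresses come from the documentation ranges.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-07-06T10:00:00", "event.outcome": "failure", "user.name": "ftpuser", "source.ip": "203.0.113.5"},
    {"@timestamp": "2023-07-06T10:00:04", "event.outcome": "failure", "user.name": "ftpuser", "source.ip": "203.0.113.5"},
    {"@timestamp": "2023-07-06T10:00:08", "event.outcome": "failure", "user.name": "ftpuser", "source.ip": "203.0.113.5"},
    {"@timestamp": "2023-07-06T10:00:12", "event.outcome": "success", "user.name": "ftpuser", "source.ip": "203.0.113.5"},
    # One mistyped password followed by a success: benign, below threshold.
    {"@timestamp": "2023-07-06T10:01:00", "event.outcome": "failure", "user.name": "alice", "source.ip": "198.51.100.7"},
    {"@timestamp": "2023-07-06T10:01:05", "event.outcome": "success", "user.name": "alice", "source.ip": "198.51.100.7"},
    # Failures that never end in a success: this rule does not match them.
    {"@timestamp": "2023-07-06T10:02:00", "event.outcome": "failure", "user.name": "root", "source.ip": "192.0.2.9"},
    {"@timestamp": "2023-07-06T10:02:01", "event.outcome": "failure", "user.name": "root", "source.ip": "192.0.2.9"},
    {"@timestamp": "2023-07-06T10:02:02", "event.outcome": "failure", "user.name": "root", "source.ip": "192.0.2.9"},
]


def detect_ftp_brute_force(events, min_failures=3, maxspan=timedelta(seconds=30)):
    """Return (user, source, success_timestamp) for each success that was preceded,
    within maxspan, by at least min_failures failures for the same user/source pair.
    min_failures and maxspan are illustrative assumptions, not the rule's values."""
    alerts = []
    failures = {}  # (user.name, source.ip) -> timestamps of recent failures
    # ISO-8601 strings in one format sort correctly as plain strings.
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts = datetime.fromisoformat(ev["@timestamp"])
        key = (ev["user.name"], ev["source.ip"])
        # Keep only failures still inside the window relative to this event.
        recent = [t for t in failures.get(key, []) if ts - t <= maxspan]
        if ev["event.outcome"] == "failure":
            recent.append(ts)
            failures[key] = recent
        elif ev["event.outcome"] == "success":
            if len(recent) >= min_failures:
                alerts.append((key[0], key[1], ev["@timestamp"]))
            failures.pop(key, None)  # a success closes the sequence either way
    return alerts


if __name__ == "__main__":
    for user, src, when in detect_ftp_brute_force(SAMPLE_EVENTS):
        print(f"ALERT: {user} from {src} logged in at {when} after repeated failures")
```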
Categories
  • Endpoint
Data Sources
  • User Account
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1110
  • T1110.001
  • T1110.003
Created: 2023-07-06