
Summary
This rule identifies potential SSH brute force attacks by monitoring for multiple consecutive login failures followed by a successful login from the same source IP address against a Linux host. SSH brute force attacks are a common method adversaries use to gain unauthorized access by guessing user passwords. The detection is based on a sequence of authentication events filtered by specific criteria: failures followed closely by a success, within a short window (a maximum span of 15 seconds). The rule uses EQL (Event Query Language) to analyze events recorded in the indexes that hold authentication logs and runs a sequence check to identify this pattern. Given the importance of protecting sensitive systems that use SSH for access, the detection carries a high severity and a risk score of 73, signaling a potentially serious compromise if the attack succeeded. The rule guides the investigation and response needed to stop the unauthorized access and to identify accounts that may have been compromised through credential exposure.
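To make the sequence semantics concrete, here is an added Python re-implementation of the failure-run-then-success check over constructed authentication events; it is not the rule's EQL, and the event field layout, the sample data and the minimum run length of 3 failures are assumptions.

```python
from collections import defaultdict

# Constructed sample events, not taken from any real log.
# Each tuple: (timestamp_seconds, host, source_ip, user, outcome)
SAMPLE_EVENTS = [
    (0.0, "web-01", "203.0.113.5", "root", "failure"),
    (1.2, "web-01", "203.0.113.5", "root", "failure"),
    (2.5, "web-01", "203.0.113.5", "root", "failure"),
    (3.9, "web-01", "203.0.113.5", "root", "success"),    # run of failures then success inside 15s
    (10.0, "web-01", "198.51.100.9", "alice", "failure"),
    (11.0, "web-01", "198.51.100.9", "alice", "success"),  # a single typo, not a brute force
    (20.0, "web-02", "192.0.2.77", "bob", "failure"),
    (21.0, "web-02", "192.0.2.77", "bob", "failure"),
    (22.0, "web-02", "192.0.2.77", "bob", "failure"),
    (60.0, "web-02", "192.0.2.77", "bob", "success"),      # success falls outside the 15s maxspan
]


def detect_ssh_brute_force(events, min_failures=3, maxspan=15.0):
    """Return one alert per (host, source_ip, user) where at least `min_failures`
    consecutive failures are followed by a success, with the whole run fitting
    inside `maxspan` seconds, measured from the first failure to the success.
    This mirrors an EQL 'sequence by host, source IP, user with maxspan=15s'.
    The threshold of 3 is an assumption for this example, not the rule's value."""
    alerts = []
    runs = defaultdict(list)  # key -> timestamps of the current uninterrupted failure run
    for ts, host, ip, user, outcome in sorted(events, key=lambda e: e[0]):
        key = (host, ip, user)
        if outcome == "failure":
            runs[key].append(ts)
            # Keep only failures that can still share a maxspan window with this event
            runs[key] = [t for t in runs[key] if ts - t <= maxspan]
        elif outcome == "success":
            run = [t for t in runs[key] if ts - t <= maxspan]
            if len(run) >= min_failures:
                alerts.append({"host": host, "source_ip": ip, "user": user,
                               "failures": len(run), "span": ts - run[0]})
            runs[key] = []  # a success ends the run whether or not it alerted
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_brute_force(SAMPLE_EVENTS):
        print(alert)
```

Lowering `min_failures` shows why the threshold matters: at 1 the single-typo login from 198.51.100.9 also fires, while the late success from 192.0.2.77 never does because it is outside the window.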
Categories
- Endpoint
- Linux
- Cloud
Data Sources
- User Account
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1110
- T1110.001
- T1110.003
Created: 2022-09-14