
Summary
This detection rule identifies potential brute-force login attempts against Linux SSH accounts by monitoring consecutive login failures from the same source IP address that target a specific user account. The rule uses EQL (Event Query Language) to capture sequences of authentication failures within a brief time frame (a maximum span of 15 seconds). It looks specifically for failed SSH login attempts while excluding designated local and private IP address ranges, to avoid the false positives typically generated by internal services. The risk level assigned to this rule is low, so it flags unauthorized access attempts without generating an overwhelming number of alerts. Users are advised to consider their environment's context, particularly where SSH services are publicly accessible, since those environments may see a higher volume of false alarms. The rule documentation includes recommendations for triage, false-positive analysis, related rules for further investigation, and procedural responses for incident handling.
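The sequence logic described above, re-implemented in Python over constructed sshd log lines so the grouping, the 15-second span and the private-range exclusion can be seen working. This is an added example, not the rule's own EQL or any project code; the run length of 10 failures, the exclusion list and the ISO 8601 log timestamp format are assumptions, since the summary does not state them.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a typical sshd auth-log failure line; an ISO 8601 timestamp is assumed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
MAX_SPAN = timedelta(seconds=15)  # the 15-second maximum span from the rule
FAILURE_THRESHOLD = 10            # assumed run length; the summary does not give it
# Assumed exclusion list: loopback, link-local and RFC 1918 ranges.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_excluded(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDED_NETS)

def detect(lines, threshold=FAILURE_THRESHOLD, max_span=MAX_SPAN):
    """Return (source_ip, user, first_ts, last_ts) for each run of `threshold`
    failures from one source against one user that fits inside `max_span`."""
    windows = defaultdict(list)  # (ip, user) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an sshd failure line
        ts, user, ip = datetime.fromisoformat(m["ts"]), m["user"], m["ip"]
        if is_excluded(ip):
            continue
        window = windows[(ip, user)]
        window.append(ts)
        while ts - window[0] > max_span:  # age out failures older than the span
            window.pop(0)
        if len(window) >= threshold:
            alerts.append((ip, user, window[0], ts))
            window.clear()  # a completed sequence starts a fresh run
    return alerts

# Constructed sample: 10 fast failures from a public source (fires), 10 from an
# RFC 1918 source (excluded) and 10 slow ones spaced 2 s apart (never 10 in 15 s).
SAMPLE_LOG = (
    [f"2022-09-14T10:00:{i:02d} host sshd[1000]: Failed password for root from 203.0.113.5 port 40000 ssh2" for i in range(10)]
    + [f"2022-09-14T10:01:{i:02d} host sshd[2000]: Failed password for invalid user admin from 10.0.0.5 port 50000 ssh2" for i in range(10)]
    + [f"2022-09-14T10:02:{2 * i:02d} host sshd[3000]: Failed password for deploy from 198.51.100.7 port 60000 ssh2" for i in range(10)]
)
```

Lowering `threshold` or widening `max_span` shows directly how the false-alarm volume for a publicly reachable SSH service grows, which is the tuning trade-off the summary points at.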
Categories
- Endpoint
- Linux
Data Sources
- User Account
- Network Traffic
ATT&CK Techniques
- T1110
- T1110.001
- T1110.003
Created: 2022-09-14