
Summary
This rule detects potential RDP brute force attacks on Linux systems by monitoring for a sequence of multiple failed authentication attempts followed by a successful login for the same user account within a short time span. It uses EQL (Event Query Language) to analyze authentication events logged by the Auditbeat and Auditd Manager integrations, focusing on login attempts targeting RDP. An adversary attempting to access a remote computer via RDP may use brute force methods, such as trying many combinations of usernames and passwords. If successful, this can result in unauthorized access to the system, data breaches, and further exploitation of the network. The rule sets a threshold of ten consecutive failed attempts followed by a successful attempt, raising an alert on possible brute force activity. The accompanying investigation guide helps security teams validate the findings, mitigate risks, and improve security protocols.
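The sequence logic described above, as an added Python example that is not the rule's own EQL or any Elastic code: it replays constructed auditd-style login lines and alerts when a user's success follows at least ten failures inside the window. The ten-failure threshold comes from the rule summary; the five-minute window, the log line format and the sample users and addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    success: bool

def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line: '<ISO ts> user=<name> src=<ip> outcome=<success|failure>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(datetime.fromisoformat(ts_text), kv["user"], kv["src"], kv["outcome"] == "success")

def detect_brute_force(events, threshold=10, maxspan=timedelta(minutes=5)):
    """Return one alert per user whose successful login follows >= threshold
    consecutive failures, all inside the maxspan window ending at the success.
    A success with too few recent failures clears that user's streak (an
    approximation of an EQL 'sequence by user with maxspan')."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of the current failure streak
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            failures[ev.user].append(ev.ts)
            continue
        streak = failures.pop(ev.user, [])
        recent = [t for t in streak if ev.ts - t <= maxspan]
        if len(recent) >= threshold:
            alerts.append({"user": ev.user, "src_ip": ev.src_ip, "failed_attempts": len(recent),
                           "first_failure": recent[0], "success_at": ev.ts})
    return alerts

# Constructed sample (assumed format): alice trips the rule, bob has too few failures,
# carol's failures fall outside the window before her success.
SAMPLE_LOG = (
    [f"2023-07-06T10:00:{i:02d} user=alice src=203.0.113.5 outcome=failure" for i in range(10)]
    + ["2023-07-06T10:00:30 user=alice src=203.0.113.5 outcome=success",
       "2023-07-06T10:01:00 user=bob src=198.51.100.7 outcome=failure",
       "2023-07-06T10:01:05 user=bob src=198.51.100.7 outcome=success"]
    + [f"2023-07-06T09:00:{i:02d} user=carol src=192.0.2.9 outcome=failure" for i in range(10)]
    + ["2023-07-06T09:10:00 user=carol src=192.0.2.9 outcome=success"]
)

def run_sample():
    return detect_brute_force(parse_line(line) for line in SAMPLE_LOG)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```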
Categories
- Endpoint
- Linux
- IoT
Data Sources
- User Account
- Network Traffic
- Application Log
ATT&CK Techniques
- T1110
- T1110.001
- T1110.003
Created: 2023-07-06