text code block:`esxi_syslog` Message="*Authentication failure for*" | rex "for (?<user>[\w]+) from (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | bin _time span=5m | stats min(_time) as firstTime max(_time) as lastTime count by user, src_ip, dest | where count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_ssh_brute_force_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).