title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
logsource:
    product: linux
    service: auth
detection:
    selection:
        pam_message: "authentication failure"
        pam_user: '*'
        pam_rhost: '*'
    timeframe: 24h 
    condition: selection | count(pam_user) by pam_rhost > 3
falsepositives:
    - Terminal servers
    - Jump servers
    - Workstations with frequently changing users 
level: medium