Repeated failed logins or possible denial of service attack

The Security Incidents: repeated failed logins or possible denial of service attack template looks for repeated failed logins or possible denial of service attacks for both database and administrative users.

Many rules include the MARK SESSION action, which sets the trust for this session to LOW and generates an exception in the Security Incidents report.
Note: The security incident policies analyze authentication methods, but do not log or analyze passwords.

The Security Incidents: repeated failed logins or possible denial of service attack template contains the following rules:

Populate analyzed client IP if both client IP and analyzed client IP are empty
    This rule uses a TRANSFORM action to copy the value of HOST NAME into ANALYZED_CLIENT_IP when both CLIENT_IP and ANALYZED_CLIENT_IP are empty.
Populate analyzed client IP if both client IP and analyzed client IP are empty and session identified as local
    This rule uses a TRANSFORM action to copy the value of SERVER IP into ANALYZED_CLIENT_IP when both CLIENT_IP and ANALYZED_CLIENT_IP are still empty and the session is identified as local.
Repeated failed login per Actual client IP and user (5 in 3 minutes)
    This rule generates a security incident when the same user fails to log in five times from the same client within a 3-minute period.
    It generates one exception message in the Security Incidents report for each unique DB_USER and ACTUAL_CLIENT_IP combination.
Possible denial of service attack (20 in 1 minute)
    Many distinct database users connecting from a single client machine within a short period can indicate a denial of service (DoS) attack, and this rule generates a security incident when that pattern occurs. A legitimately shared client, such as an application server or jump host, produces the same pattern, so expect to exclude or tune for such hosts.
    This rule requires that both populate rules (Populate ANALYZED_CLIENT_IP if both CLIENT_IP and ANALYZED_CLIENT_IP are empty, and Populate ANALYZED_CLIENT_IP if both CLIENT_IP and ANALYZED_CLIENT_IP are empty and session identified as local) are also installed, so that sessions that report no CLIENT_IP still carry a client address for the count.
    This rule generates an exception message in the Security Incidents report when 20 distinct DB_USER values connect from a single ACTUAL_CLIENT_IP to a single SERVER_IP within a 1-minute period.
Possible admin user denial of service attack (20 in 1 minute)
    This is the same check restricted to administrative users: many distinct administrative users connecting from a single client machine within a short period can indicate a DoS attack, and this rule generates a security incident when that pattern occurs.
    This rule requires that both populate rules (Populate ANALYZED_CLIENT_IP if both CLIENT_IP and ANALYZED_CLIENT_IP are empty, and Populate ANALYZED_CLIENT_IP if both CLIENT_IP and ANALYZED_CLIENT_IP are empty and session identified as local) are also installed.
    This rule generates an exception message in the Security Incidents report when 20 distinct DB_USER values that belong to the Admin users group connect from a single ACTUAL_CLIENT_IP to a single SERVER_IP within a 1-minute period.
    Prerequisite: the Admin users group must exist.
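The thresholds above, as an added worked example that is not part of the Guardium template or its documentation: a Python sliding-window detector run over constructed session records. It applies the two populate rules in template order, the 5-in-3-minutes failed-login rule keyed on client address and DB_USER, and the 20-in-1-minute distinct-user rule keyed on client address and SERVER_IP. The Event record, the reading of the admin variant as 20 distinct members of the Admin users group, the representation of MARK SESSION as a trust field on the incident, and all sample traffic are assumptions of this example, not Guardium behaviour or data.

```python
"""Sliding-window detector mirroring the template's thresholds.

Added example, not Guardium code. Attribute names follow the page (DB_USER,
CLIENT_IP, ANALYZED_CLIENT_IP, SERVER_IP, HOST NAME); the Event record, the
admin-group handling and all sample traffic are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

FAILED_LOGIN_THRESHOLD = 5        # "5 in 3 minutes"
FAILED_LOGIN_WINDOW_S = 3 * 60
DOS_DISTINCT_USERS = 20           # "20 in 1 minute"
DOS_WINDOW_S = 60


@dataclass
class Event:
    ts: float                          # seconds since epoch (constructed)
    db_user: str
    server_ip: str
    client_ip: Optional[str] = None
    analyzed_client_ip: Optional[str] = None
    host_name: Optional[str] = None
    is_local: bool = False             # "session identified as local"
    login_failed: bool = False


def populate_analyzed_client_ip(ev: Event) -> Optional[str]:
    """The two populate rules in template order: when CLIENT_IP and
    ANALYZED_CLIENT_IP are both empty take HOST NAME; if still empty and the
    session is local take SERVER IP. Returns the address to key on, or None."""
    if not ev.client_ip and not ev.analyzed_client_ip and ev.host_name:
        ev.analyzed_client_ip = ev.host_name
    if not ev.client_ip and not ev.analyzed_client_ip and ev.is_local:
        ev.analyzed_client_ip = ev.server_ip
    return ev.client_ip or ev.analyzed_client_ip


def _expire(window: deque, now: float, seconds: int) -> None:
    """Drop entries older than the sliding window; entries are (ts, ...)."""
    while window and now - window[0][0] > seconds:
        window.popleft()


class IncidentDetector:
    def __init__(self, admin_users: set):
        self.admin_users = admin_users          # the "Admin users group"
        self.failed = defaultdict(deque)        # (client, user) -> [(ts,)]
        self.sessions = defaultdict(deque)      # (client, server) -> [(ts, user)]
        self.incidents = []

    def _raise(self, rule: str, **fields) -> None:
        # MARK SESSION: trust LOW plus an exception row for the incident report
        self.incidents.append({"rule": rule, "trust": "LOW", **fields})

    def process(self, ev: Event) -> None:
        client = populate_analyzed_client_ip(ev)
        if client is None:
            return                              # no client address to key on
        if ev.login_failed:
            fails = self.failed[(client, ev.db_user)]
            fails.append((ev.ts,))
            _expire(fails, ev.ts, FAILED_LOGIN_WINDOW_S)
            if len(fails) >= FAILED_LOGIN_THRESHOLD:
                self._raise("REPEATED_FAILED_LOGIN", client_ip=client, db_user=ev.db_user)
                fails.clear()                   # one incident per burst
        sess = self.sessions[(client, ev.server_ip)]
        sess.append((ev.ts, ev.db_user))
        _expire(sess, ev.ts, DOS_WINDOW_S)
        users = {u for _, u in sess}            # distinct DB_USER values in window
        fired = False
        if len(users) >= DOS_DISTINCT_USERS:
            self._raise("DOS", client_ip=client, server_ip=ev.server_ip, users=len(users))
            fired = True
        if len(users & self.admin_users) >= DOS_DISTINCT_USERS:   # assumed admin variant
            self._raise("ADMIN_DOS", client_ip=client, server_ip=ev.server_ip)
            fired = True
        if fired:
            sess.clear()


ADMIN_USERS = {f"adm{i:02d}" for i in range(DOS_DISTINCT_USERS)}   # constructed group


def build_sample_events() -> list:
    """Constructed traffic against one server; t0 is an arbitrary epoch base."""
    t0, srv, ev = 1_700_000_000.0, "10.0.1.2", []
    # 5 failures for one user from one client inside 3 minutes: incident
    ev += [Event(t0 + 30 * i, "appuser", srv, client_ip="10.0.0.5", login_failed=True) for i in range(5)]
    # 5 failures spread over 8 minutes: never 5 inside the window, no incident
    ev += [Event(t0 + 120 * i, "batch", srv, client_ip="10.0.0.6", login_failed=True) for i in range(5)]
    # 20 distinct users from one client inside 1 minute: DoS
    ev += [Event(t0 + 600 + 2 * i, f"user{i:02d}", srv, client_ip="10.0.0.9") for i in range(20)]
    # 20 distinct admin-group users from one client: DoS and admin DoS
    ev += [Event(t0 + 700 + 2 * i, f"adm{i:02d}", srv, client_ip="10.0.0.10") for i in range(20)]
    # CLIENT_IP empty: the populate rule keys the count on HOST NAME instead
    ev.append(Event(t0 + 900, "appuser", srv, host_name="jump01", login_failed=True))
    return sorted(ev, key=lambda e: e.ts)


def run_demo() -> list:
    det = IncidentDetector(ADMIN_USERS)
    for e in build_sample_events():
        det.process(e)
    return det.incidents


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

The windows are evaluated per event, so an incident is raised on the event that crosses the threshold and the window for that key is then cleared, giving one exception row per burst rather than one per further event; Guardium's own reporting granularity is not modelled here.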