Playbook for ModSec Brute force by IP Burst

  • Release version: Australia
  • Updated March 12, 2026
This playbook provides systematic remediation steps to investigate incidents of brute-force attempts on the login pages from multiple IPs detected by ModSec. The event conditions can be set in the ModSec policy itself; when ModSec creates the event, an alert is raised in Splunk.

This playbook helps in detecting abnormal traffic counts on the login page. In this example, the condition is two successive bursts of more than 50 hits/minute from an IP to the login page, which indicates a brute-force attempt to log in.
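The burst condition described above can be checked offline against web access logs when triaging the alert. The following is an added example, not part of the playbook or of ModSec or Splunk. It assumes combined-format access log lines, a hypothetical `/login` path, and that "two successive bursts" means two consecutive one-minute windows each above the threshold.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed values: the page gives only "more than 50 hits/minute" and "two successive bursts".
THRESHOLD = 50          # hits per minute that count as a burst
LOGIN_PATH = "/login"   # hypothetical login URL
# Combined-log-format prefix: client IP, timestamp, request path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def per_minute_hits(lines):
    """Count login-page requests per (ip, minute) bucket."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ip, ts, path = m.groups()
        if path.split("?", 1)[0] != LOGIN_PATH:
            continue  # only the login page is in scope
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        hits[(ip, when.replace(second=0, microsecond=0))] += 1
    return hits

def burst_ips(lines, threshold=THRESHOLD):
    """Return IPs with two consecutive minutes each above the threshold."""
    hits = per_minute_hits(lines)
    flagged = set()
    for (ip, minute), count in hits.items():
        nxt = hits.get((ip, minute + timedelta(minutes=1)), 0)
        if count > threshold and nxt > threshold:
            flagged.add(ip)
    return sorted(flagged)

def sample_log():
    """Constructed sample: one bursting client, one single-minute spike, normal traffic."""
    def line(ip, minute, sec, path="/login"):
        return f'{ip} - - [12/Mar/2026:10:{minute:02d}:{sec:02d} +0000] "POST {path} HTTP/1.1" 401 512'
    out = []
    for minute in (0, 1):  # 60 hits in each of two successive minutes
        out += [line("203.0.113.10", minute, s) for s in range(60)]
    out += [line("203.0.113.20", 0, s) for s in range(60)]  # one burst only
    out += [line("203.0.113.20", 1, s) for s in range(10)]
    out += [line("198.51.100.5", 0, s) for s in range(3)]   # ordinary user
    out += [line("198.51.100.7", 0, s, "/index.html") for s in range(60)] * 2
    return out

if __name__ == "__main__":
    print(burst_ips(sample_log()))
```

A client that spikes in only one minute, or that is busy on pages other than the login page, is not flagged; exactly 50 hits in a minute also does not count, because the condition is "more than 50".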