I'm new to ES. I have taken the ES Admin course so I probably shouldn't have to ask for help but I'm pulling my hair out.
I have a linux host running sshd, no firewall. This host has the universal forwarder sending events to the index cluster.
I have another linux host running a brute force attack against it.
Search in Splunk clearly shows the failed attempts, thousands of them.
In ES, I have enabled the "Brute Force Access Behavior Detected" correlation search, and added an Adaptive Response Action to create a notable.
However, even though there are thousands of matching events, I never get a notable created.
SA_AccessProtection app is installed.
Any ideas on how to troubleshoot this, or what might be wrong, would be greatly appreciated.
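As an added set of diagnostic searches (editor's example, not from the poster or from Splunk ES), these check the pipeline that correlation search depends on, in order: that the raw sshd events are CIM-normalized, that the accelerated Authentication data model actually contains them (the shipped search uses summariesonly, so an unaccelerated or unbackfilled model yields nothing), and that notables are being written at all. The `earliest` windows and the `sshd` keyword are assumptions about the poster's data, and the success count is included because, as I recall, the shipped search only fires for sources that show both failures and at least one success.

```spl
index=* sshd tag=authentication earliest=-60m | stats count by action, app, src, dest

| tstats summariesonly=true count(eval('Authentication.action'="failure")) as failure count(eval('Authentication.action'="success")) as success from datamodel=Authentication.Authentication where earliest=-60m by Authentication.src Authentication.dest | drop_dm_object_name("Authentication")

index=notable earliest=-24h | stats count by search_name
```

If the first search returns rows but the second returns none, the data model acceleration (or its backfill) is the gap; if the second returns only failures with success=0, the shipped search's success condition is what is holding it back.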