daily_brief
Run a morning health check on Keycloak to review login, session, password, and admin events, flagging possible brute-force attacks.
Instructions
Run a morning Keycloak health check.
Checks (all scoped to the last since_hours hours):
Login statistics (success / failure totals, top failing IPs)
Active sessions by client
Password update events
Admin events (CREATE/UPDATE/DELETE on USER/CLIENT resources)
A single IP with login failures >= ip_failure_threshold is flagged
as WARNING (possible brute-force).
since_hours defaults to 18 (≈ previous 15:00 for a 09:00 morning run).
Output tiers:
CRITICAL — API connection failure
WARNING — anomalies detected
OK — clean
Args: since_hours: Look-back window in hours (default 18). ip_failure_threshold: Login failures from a single IP that triggers a WARNING (default 50).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| since_hours | No | ||
| ip_failure_threshold | No |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |