Part 4 of the blog series on integrating Elasticsearch with ArcSight SIEM covers building an alert for successful brute-force SSH logins with Elasticsearch's X-Pack Watcher. The post walks through the detection logic step by step: a watch queries the SSH authentication events, groups them with Elasticsearch aggregations, and uses a Painless script to flag any source that produces several failed logins followed by a successful one within a defined time window. To avoid firing repeatedly on the same event, the watch indexes each detected attack and checks that index before raising an alert again. The post also shows how the matched data is transformed and logged, and suggests extensions such as breaking the analysis down per target server and wiring the watch into a notification channel for real-time alerting. It closes by contrasting this hand-written rule with X-Pack's machine-learning anomaly detection, which can surface the same behaviour without defining the pattern explicitly.
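The detection the post builds in Watcher and Painless, restated as stand-alone Python so the logic can be run over sample events offline. This is an added example, not the post's watch definition: the event fields (`@timestamp`, `source_ip`, `server`, `outcome`, `user`), the threshold of three failures, the five-minute window and the `AlertStore` class standing in for the alert index are all assumptions chosen here, and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample SSH authentication events, shaped like the hits a
# watch would receive from Elasticsearch. Not taken from the original post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Attacker: three failures with different users, then a success.
    {"@timestamp": "2017-06-01T10:00:01Z", "source_ip": "203.0.113.5", "server": "web01", "outcome": "failure", "user": "root"},
    {"@timestamp": "2017-06-01T10:00:05Z", "source_ip": "203.0.113.5", "server": "web01", "outcome": "failure", "user": "admin"},
    {"@timestamp": "2017-06-01T10:00:09Z", "source_ip": "203.0.113.5", "server": "web01", "outcome": "failure", "user": "oracle"},
    {"@timestamp": "2017-06-01T10:00:15Z", "source_ip": "203.0.113.5", "server": "web01", "outcome": "success", "user": "admin"},
    # Legitimate user: one typo then a success, below the threshold.
    {"@timestamp": "2017-06-01T10:01:00Z", "source_ip": "198.51.100.7", "server": "web01", "outcome": "failure", "user": "alice"},
    {"@timestamp": "2017-06-01T10:01:04Z", "source_ip": "198.51.100.7", "server": "web01", "outcome": "success", "user": "alice"},
    # Three failures, but the success comes long after the window closed.
    {"@timestamp": "2017-06-01T09:00:00Z", "source_ip": "192.0.2.9", "server": "db01", "outcome": "failure", "user": "root"},
    {"@timestamp": "2017-06-01T09:00:02Z", "source_ip": "192.0.2.9", "server": "db01", "outcome": "failure", "user": "root"},
    {"@timestamp": "2017-06-01T09:00:04Z", "source_ip": "192.0.2.9", "server": "db01", "outcome": "failure", "user": "root"},
    {"@timestamp": "2017-06-01T10:30:00Z", "source_ip": "192.0.2.9", "server": "db01", "outcome": "success", "user": "root"},
]


def parse_ts(ts: str) -> datetime:
    """Parse the UTC timestamp format used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_brute_force(events: List[Dict[str, str]],
                       failure_threshold: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Flag successful logins preceded by >= failure_threshold failures
    from the same source IP against the same server inside `window`.

    Grouping by (source_ip, server) mirrors the per-server breakdown the
    post suggests as an enhancement; threshold and window are assumptions.
    """
    by_key: Dict[tuple, List[Dict[str, str]]] = defaultdict(list)
    for e in events:
        by_key[(e["source_ip"], e["server"])].append(e)

    alerts = []
    for (ip, server), evs in by_key.items():
        evs.sort(key=lambda e: parse_ts(e["@timestamp"]))
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            t_ok = parse_ts(e["@timestamp"])
            # Only failures that precede this success and fall inside the window count.
            failures = [f for f in evs[:i]
                        if f["outcome"] == "failure"
                        and t_ok - parse_ts(f["@timestamp"]) <= window]
            if len(failures) >= failure_threshold:
                alerts.append({
                    "source_ip": ip,
                    "server": server,
                    "success_at": e["@timestamp"],
                    "successful_user": e["user"],
                    "failed_attempts": len(failures),
                    "users_tried": sorted({f["user"] for f in failures}),
                })
    return alerts


class AlertStore:
    """Stand-in for the index the watch writes alerts to so that the same
    attack is not reported every time the watch runs (assumed design)."""

    def __init__(self) -> None:
        self._seen = set()

    def record_new(self, alerts: List[Dict]) -> List[Dict]:
        """Return only alerts not seen before, remembering them for next time."""
        fresh = []
        for a in alerts:
            key = (a["source_ip"], a["server"], a["success_at"])
            if key in self._seen:
                continue
            self._seen.add(key)
            fresh.append(a)
        return fresh


if __name__ == "__main__":
    store = AlertStore()
    # First run: the attacker's login is reported. Second run over the same
    # data: nothing new, because the store already holds that alert.
    print(store.record_new(detect_brute_force(SAMPLE_EVENTS)))
    print(store.record_new(detect_brute_force(SAMPLE_EVENTS)))
```

The key choices are the ones the post's watch has to make too: failures are counted per source against a specific server rather than globally, the window is measured backwards from the successful login so stale failures do not trigger, and the dedup key includes the success timestamp so a second compromise from the same source is still reported.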