Login failures are stored in various places. We should be able to alert when the number of failures suddenly increases, as we would typically see for password brute forcing.
Failed password attempts for privileged accounts are logged in Elasticsearch. Yelp uses Elasticsearch and ElastAlert (https://github.com/yelp/elastalert) to detect brute forcing; we could do something similar.
In response to the alert, we can start with alerting the security team / ops. If the alerts look reliable, we can add alerting for the account being brute forced. If that appears to reliably detect brute-forcing, we could in the future automatically block the IP from logging in for a short period of time.
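
The spike comparison described above, as an added example (not code from this page or from ElastAlert): it compares the failure count in the current window with the preceding window of equal length and reports the most-targeted account and the noisiest source IP. The record field names, thresholds and sample events are assumptions constructed for illustration; in practice the records would come from the failed-login index.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 1, 12, 0, 0)  # constructed evaluation time


def detect_spike(events, now, window=timedelta(minutes=10),
                 spike_height=3, min_current=20):
    """Return a summary dict if failures spiked in the current window, else None.

    events: list of dicts with "ts", "account" and "ip" (assumed field names).
    """
    cur_start = now - window
    ref_start = cur_start - window
    current = [e for e in events if cur_start <= e["ts"] < now]
    ref_n = sum(1 for e in events if ref_start <= e["ts"] < cur_start)
    cur_n = len(current)
    # The absolute floor keeps a quiet baseline (0 or 1 failures) from
    # turning a handful of mistyped passwords into a "spike".
    if cur_n < min_current or cur_n < spike_height * max(ref_n, 1):
        return None
    return {
        "current": cur_n,
        "reference": ref_n,
        # Most-targeted account and noisiest source, for the responder.
        "top_account": Counter(e["account"] for e in current).most_common(1)[0],
        "top_ip": Counter(e["ip"] for e in current).most_common(1)[0],
    }


def sample_events():
    """Constructed failed-login records (documentation IP ranges only)."""
    events = []
    # Reference window 11:40-11:50: ordinary background failures.
    for i in range(4):
        events.append({"ts": NOW - timedelta(minutes=19 - i),
                       "account": f"user{i}", "ip": f"198.51.100.{i + 1}"})
    # Current window 11:50-12:00: 30 failures on one privileged account.
    for i in range(30):
        events.append({"ts": NOW - timedelta(seconds=590 - 10 * i),
                       "account": "admin-example", "ip": "203.0.113.7"})
    # Two unrelated failures in the current window.
    for i in range(2):
        events.append({"ts": NOW - timedelta(minutes=5 - i),
                       "account": f"user{i}", "ip": f"198.51.100.{i + 1}"})
    return events


if __name__ == "__main__":
    print(detect_spike(sample_events(), NOW))
```

Requiring both a ratio and an absolute minimum is what keeps the alert quiet enough to send to the security team first, before it is trusted for notifying account owners or blocking an IP.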