What are the reasons for brute force signature 40015 (SSH User Authentication Brute Force Attempt) appearing in threat logs?
Question
Why am I seeing Threat ID 40015 (SSH User Authentication Brute Force Attempt)?
Answer
There are several possible reasons for Threat ID 40015 (SSH User Authentication Brute Force Attempt) denying or alerting on traffic. Signature details: https://threatvault.paloaltonetworks.com/?query=40015
40015 is a parent (brute force) signature. By default it triggers when its child signature, Threat ID 31914 (SSH Login Attempt), triggers 20 times within 60 seconds; if the default thresholds have been changed, the count and interval will differ. The child signature 31914 (https://threatvault.paloaltonetworks.com/?query=31914) identifies the SSH version banner that is returned when an SSH login attempt occurs.
This condition is met when an application is repeatedly denied and keeps retrying the login, or more generally whenever 20 login prompts occur within 60 seconds. The recommendation is to gather packet captures and understand the nature of the traffic.
Is this a misconfiguration, normal traffic, or an attempt to brute force an SSH server?
The only way to know is to review the pcaps and understand the context of the traffic together with the system owners. Sometimes the traffic is normal and the thresholds need to be adjusted.
In other cases it is a misconfiguration and the application needs to be adjusted, or it is a genuine attempt to exploit an SSH server with many login attempts, such as a password dictionary attack. It could also be normal traffic that coincidentally returns the SSH banner string often enough to trigger the signature without matching its true intent, that is, a false positive (unlikely but possible).
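To make the parent/child relationship concrete, the following is an added example (not Palo Alto Networks code and not a description of PAN-OS internals): a sliding-window correlator that replays constructed threat-log entries and raises the parent signature whenever the child signature 31914 is seen 20 times within 60 seconds for the same source/destination pair, with both thresholds adjustable. The log tuples, IP addresses, the per-pair aggregation key, the decision to reset the counter after each parent alert, and the placeholder threat ID 0 for unrelated events are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from typing import Iterable

CHILD_ID = 31914          # SSH Login Attempt (SSH version banner returned)
PARENT_ID = 40015         # SSH User Authentication Brute Force Attempt
DEFAULT_THRESHOLD = 20    # default child hits needed, as described on the page
DEFAULT_WINDOW = 60.0     # default interval in seconds, as described on the page

# One threat-log entry: (epoch seconds, source IP, destination IP, threat ID).
Event = tuple[float, str, str, int]


def correlate(events: Iterable[Event],
              threshold: int = DEFAULT_THRESHOLD,
              window: float = DEFAULT_WINDOW) -> list[tuple[float, str, str]]:
    """Return (time, src, dst) for each point at which the parent signature fires.

    Events must be in time order. Hits are aggregated per (src, dst) pair, which
    is an assumption of this example; the real aggregation key is not on the page.
    """
    hits: dict[tuple[str, str], deque[float]] = defaultdict(deque)
    alerts: list[tuple[float, str, str]] = []
    for ts, src, dst, tid in events:
        if tid != CHILD_ID:
            continue                      # only child-signature hits are counted
        q = hits[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src, dst))
            q.clear()                     # assumption: one parent alert per burst
    return alerts


def burst_events() -> list[Event]:
    """Constructed sample: 25 banner hits one second apart, a dictionary-attack pattern,
    interleaved with unrelated events (placeholder threat ID 0) that must be ignored."""
    evs: list[Event] = []
    for i in range(25):
        evs.append((1000.0 + i, "10.0.0.5", "192.0.2.10", CHILD_ID))
        evs.append((1000.0 + i + 0.5, "10.0.0.5", "192.0.2.10", 0))
    return evs


def slow_retry_events() -> list[Event]:
    """Constructed sample: a misconfigured client retrying every 5 seconds for 145 seconds.
    Only 13 hits ever fall inside a 60-second window, so the default threshold is not met."""
    return [(2000.0 + 5.0 * i, "10.0.0.7", "192.0.2.10", CHILD_ID) for i in range(30)]


def summarize(alerts: list[tuple[float, str, str]]) -> list[str]:
    """Render alerts as threat-log style lines for a human reader."""
    return [f"t={ts:.0f} src={src} dst={dst} threat_id={PARENT_ID}" for ts, src, dst in alerts]


if __name__ == "__main__":
    print("burst, default thresholds:", summarize(correlate(burst_events())))
    print("slow retry, default thresholds:", summarize(correlate(slow_retry_events())))
    print("slow retry, threshold lowered to 10:",
          summarize(correlate(slow_retry_events(), threshold=10)))
```

The burst fires the parent once, at the 20th hit, while the slow retry never does under the default 20-in-60 thresholds; lowering the threshold to 10 makes the same slow retry fire three times. That is the practical point of the page: the same packet captures can be read as an attack, a misconfiguration, or noise, and the threshold decides which of them the signature reports.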
Additional Information
Brute Force Signature and Related Trigger Conditions