emby-bf Configuration

« emby-bf »
v0.2 by LePresidente
Attack scenarioremediation:trueservice:embyspoofable:0MITRE:T1110confidence:3

Detect emby bruteforce

Installation

cscli scenarios install LePresidente/emby-bf

Description

Detect failed emby authentications:

leakspeed of 1m, capacity of 5 on same target ip

YAML Configuration

1# emby bruteforce
2type: leaky
3name: LePresidente/emby-bf
4description: "Detect emby bruteforce"
5filter: "evt.Meta.log_type == 'emby_failed_auth'"
6leakspeed: 1m
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10reprocess: true
11labels:
12  service: emby
13  behavior: "http:bruteforce"
14  classification:
15    - attack.T1110
16  spoofable: 0
17  confidence: 3
18  label: "Emby Bruteforce"
19  remediation: true
20

Hub configuration

« emby-bf »v0.2 by LePresidenteAttack scenarioremediation:trueservice:embyspoofable:0MITRE:T1110confidence:3

« emby-bf »
v0.2 by LePresidente
Attack scenarioremediation:trueservice:embyspoofable:0MITRE:T1110confidence:3