ombi-bf Scenario

« ombi-bf »
v0.2 by LePresidente
Attack scenarioremediation:trueservice:ombispoofable:0MITRE:T1110confidence:3

Detect Ombi bruteforce

Installation

cscli scenarios install LePresidente/ombi-bf

Description

Detect failed emby authentications:

leakspeed of 1m, capacity of 5 on same target ip

YAML Configuration

1# emby bruteforce
2type: leaky
3name: LePresidente/ombi-bf
4description: "Detect Ombi bruteforce"
5filter: "evt.Meta.log_type == 'ombi_auth_failed'"
6leakspeed: 1m
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10reprocess: true
11labels:
12  service: ombi
13  behavior: "http:bruteforce"
14  spoofable: 0
15  confidence: 3
16  classification:
17    - attack.T1110
18  label: "Ombi Bruteforce"
19  remediation: true
20

Hub configuration

« ombi-bf »v0.2 by LePresidenteAttack scenarioremediation:trueservice:ombispoofable:0MITRE:T1110confidence:3

« ombi-bf »
v0.2 by LePresidente
Attack scenarioremediation:trueservice:ombispoofable:0MITRE:T1110confidence:3