Hub configuration

More info

technitium-bf Scenario

« technitium-bf »
v0.1 by PintjesB
Attack scenarioremediation:trueservice:technitiumspoofable:0MITRE:T1110confidence:3

Detect Technitium bruteforce attacks

Installation

cscli scenarios install PintjesB/technitium-bf

Description

Scenario to trigger when a certain IP has too many failed auths.

YAML Configuration

1# Technitium bruteforce
2type: leaky
3name: PintjesB/technitium-bf
4description: "Detect Technitium bruteforce attacks"
5filter: "evt.Meta.log_type == 'technitium_failed_auth'"
6leakspeed: 1m
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10reprocess: true
11labels:
12  service: technitium
13  spoofable: 0
14  confidence: 3
15  classification:
16    - attack.T1110
17  label: "Technitium bruteforce"
18  behavior: "http:bruteforce"
19  remediation: true
20

Hub configuration

« technitium-bf »v0.1 by PintjesBAttack scenarioremediation:trueservice:technitiumspoofable:0MITRE:T1110confidence:3

« technitium-bf »
v0.1 by PintjesB
Attack scenarioremediation:trueservice:technitiumspoofable:0MITRE:T1110confidence:3