paperless-ngx-bf Scenario

« paperless-ngx-bf »
v0.3 by andreasbrett
Attack scenarioremediation:trueservice:paperless-ngxspoofable:0MITRE:T1110confidence:3

Detect Paperless-ngx bruteforce attacks

Installation

cscli scenarios install andreasbrett/paperless-ngx-bf

Description

Detect failed Paperless-ngx authentications:

leakspeed of 1m, capacity of 5 on source ip
leakspeed of 1m, capacity of 5 on source ip and unique distinct users

YAML Configuration

1# Paperless-ngx bruteforce
2type: leaky
3name: andreasbrett/paperless-ngx-bf
4description: "Detect Paperless-ngx bruteforce attacks"
5filter: "evt.Meta.log_type == 'paperless_ngx_failed_auth'"
6leakspeed: 1m
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10reprocess: true
11labels:
12    service: paperless-ngx
13    confidence: 3
14    spoofable: 0
15    classification:
16        - attack.T1110
17    label: "Paperless-ngx Bruteforce"
18    behavior: "http:bruteforce"
19    remediation: true
20---
21# Paperless-ngx user-enum
22type: leaky
23name: andreasbrett/paperless-ngx-bf_user-enum
24description: "Detect Paperless-ngx user enum bruteforce"
25filter: "evt.Meta.log_type == 'paperless_ngx_failed_auth'"
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.username
28leakspeed: 1m
29capacity: 5
30blackhole: 5m
31labels:
32    service: paperless-ngx
33    confidence: 3
34    spoofable: 0
35    classification:
36        - attack.T1589
37    label: "Paperless-ngx User Enumeration"
38    behavior: "http:bruteforce"
39    remediation: true
40

Hub configuration

« paperless-ngx-bf »v0.3 by andreasbrettAttack scenarioremediation:trueservice:paperless-ngxspoofable:0MITRE:T1110confidence:3

« paperless-ngx-bf »
v0.3 by andreasbrett
Attack scenarioremediation:trueservice:paperless-ngxspoofable:0MITRE:T1110confidence:3