Hub configuration

More info

opensearch-dashboard-bf Scenario

« OpenSearch Bruteforce »
v0.1 by bouddha-fr / opensearch-dashboard-bf
Attack scenarioopensearchNot spoofableHigh confidence

Detect bruteforce attempts on OpenSearch web interface

Installation

cscli scenarios install bouddha-fr/opensearch-dashboard-bf

Description

Detect failed OpenSearch dashboard authentications:

leakspeed of 10s, capacity of 5 from same IP

YAML Configuration

1# OpenSearch web auth bruteforce
2type: leaky
3name: bouddha-fr/opensearch-dashboard-bf
4description: "Detect bruteforce attempts on OpenSearch web interface"
5filter: evt.Meta.log_type == 'opensearch_failed_auth'
6leakspeed: "10s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10labels:
11  remediation: true
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  behavior: "http:bruteforce"
17  label: "OpenSearch Bruteforce"
18  service: opensearch
19

Hub configuration

« OpenSearch Bruteforce »v0.1 by bouddha-fr / opensearch-dashboard-bfAttack scenarioOpenSearchopensearchNot spoofableHigh confidenceMITRE:T1110

« OpenSearch Bruteforce »
v0.1 by bouddha-fr / opensearch-dashboard-bf
Attack scenarioopensearchNot spoofableHigh confidence