appsec-vpatch Scenario

« appsec-vpatch »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3

Identify attacks flagged by CrowdSec AppSec

Installation

cscli scenarios install crowdsecurity/appsec-vpatch

YAML Configuration

1type: leaky
2format: 3.0
3name: crowdsecurity/appsec-vpatch
4description: "Identify attacks flagged by CrowdSec AppSec"
5## See appsec-native.yaml for reasons why we created a negative startsWith here, we want to ignore is native_rules but catch any of our DSL rules.
6filter: "evt.Meta.log_type == 'appsec-block' && evt.Meta.rule_name not startsWith 'native_rule'"
7distinct: evt.Meta.rule_name
8leakspeed: "60s"
9capacity: 1
10groupby: evt.Meta.source_ip
11blackhole: 1m
12labels:
13  service: http
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1110
18  label: "Blocked by CrowdSec AppSec"
19  behavior: "http:exploit"
20  remediation: true
21

Hub configuration

« appsec-vpatch »v0.6 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3

« appsec-vpatch »
v0.6 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3