thehive-bf Scenario

« thehive-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3

Detect bruteforce on Thehive web interface

Installation

cscli scenarios install crowdsecurity/thehive-bf

Description

Detect failed Thehive authentications:

leakspeed of 10s, capacity of 5 from same IP

YAML Configuration

1type: leaky
2debug: false
3name: crowdsecurity/thehive-bf
4description: "Detect bruteforce on Thehive web interface"
5filter: evt.Meta.log_type == 'thehive_failed_auth'
6leakspeed: "10s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 5m
10labels:
11  service: http
12  confidence: 3
13  spoofable: 0
14  classification:
15    - attack.T1110
16  behavior: "http:bruteforce"
17  label: "The Hive Bruteforce"
18  remediation: true
19

Hub configuration

« thehive-bf »v0.3 by crowdsecurityAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3

« thehive-bf »
v0.3 by crowdsecurity
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3