immich-bf Configuration

« immich-bf »
v0.2 by gauth-fr
Attack scenarioremediation:trueservice:immichspoofable:0MITRE:T1110confidence:3

Detect immich bruteforce

Installation

cscli scenarios install gauth-fr/immich-bf

Description

Detect failed Immich authentications:

leakspeed of 20s, capacity of 5 on same target user
leakspeed of 1m, capacity of 5 unique distinct users

YAML Configuration

1# immich BF scan
2name: gauth-fr/immich-bf
3description: "Detect immich bruteforce"
4filter: "evt.Meta.log_type == 'immich_failed_auth'"
5#debug: true
6type: leaky
7groupby: evt.Meta.source_ip
8leakspeed: "20s"
9capacity: 5
10blackhole: 1m
11labels:
12  service: immich
13  confidence: 3
14  spoofable: 0
15  classification:
16    - attack.T1110
17  label: "Immich Bruteforce"
18  behavior: "http:bruteforce"
19  remediation: true
20---
21# immich user-enum
22type: leaky
23name: gauth-fr/immich-bf_user-enum
24description: "Detect immich user enum bruteforce"
25filter: "evt.Meta.log_type == 'immich_failed_auth'"
26groupby: evt.Meta.source_ip
27distinct: evt.Meta.user
28leakspeed: 10s
29capacity: 5
30blackhole: 1m
31labels:
32  service: immich
33  confidence: 3
34  spoofable: 0
35  classification:
36    - attack.T1589
37  label: "Immich Bruteforce"
38  behavior: "http:bruteforce"
39  remediation: true
40

Hub configuration

« immich-bf »v0.2 by gauth-frAttack scenarioremediation:trueservice:immichspoofable:0MITRE:T1110confidence:3

« immich-bf »
v0.2 by gauth-fr
Attack scenarioremediation:trueservice:immichspoofable:0MITRE:T1110confidence:3