# Install from the CrowdSec hub. NOTE(review): this hub name (mail-generic-bf)
# differs from the scenario names in the YAML below (email-generic-bf and
# email-user-bf) — confirm which name the hub actually publishes before relying on it.
cscli scenarios install hitech95/mail-generic-bf
Alerts when a single source IP attempts to brute-force email (SMTP, IMAP, POP3) authentication.
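---
# Global bruteforce: many auth failures from one source IP, regardless of which
# account is targeted.
# NOTE(review): the install command on this page refers to hitech95/mail-generic-bf
# while the scenarios here are named hitech95/email-*-bf — confirm the hub name.
type: leaky
#debug: true
name: hitech95/email-generic-bf
description: "Detect generic email brute force"
# Both Meta fields are expected to be set by an upstream mail-auth parser; if that
# parser tags failures differently, this scenario silently never matches — verify.
filter: "evt.Meta.log_type == 'mail_auth' && evt.Meta.sub_type == 'auth_fail'"
# One bucket per client IP. If the MTA sits behind a proxy or load balancer, make
# sure the parser yields the real client address, otherwise remediation bans the proxy.
groupby: evt.Meta.source_ip
# Bucket of 5 events leaking one every 10s: a sustained failure rate above that
# overflows it (exact overflow count follows CrowdSec leaky-bucket semantics).
capacity: 5
leakspeed: "10s"
# After an overflow, further events from this IP are ignored for 1m so one attack
# yields one alert rather than a stream of them.
blackhole: "1m"
labels:
  # NOTE(review): the page description mentions SMTP as well, but service/label
  # only say POP3/IMAP — align these with what the parser actually covers.
  service: pop3/imap
  confidence: 3
  # Auth failures require a completed TCP session, so the source IP cannot be spoofed.
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "pop3/imap:bruteforce"
  label: "POP3/IMAP Bruteforce"
  # Presumably marks the scenario as remediation-eligible (bouncers act on its
  # decisions) — confirm against the CrowdSec label semantics in use.
  remediation: true
---
# Per-user bruteforce / user enumeration: one IP failing auth against several
# DISTINCT usernames. It shares the filter with the scenario above, so a single
# attacker can trigger both alerts.
# NOTE(review): the description says "specific user", but `distinct` below counts
# different usernames, i.e. enumeration/spraying rather than a single-account attack.
type: leaky
#debug: true
name: hitech95/email-user-bf
description: "Detect specific user email brute force"
filter: "evt.Meta.log_type == 'mail_auth' && evt.Meta.sub_type == 'auth_fail'"
groupby: evt.Meta.source_ip
# Only one event per distinct username counts toward capacity, so repeated
# failures against the same account do not overflow this bucket.
distinct: evt.Meta.username
capacity: 3
leakspeed: "30s"
blackhole: "1m"
labels:
  service: pop3/imap
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1589.002
    - attack.T1110
  behavior: "pop3/imap:bruteforce"
  label: "Mail User Enum Bruteforce"
  remediation: true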