mailu-admin-bf Scenario

« mailu-admin-bf »
v0.2 by mwinters-stuff
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3

Detect mailu admin bruteforce

Installation

cscli scenarios install mwinters-stuff/mailu-admin-bf

Description

Detects the brute force attacks on the mailu admin container.

YAML Configuration

1# mailu-admin bruteforce
2type: trigger
3# debug: true
4name: mwinters-stuff/mailu-admin-bf
5description: "Detect mailu admin bruteforce"
6filter: evt.Meta.log_type == 'mailu_admin_auth_attempt'
7groupby: evt.Meta.source_ip
8blackhole: 5m
9# reprocess: true
10labels:
11  service: http
12  classification:
13    - attack.T1110.001
14  spoofable: 0
15  confidence: 3
16  behavior: "http:bruteforce"
17  label: "Mailu web admin authentication attempt"
18  remediation: true
19

Hub configuration

« mailu-admin-bf »v0.2 by mwinters-stuffAttack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3

« mailu-admin-bf »
v0.2 by mwinters-stuff
Attack scenarioremediation:trueservice:httpspoofable:0MITRE:T1110confidence:3