radarr-bf Configuration

« radarr-bf »
v0.2 by schiz0phr3ne
Attack scenarioremediation:trueservice:radarrspoofable:0MITRE:T1110confidence:3

Detect Radarr bruteforce

Installation

cscli scenarios install schiz0phr3ne/radarr-bf

Description

Detect failed Radarr authentications:

leakspeed of 15s, capacity of 5 on source ip
leakspeed of 30s, capacity of 5 on source ip and unique distinct users

YAML Configuration

1# Radarr bruteforce
2type: leaky
3name: schiz0phr3ne/radarr-bf
4description: "Detect Radarr bruteforce"
5filter: "evt.Meta.log_type in ['radarr_failed_authentication']"
6leakspeed: "15s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11labels:
12  service: radarr
13  confidence: 3
14  spoofable: 0
15  classification:
16    - attack.T1110
17  behavior: "http:bruteforce"
18  label: "Radarr Bruteforce"
19  remediation: true
20---
21# Radarr user enum bruteforce
22type: leaky
23name: schiz0phr3ne/radarr-bf_user-enum
24description: "Detect Radarr user enum bruteforce"
25filter: "evt.Meta.log_type in ['radarr_failed_authentication']"
26leakspeed: "30s"
27capacity: 5
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.username
30blackhole: 1m
31reprocess: true
32labels:
33  service: radarr
34  confidence: 3
35  spoofable: 0
36  classification:
37    - attack.T1589
38    - attack.T1110
39  behavior: "http:bruteforce"
40  label: "Radarr User Enumeration"
41  remediation: true
42

Hub configuration

« radarr-bf »v0.2 by schiz0phr3neAttack scenarioremediation:trueservice:radarrspoofable:0MITRE:T1110confidence:3

« radarr-bf »
v0.2 by schiz0phr3ne
Attack scenarioremediation:trueservice:radarrspoofable:0MITRE:T1110confidence:3