1# mongodb bruteforce
2type: leaky
3name: timokoessler/mongodb-bf
4description: "Detect mongodb bruteforce"
5filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
6leakspeed: "20s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11labels:
12  service: mongodb
13  classification:
14    - attack.T1110
15  behavior: "database:bruteforce"
16  label: "MongoDB Bruteforce"
17  spoofable: 0
18  confidence: 3
19  remediation: true
20---
21# mongodb user enum bruteforce
22type: leaky
23name: timokoessler/mongodb-bf_user-enum
24description: "Detect mongodb user enum bruteforce"
25filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
26leakspeed: "40s"
27capacity: 5
28groupby: evt.Meta.source_ip
29distinct: evt.Meta.username
30blackhole: 1m
31reprocess: true
32labels:
33  service: mongodb
34  classification:
35    - attack.T1589
36    - attack.T1110
37  behavior: "database:bruteforce"
38  label: "MongoDB User Enumeration"
39  spoofable: 0
40  confidence: 3
41  remediation: true
42---
43# mongodb authentication database enum bruteforce
44type: leaky
45name: timokoessler/mongodb-bf_auth-db-enum
46description: "Detect mongodb authentication database enum bruteforce"
47filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
48leakspeed: "40s"
49capacity: 5
50groupby: evt.Meta.source_ip
51distinct: evt.Meta.authentication_database
52blackhole: 1m
53reprocess: true
54labels:
55  service: mongodb
56  classification:
57    - attack.T1589
58    - attack.T1110
59  behavior: "database:bruteforce"
60  label: "MongoDB Authentication Enumeration"
61  spoofable: 0
62  confidence: 3
63  remediation: true
64