cscli scenarios install timokoessler/mongodb-bf
Detects repeated failed MongoDB authentication attempts:
# mongodb bruteforce
#
# Leaky-bucket scenario: every event whose parsed log_type is
# 'mongodb_failed_auth' is dropped into a bucket keyed by the client
# address. The bucket holds `capacity` events and leaks one every
# `leakspeed`; when it overflows an alert is raised.
#
# NOTE(review): all three scenarios in this file depend on a parser (not
# shown here) that sets evt.Meta.log_type, evt.Meta.source_ip,
# evt.Meta.username and evt.Meta.authentication_database. If that parser
# is absent or the MongoDB log format changes, nothing below ever fires —
# there is no error, just silence. Confirm the parser ships alongside.
type: leaky
name: timokoessler/mongodb-bf
description: "Detect mongodb bruteforce"
filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
# Roughly: more than 5 failed logins from one address inside a short
# window (bucket leaks one event per 20s).
leakspeed: "20s"
capacity: 5
# Keyed on the client address. NOTE(review): if MongoDB sits behind a
# proxy/load balancer that does not preserve the client address, the
# logged source_ip is the proxy's and the resulting decision would hit
# the proxy, not the attacker — verify what address the server logs.
groupby: evt.Meta.source_ip
# After an overflow, suppress further alerts for the same key for 1m.
blackhole: 1m
# The overflow is re-injected into the pipeline so other scenarios can
# consume it.
reprocess: true
labels:
  service: mongodb
  classification:
    - attack.T1110
  behavior: "database:bruteforce"
  label: "MongoDB Bruteforce"
  # 0: the source address comes from an established MongoDB connection,
  # so it is not considered spoofable by the sender.
  spoofable: 0
  confidence: 3
  # Alerts from this scenario are intended to produce remediation
  # decisions (e.g. a ban on the grouped address).
  remediation: true
---
# mongodb user enum bruteforce
#
# Same event source as mongodb-bf, but `distinct` makes the bucket count
# only failures with a *different* username from one address, i.e. an
# attacker cycling through account names. Note a single burst of 6+
# failures with distinct usernames overflows both this bucket and
# mongodb-bf above; that is expected, not a double-count bug.
type: leaky
name: timokoessler/mongodb-bf_user-enum
description: "Detect mongodb user enum bruteforce"
filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
# Slower leak than mongodb-bf: enumeration is often spread out to stay
# under per-account lockout thresholds.
leakspeed: "40s"
capacity: 5
groupby: evt.Meta.source_ip
# Only distinct usernames are counted; repeated failures for the same
# account do not fill this bucket.
distinct: evt.Meta.username
blackhole: 1m
reprocess: true
labels:
  service: mongodb
  classification:
    # T1589: gathering victim identity information (valid account names)
    - attack.T1589
    - attack.T1110
  behavior: "database:bruteforce"
  label: "MongoDB User Enumeration"
  spoofable: 0
  confidence: 3
  remediation: true
---
# mongodb authentication database enum bruteforce
#
# Variant of the user-enum scenario keyed on distinct authentication
# databases instead of distinct usernames: an attacker probing which
# database holds a given user's credentials.
type: leaky
name: timokoessler/mongodb-bf_auth-db-enum
description: "Detect mongodb authentication database enum bruteforce"
filter: "evt.Meta.log_type == 'mongodb_failed_auth'"
leakspeed: "40s"
capacity: 5
groupby: evt.Meta.source_ip
# Only distinct authentication databases are counted per source address.
distinct: evt.Meta.authentication_database
blackhole: 1m
reprocess: true
labels:
  service: mongodb
  classification:
    - attack.T1589
    - attack.T1110
  behavior: "database:bruteforce"
  label: "MongoDB Authentication Enumeration"
  spoofable: 0
  confidence: 3
  remediation: true