security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/generic/generic_brute_force.yml
T

27 lines
634 B
YAML
Raw Normal View History

OSCD event rules from Jet CSIRT team
2019-10-25 17:57:56 +03:00
title: Brute Force
UUIDs + moved unsupported logic
2019-12-19 23:56:36 +01:00
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
Change status for old rules
2021-11-27 11:33:14 +01:00
status: test
OSCD event rules from Jet CSIRT team
2019-10-25 17:57:56 +03:00
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
Change status for old rules
2021-11-27 11:33:14 +01:00
modified: 2021/11/27
OSCD event rules from Jet CSIRT team
2019-10-25 17:57:56 +03:00
logsource:
Change status for old rules
2021-11-27 11:33:14 +01:00
category: authentication
OSCD event rules from Jet CSIRT team
2019-10-25 17:57:56 +03:00
detection:
Change status for old rules
2021-11-27 11:33:14 +01:00
selection:
action: failure
timeframe: 600s
condition: selection | count(category) by dst_ip > 30
OSCD event rules from Jet CSIRT team
2019-10-25 17:57:56 +03:00
fields:
Change status for old rules
2021-11-27 11:33:14 +01:00
- src_ip
- dst_ip
- user
OSCD event rules from Jet CSIRT team
2019-10-25 17:57:56 +03:00
falsepositives:
Change status for old rules
2021-11-27 11:33:14 +01:00
- Inventarization
- Vulnerability scanner
- Legitimate application
OSCD event rules from Jet CSIRT team
2019-10-25 17:57:56 +03:00
level: medium
Fixed my git issue
2020-09-13 22:03:04 -06:00
tags:
Change status for old rules
2021-11-27 11:33:14 +01:00
- attack.credential_access
- attack.t1110
Reference in New Issue Copy Permalink