rules/generic/generic_brute_force.yml

title: Brute Force
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
status: experimental
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
modified: 2020/09/01
logsource:
    category: authentication
detection:
    selection:
         action: failure
    timeframe: 600s
    condition: selection | count(category) by dst_ip > 30
fields:
    - src_ip
    - dst_ip
    - user
falsepositives:
    - Inventarization
    - Penetration testing
    - Vulnerability scanner
    - Legitimate application
level: medium
tags:
    - attack.credential_access
    - attack.t1110
OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00			`title: Brute Force`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 53c7cca0-2901-493a-95db-d00d6fcf0a37`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`status: experimental`
OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00			`description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity`
			`author: Aleksandr Akhremchik, oscd.community`
			`date: 2019/10/25`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`modified: 2020/09/01`
OSCD event rules from Jet CSIRT team 2019-10-25 17:57:56 +03:00			`logsource:`
			`category: authentication`
			`detection:`
			`selection:`
			`action: failure`
			`timeframe: 600s`
			`condition: selection \| count(category) by dst_ip > 30`
			`fields:`
			`- src_ip`
			`- dst_ip`
			`- user`
			`falsepositives:`
			`- Inventarization`
			`- Penetration testing`
			`- Vulnerability scanner`
			`- Legitimate application`
			`level: medium`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`tags:`
			`- attack.credential_access`
			`- attack.t1110`