From 9da38e05269613d8d7a558a9485664c80da59358 Mon Sep 17 00:00:00 2001
From: ghostersk <68815071+ghostersk@users.noreply.github.com>
Date: Tue, 4 Mar 2025 21:16:52 +0000
Subject: [PATCH] Update and rename custom-scenarios.yaml to windows-username-filter.yaml

---
 ...rios.yaml => windows-username-filter.yaml} | 19 -------------------
 1 file changed, 19 deletions(-)
 rename plugins/scenarios/{custom-scenarios.yaml => windows-username-filter.yaml} (52%)

diff --git a/plugins/scenarios/custom-scenarios.yaml b/plugins/scenarios/windows-username-filter.yaml
similarity index 52%
rename from plugins/scenarios/custom-scenarios.yaml
rename to plugins/scenarios/windows-username-filter.yaml
index d079c14..9eaf9d9 100644
--- a/plugins/scenarios/custom-scenarios.yaml
+++ b/plugins/scenarios/windows-username-filter.yaml
@@ -1,4 +1,3 @@
-# scanarios:
 type: trigger
 name: custom/forbidden-usernames
 description: "Block IPs attempting RDP logins with forbidden usernames"
@@ -15,21 +14,3 @@ labels:
   label: "Windows Bruteforce Username"
   remediation: true
   service: windows
-
---
-
-type: trigger
-name: custom/geoip-block-non-uk
-description: "Block traffic from non-UK IP addresses"
-filter: "evt.Enriched.IsoCode != '' && evt.Enriched.IsoCode != 'GB'"
-groupby: evt.Meta.source_ip
-reprocess: true
-labels:
-  confidence: 3
-  spoofable: 0
-  classification:
-    - network.geo-blocking
-  behavior: "windows:geo-blocking"
-  label: "Non-UK Traffic Block"
-  remediation: true
-  service: windows
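Review bot: After the rename, the scenario's `name: custom/forbidden-usernames` in the first hunk no longer corresponds to the file name windows-username-filter.yaml, so anyone looking for the scenario by the name shown in alerts or listings will not find a matching file, and vice versa. If the intent is one scenario per file, consider aligning them, e.g. `name: custom/windows-username-filter`, while checking for any collection, profile or notification config that references the old name; otherwise keep the name and state the file's purpose in `description`. The scenario body (filter, groupby and the rest of `labels`) lies between the two hunks and is not visible here.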