From b22b5f2af347b59a0e1167e527825b3a85fc2dbb Mon Sep 17 00:00:00 2001
From: ghostersk <68815071+ghostersk@users.noreply.github.com>
Date: Tue, 4 Mar 2025 21:10:36 +0000
Subject: [PATCH] Create custom-scenarios.yaml
---
custom-scenarios.yaml | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 custom-scenarios.yaml
diff --git a/custom-scenarios.yaml b/custom-scenarios.yaml
new file mode 100644
index 0000000..d079c14
--- /dev/null
+++ b/custom-scenarios.yaml
@@ -0,0 +1,35 @@
+# scanarios: