Rename custom-scenarios.yaml to plugins/scenarios/custom-scenarios.yaml

plugins/scenarios/custom-scenarios.yaml

@@ -0,0 +1,35 @@
+# scanarios:
+type: trigger
+name: custom/forbidden-usernames
+description: "Block IPs attempting RDP logins with forbidden usernames"
+filter: "evt.Parsed.username != '' && Lower(evt.Parsed.username) in ['administrator', 'admin', 'guest']"
+#blackhole: 2m
+groupby: evt.Meta.source_ip
+reprocess: true
+labels:
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "windows:bruteforce"
+  label: "Windows Bruteforce Username"
+  remediation: true
+  service: windows
+
+---
+
+type: trigger
+name: custom/geoip-block-non-uk
+description: "Block traffic from non-UK IP addresses"
+filter: "evt.Enriched.IsoCode != '' && evt.Enriched.IsoCode != 'GB'"
+groupby: evt.Meta.source_ip
+reprocess: true
+labels:
+  confidence: 3
+  spoofable: 0
+  classification:
+    - network.geo-blocking
+  behavior: "windows:geo-blocking"
+  label: "Non-UK Traffic Block"
+  remediation: true
+  service: windows