Create windows-geoip-block.yaml

2025-03-04 21:17:20 +00:00
parent 9da38e0526
commit cb88473b0e
1 changed files with 15 additions and 0 deletions
--- a/plugins/scenarios/windows-geoip-block.yaml
+++ b/plugins/scenarios/windows-geoip-block.yaml
@@ -0,0 +1,15 @@
+type: trigger
+name: custom/geoip-block-non-uk
+description: "Block traffic from non-UK IP addresses"
+filter: "evt.Enriched.IsoCode != '' && evt.Enriched.IsoCode != 'GB'"
+groupby: evt.Meta.source_ip
+reprocess: true
+labels:
+  confidence: 3
+  spoofable: 0
+  classification:
+    - network.geo-blocking
+  behavior: "windows:geo-blocking"
+  label: "Non-UK Traffic Block"
+  remediation: true
+  service: windows