type: trigger
name: custom/forbidden-usernames
description: "Block IPs attempting RDP logins with forbidden usernames"
filter: "evt.Parsed.username != '' && Lower(evt.Parsed.username) in ['administrator', 'admin', 'guest']"
#blackhole: 2m
groupby: evt.Meta.source_ip
reprocess: true
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "windows:bruteforce"
  label: "Windows Bruteforce Username"
  remediation: true
  service: windows