From 748902f78f03305245f314ba6f8b51c3a3ad338e Mon Sep 17 00:00:00 2001
From: boris22100 <64599630+boris22100@users.noreply.github.com>
Date: Wed, 27 May 2026 00:24:13 +0200
Subject: [PATCH] feat(scenario): add JMAP HTTP brute-force scenario for boris22100

---
 scenarios/boris22100/jmap-http-bf.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 scenarios/boris22100/jmap-http-bf.yaml

diff --git a/scenarios/boris22100/jmap-http-bf.yaml b/scenarios/boris22100/jmap-http-bf.yaml
new file mode 100644
index 00000000000..66643c4a733
--- /dev/null
+++ b/scenarios/boris22100/jmap-http-bf.yaml
@@ -0,0 +1,13 @@
+type: leaky
+name: boris22100/jmap-http-bf
+description: "Detect JMAP brute force attacks on HTTP/HTTPS endpoints"
+filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.request matches '^/jmap' && int(evt.Parsed.status) in [401, 403]"
+groupby: "evt.Meta.source_ip"
+capacity: 5
+leakspeed: "30s"
+blackhole: 5m
+labels:
+  service: http
+  remediation: ban
+  taxonomy:
+    attack: brute-force
\ No newline at end of file
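Review bot: The `filter:` line treats a 403 as a failed login, but on a JMAP endpoint a 403 is normally an authorization denial for an already-authenticated principal (or a rejected blob/push token), so an under-privileged legitimate client can earn a ban after five responses in 30s; restricting the status test to `in [401]` is what the description ("brute force") actually claims. The `^/jmap` anchor also appears to miss `/.well-known/jmap`, which is where JMAP clients present credentials during session discovery on the servers I'm aware of, so consider `evt.Parsed.request matches '^/(\\.well-known/)?jmap'` (the value is a double-quoted YAML scalar, so `\\.` reaches the expr engine as `\.`) — confirm against the target server's routes before widening it. I'd also prefer the string compare the standard http parsers expose, `evt.Meta.http_status in ['401']`, over `int(evt.Parsed.status)`, since the cast turns any event with a missing or non-numeric `status` into an expr evaluation error rather than a non-match. Two smaller points: quote `blackhole: "5m"` to match `leakspeed: "30s"`, and if this file is destined for the hub, the hub's label schema (`classification`, `behavior`, `label`, `spoofable`, `confidence`) is what `cscli` and the console consume, not the ad-hoc `taxonomy.attack` key.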