cscli scenarios install crowdsecurity/nextcloud-bf
Detects brute-force attacks on a Nextcloud instance.
---
# Scenario 1 of 3: repeated failed logins / Nextcloud brute-force notices
# coming from one source IP.
# Leaky bucket: holds up to `capacity` events and drains one every
# `leakspeed`; it overflows, raising an alert, when events arrive faster
# than that.
type: leaky
name: crowdsecurity/nextcloud-bf
description: "Detect Nextcloud bruteforce"
# Both log types are produced by a parser that is not shown here.
filter: "evt.Meta.log_type in ['nextcloud_failed_auth', 'nextcloud_bruteforce_attempt']"
leakspeed: "1m"
capacity: 5
# If brute-force protection is enabled in Nextcloud, the same login attempt
# can log both a login failure and a brute-force attempt at the same time,
# so keep them in separate buckets (one bucket per source IP and log type)
# to avoid counting a single attempt twice.
# NOTE(review): source_ip is whatever address the Nextcloud log recorded; if
# the instance sits behind a reverse proxy, confirm the log carries the
# client address and not the proxy's before relying on remediation.
groupby: evt.Meta.source_ip + '--' + evt.Meta.log_type
# After an overflow, further overflows for the same bucket key are
# discarded for 5 minutes, which limits duplicate alerts.
blackhole: 5m
# The overflow is fed back into the pipeline as an event so that other
# scenarios can consume it.
reprocess: true
labels:
  # Alerts from this scenario are meant to lead to a remediation decision.
  remediation: true
  confidence: 3
  spoofable: 0
  classification:
    # MITRE ATT&CK T1110: Brute Force.
    - attack.T1110
  behavior: "http:bruteforce"
  label: "NextCloud Bruteforce"
  service: nextcloud
---
# Scenario 2 of 3: one source IP failing authentication against several
# different accounts (user enumeration / password spraying pattern).
type: leaky
name: crowdsecurity/nextcloud-bf_user_enum
description: "Detect Nextcloud user enum bruteforce"
filter: "evt.Meta.log_type == 'nextcloud_failed_auth'"
leakspeed: "1m"
capacity: 5
groupby: evt.Meta.source_ip
# Only events whose target_user is not already in the bucket are counted,
# so repeated failures against a single account do not fill this bucket.
distinct: evt.Meta.target_user
blackhole: 5m
reprocess: true
labels:
  remediation: true
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "http:bruteforce"
  # Same label as the scenario above; tell the alerts apart by scenario name.
  label: "NextCloud Bruteforce"
  service: nextcloud
---
# Scenario 3 of 3: repeated 'nextcloud_domain_error' events from one
# source IP.
type: leaky
name: crowdsecurity/nextcloud-bf_domain_error
description: "Detect Nextcloud domain error"
filter: "evt.Meta.log_type == 'nextcloud_domain_error'"
leakspeed: "1m"
capacity: 5
groupby: evt.Meta.source_ip
blackhole: 5m
reprocess: true
labels:
  remediation: true
  confidence: 3
  spoofable: 0
  # NOTE(review): classified as T1110 / http:bruteforce like the two
  # scenarios above, although the filter matches domain errors rather than
  # authentication failures; confirm this classification is intended.
  classification:
    - attack.T1110
  behavior: "http:bruteforce"
  label: "NextCloud Bruteforce"
  service: nextcloud