1---
2type: leaky
3name: crowdsecurity/nextcloud-bf
4description: "Detect Nextcloud bruteforce"
5filter: "evt.Meta.log_type in ['nextcloud_failed_auth', 'nextcloud_bruteforce_attempt']"
6leakspeed: "1m"
7capacity: 5
8# if we have bruteforce protection enabled in nextcloud, the same login attempt
9# can log # both login failure and bruteforce attempt at the same time, so
10# keep them in seperate buckets
11groupby: evt.Meta.source_ip + '--' + evt.Meta.log_type
12blackhole: 5m
13reprocess: true
14labels:
15  remediation: true
16  confidence: 3
17  spoofable: 0
18  classification:
19    - attack.T1110
20  behavior: "http:bruteforce"
21  label: "NextCloud Bruteforce"
22  service: nextcloud
23---
24type: leaky
25name: crowdsecurity/nextcloud-bf_user_enum
26description: "Detect Nextcloud user enum bruteforce"
27filter: "evt.Meta.log_type == 'nextcloud_failed_auth'"
28leakspeed: "1m"
29capacity: 5
30groupby: evt.Meta.source_ip
31distinct: evt.Meta.target_user
32blackhole: 5m
33reprocess: true
34labels:
35  remediation: true
36  confidence: 3
37  spoofable: 0
38  classification:
39    - attack.T1110
40  behavior: "http:bruteforce"
41  label: "NextCloud Bruteforce"
42  service: nextcloud
43---
44type: leaky
45name: crowdsecurity/nextcloud-bf_domain_error
46description: "Detect Nextcloud domain error"
47filter: "evt.Meta.log_type == 'nextcloud_domain_error'"
48leakspeed: "1m"
49capacity: 5
50groupby: evt.Meta.source_ip
51blackhole: 5m
52reprocess: true
53labels:
54  remediation: true
55  confidence: 3
56  spoofable: 0
57  classification:
58    - attack.T1110
59  behavior: "http:bruteforce"
60  label: "NextCloud Bruteforce"
61  service: nextcloud
62