1# Proxmox authent bruteforce
2type: leaky
3name: fulljackz/proxmox-bf
4description: "Detect proxmox bruteforce"
5filter: "evt.Meta.log_type == 'pve_failed-auth'"
6leakspeed: "10s"
7capacity: 5
8groupby: evt.Meta.source_ip
9blackhole: 1m
10reprocess: true
11
12labels:
13  service: vm-management
14  confidence: 3
15  spoofable: 0
16  classification:
17    - attack.T1110
18  behavior: "vm-management:bruteforce"
19  label: "PveDaemon Bruteforce"
20  remediation: true
21---
22# Proxmox bad user
23type: leaky
24name: fulljackz/proxmox-bf-user-enum
25description: "Detect proxmox wrong username"
26filter: "evt.Meta.log_type == 'pve_failed-auth'"
27leakspeed: "10s"
28capacity: 5
29groupby: evt.Meta.source_ip
30distinct: evt.Meta.source_user
31blackhole: 1m
32reprocess: true
33labels:
34  service: vm-management
35  confidence: 3
36  spoofable: 0
37  classification:
38    - attack.T1589
39    - attack.T1110
40  behavior: "vm-management:bruteforce"
41  label: "PveDaemon User Enum Bruteforce"
42  remediation: true
43