# Leaky-bucket scenario: repeated failed BookStack logins from a single
# source IP, regardless of which account is targeted.
type: leaky
name: xs539/bookstack-bf
description: 'Detect bookstack bruteforce'
# Only events tagged as a failed BookStack authentication are poured.
filter: "evt.Meta.log_type == 'bookstack_failed_auth'"
# One bucket per client address.
# NOTE(review): assumes evt.Meta.source_ip is the real client address; if
# BookStack sits behind a reverse proxy, confirm the log records the client
# and not the proxy, otherwise every user shares one bucket.
groupby: evt.Meta.source_ip
# One event leaks out of the bucket every 15 minutes.
leakspeed: 15m
# The bucket overflows (raises an alert) once it holds more than 3 events.
# NOTE(review): this is a low threshold for a 15m leak; confirm it is
# acceptable for legitimate users behind a shared NAT address.
capacity: 3
# After an overflow, further overflows for the same bucket key are
# silenced for 1 minute.
blackhole: 1m
labels:
  service: bookstack
  confidence: 3
  spoofable: 0
  classification:
    # MITRE ATT&CK T1110: Brute Force.
    - attack.T1110
  label: 'Bookstack Bruteforce'
  behavior: 'http:bruteforce'
  # Alerts from this scenario are eligible for a remediation decision.
  remediation: true
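---
# Leaky-bucket scenario: one source IP failing BookStack logins against
# several different usernames (user enumeration).
type: leaky
name: xs539/bookstack-bf_user-enum
# Fixed: the description was copied from the plain bruteforce scenario and
# did not match this scenario's label.
description: "Detect bookstack user enumeration bruteforce"
# Only events tagged as a failed BookStack authentication are poured.
filter: "evt.Meta.log_type == 'bookstack_failed_auth'"
# One bucket per client address.
# NOTE(review): assumes evt.Meta.source_ip is the real client address; if
# BookStack sits behind a reverse proxy, confirm the log records the client
# and not the proxy.
groupby: evt.Meta.source_ip
# An event is only poured if its target_user is not already in the bucket,
# so repeated failures against one account do not count here.
# NOTE(review): assumes the parser populates evt.Meta.target_user for every
# failed-auth event; confirm against the parser.
distinct: evt.Meta.target_user
# One event leaks out of the bucket every 15 minutes.
leakspeed: 15m
# The bucket overflows (raises an alert) once it holds more than 3 events,
# i.e. failures against more than 3 distinct usernames.
capacity: 3
# After an overflow, further overflows for the same bucket key are
# silenced for 1 minute.
blackhole: 1m
labels:
  service: bookstack
  confidence: 3
  spoofable: 0
  classification:
    # MITRE ATT&CK T1589: Gather Victim Identity Information.
    - attack.T1589
  label: "Bookstack User Enumeration"
  behavior: "http:bruteforce"
  # Alerts from this scenario are eligible for a remediation decision.
  remediation: true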