GNU nano 8.4                                                                                        /etc/crowdsec/scenarios/proxmox-bf.yaml                                                                                                 
# Proxmox authent bruteforce
type: leaky
name: fulljackz/proxmox-bf
description: "Detect proxmox bruteforce"
filter: "evt.Meta.log_type == 'pve_failed-auth'"
leakspeed: "60s"
capacity: 2
groupby: evt.Meta.source_ip
blackhole: 1m
reprocess: true

labels:
  service: vm-management
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "vm-management:bruteforce"
  label: "PveDaemon Bruteforce"
  remediation: true
---
# Proxmox bad user
type: leaky
name: fulljackz/proxmox-bf-user-enum
description: "Detect proxmox wrong username"
filter: "evt.Meta.log_type == 'pve_failed-auth'"
leakspeed: "60s"
capacity: 2
groupby: evt.Meta.source_ip
distinct: evt.Meta.source_user
blackhole: 1m
reprocess: true
labels:
  service: vm-management
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1589
    - attack.T1110
  behavior: "vm-management:bruteforce"
  label: "PveDaemon User Enum Bruteforce"
  remediation: true