Add baserow collection for docker instance

.index.json

@@ -3152,6 +3152,27 @@
     "LePresidente/redmine-bf"
    ]
   },
+  "LearningSpot/baserow": {
+   "path": "collections/LearningSpot/baserow.yml",
+   "version": "0.1",
+   "versions": {
+    "0.1": {
+     "digest": "4572d46a4de2a365d2eed27abde750f507fee4330d8686a97ae8a5c327d38239",
+     "deprecated": false
+    }
+   },
+   "long_description": "QSBjb2xsZWN0aW9uIHRvIGRlZmVuZCBCYXNlcm93IGRvY2tlciBpbnN0YW5jZSBhZ2FpbnN0IGNvbW1vbiBhdHRhY2tzIDoKIC0gQmFzZXJvdyBwYXJzZXIKIC0gQmFzZXJvdyBicnV0ZWZvcmNlIGRldGVjdGlvbgoKIyMgQWNxdWlzaXRpb24gdGVtcGxhdGUKCkV4YW1wbGUgYWNxdWlzaXRpb24gZm9yIHRoaXMgY29sbGVjdGlvbiA6CgpJZiB1c2luZyBiYXNlcm93IGRvY2tlciBpbnN0YW5jZToKYGBgeWFtbAotLS0Kc291cmNlOiBkb2NrZXIKY29udGFpbmVyX25hbWU6CiAtIGJhc2Vyb3cKbGFiZWxzOgogIHR5cGU6IGJhc2Vyb3cKYGBgCg==",
+   "content": "cGFyc2VyczoKICAtIExlYXJuaW5nU3BvdC9iYXNlcm93LWxvZ3MKc2NlbmFyaW9zOgogIC0gTGVhcm5pbmdTcG90L2Jhc2Vyb3ctYmYKZGVzY3JpcHRpb246ICJCYXNlcm93IHBhcnNlciBhbmQgYnJ1dGUtZm9yY2UgZGV0ZWN0aW9uIgphdXRob3I6IExlYXJuaW5nU3BvdAp0YWdzOgogIC0gbGludXgKICAtIGJydXRlLWZvcmNlCiAgLSBiYXNlcm93Cg==",
+   "description": "Baserow parser and brute-force detection",
+   "author": "LearningSpot",
+   "labels": null,
+   "parsers": [
+    "LearningSpot/baserow-logs"
+   ],
+   "scenarios": [
+    "LearningSpot/baserow-bf"
+   ]
+  },
   "MariuszKociubinski/bitwarden": {
    "path": "collections/MariuszKociubinski/bitwarden.yaml",
    "version": "0.1",
@@ -7478,6 +7499,22 @@
    "author": "LePresidente",
    "labels": null
   },
+  "LearningSpot/baserow-logs": {
+   "path": "parsers/s01-parse/LearningSpot/baserow-logs.yaml",
+   "stage": "s01-parse",
+   "version": "0.1",
+   "versions": {
+    "0.1": {
+     "digest": "e10d8dcd7e90217e3b88525d5d7fa6cb0357403032e89af7cd698b02185243b6",
+     "deprecated": false
+    }
+   },
+   "long_description": "UGFyc2VyIGZvciBCYXNlcm93IExvZ3Mgd2l0aCBEb2NrZXIuCgpgYGB5YW1sCi0tLQpzb3VyY2U6IGRvY2tlcgpjb250YWluZXJfbmFtZToKIC0gYmFzZXJvdwpsYWJlbHM6CiAgdHlwZTogYmFzZXJvdwpgYGAK",
+   "content": "bmFtZTogTGVhcm5pbmdTcG90L2Jhc2Vyb3ctbG9ncwpkZXNjcmlwdGlvbjogIlBhcnNlIEJhc2Vyb3cgbG9naW4gbG9ncyIKZmlsdGVyOiAiZXZ0LlBhcnNlZC5wcm9ncmFtID09ICdiYXNlcm93X3NlcnZpY2UnIgpvbnN1Y2Nlc3M6IG5leHRfc3RhZ2UKbm9kZXM6CiAgLSBncm9rOgogICAgICBwYXR0ZXJuOiAnXiBcW0JBQ0tFTkRcXVxbJXtUSU1FU1RBTVBfSVNPODYwMTp0aW1lc3RhbXB9XF0gJXtJUDpzb3VyY2VfaXB9OiV7TlVNQkVSOmxlbmd0aH0gLSAiUE9TVCAvYXBpL3VzZXIvdG9rZW4tYXV0aC8gSFRUUC8xLjEiICV7TlVNQkVSOnN0YXR1c30nCiAgICAgIGFwcGx5X29uOiBtZXNzYWdlCiAgICAgIHN0YXRpY3M6CiAgICAgICAgLSBtZXRhOiBsb2dfdHlwZQogICAgICAgICAgdmFsdWU6IGJhc2Vyb3dfbG9naW4KICAgICAgICAtIHRhcmdldDogZXZ0LlN0clRpbWUKICAgICAgICAgIGV4cHJlc3Npb246IGV2dC5QYXJzZWQudGltZXN0YW1wCnN0YXRpY3M6CiAgLSBtZXRhOiBzZXJ2aWNlCiAgICB2YWx1ZTogYmFzZXJvdwogIC0gbWV0YTogc291cmNlX2lwCiAgICBleHByZXNzaW9uOiBldnQuUGFyc2VkLnNvdXJjZV9pcAogIC0gbWV0YTogc3RhdHVzCiAgICBleHByZXNzaW9uOiBldnQuUGFyc2VkLnN0YXR1cwogIC0gbWV0YTogZXZ0LlN0clRpbWUKICAgIGV4cHJlc3Npb246IGV2dC5QYXJzZWQudGltZXN0YW1wCg==",
+   "description": "Parse Baserow login logs",
+   "author": "LearningSpot",
+   "labels": null
+  },
   "MariuszKociubinski/bitwarden-logs": {
    "path": "parsers/s01-parse/MariuszKociubinski/bitwarden-logs.yaml",
    "stage": "s01-parse",
@@ -11058,6 +11095,29 @@
     "spoofable": 0
    }
   },
+  "LearningSpot/baserow-bf": {
+   "path": "scenarios/LearningSpot/baserow-bf.yaml",
+   "version": "0.1",
+   "versions": {
+    "0.1": {
+     "digest": "e19ce15421cc325c8c9c3f51d9314d9cbc95380c6fa6476a973ba7424abd7644",
+     "deprecated": false
+    }
+   },
+   "long_description": "RGV0ZWN0IGZhaWxlZCBiYXNlcm93IGF1dGhlbnRpY2F0aW9uczoKCmxlYWtzcGVlZCBvZiAxbSwgY2FwYWNpdHkgb2YgNSwgYmxhY2tob2xlIG9mIDVtIG9uIHNvdXJjZSBpcAo=",
+   "content": "dHlwZTogbGVha3kKbmFtZTogTGVhcm5pbmdTcG90L2Jhc2Vyb3ctYmYKZGVzY3JpcHRpb246ICJEZXRlY3QgZmFpbGVkIGxvZ2luIGF0dGVtcHRzIHRvIEJhc2Vyb3cgc2VydmljZSIKZmlsdGVyOiAiZXZ0Lk1ldGEubG9nX3R5cGUgPT0gJ2Jhc2Vyb3dfbG9naW4nICYmIGV2dC5NZXRhLnN0YXR1cyA9PSAnNDAxJyIKZ3JvdXBieTogZXZ0Lk1ldGEuc291cmNlX2lwCmxlYWtzcGVlZDogMW0KY2FwYWNpdHk6IDUKYmxhY2tob2xlOiA1bQpsYWJlbHM6CiAgc2VydmljZTogYmFzZXJvdwogIGNsYXNzaWZpY2F0aW9uOgogICAgLSBhdHRhY2suVDExMTAKICBiZWhhdmlvcjogImh0dHA6YnJ1dGVmb3JjZSIKICBsYWJlbDogIkJhc2Vyb3cgU2VydmljZSBGYWlsZWQgQXV0aCIKICByZW1lZGlhdGlvbjogdHJ1ZQo=",
+   "description": "Detect failed login attempts to Baserow service",
+   "author": "LearningSpot",
+   "labels": {
+    "behavior": "http:bruteforce",
+    "classification": [
+     "attack.T1110"
+    ],
+    "label": "Baserow Service Failed Auth",
+    "remediation": true,
+    "service": "baserow"
+   }
+  },
   "MariuszKociubinski/bitwarden-bf": {
    "path": "scenarios/MariuszKociubinski/bitwarden-bf.yaml",
    "version": "0.2",

collections/LearningSpot/baserow.md

@@ -0,0 +1,17 @@
+A collection to defend Baserow docker instance against common attacks :
+ - Baserow parser
+ - Baserow bruteforce detection
+
+## Acquisition template
+
+Example acquisition for this collection :
+
+If using baserow docker instance:
+```yaml
+---
+source: docker
+container_name:
+ - baserow
+labels:
+  type: baserow
+```

collections/LearningSpot/baserow.yml

@@ -0,0 +1,10 @@
+parsers:
+  - LearningSpot/baserow-logs
+scenarios:
+  - LearningSpot/baserow-bf
+description: "Baserow parser and brute-force detection"
+author: LearningSpot
+tags:
+  - linux
+  - brute-force
+  - baserow

parsers/s01-parse/LearningSpot/baserow-logs.md

@@ -0,0 +1,10 @@
+Parser for Baserow Logs with Docker.
+
+```yaml
+---
+source: docker
+container_name:
+ - baserow
+labels:
+  type: baserow
+```

parsers/s01-parse/LearningSpot/baserow-logs.yaml

@@ -0,0 +1,22 @@
+name: LearningSpot/baserow-logs
+description: "Parse Baserow login logs"
+filter: "evt.Parsed.program == 'baserow_service'"
+onsuccess: next_stage
+nodes:
+  - grok:
+      pattern: '^ \[BACKEND\]\[%{TIMESTAMP_ISO8601:timestamp}\] %{IP:source_ip}:%{NUMBER:length} - "POST /api/user/token-auth/ HTTP/1.1" %{NUMBER:status}'
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: baserow_login
+        - target: evt.StrTime
+          expression: evt.Parsed.timestamp
+statics:
+  - meta: service
+    value: baserow
+  - meta: source_ip
+    expression: evt.Parsed.source_ip
+  - meta: status
+    expression: evt.Parsed.status
+  - meta: evt.StrTime
+    expression: evt.Parsed.timestamp

scenarios/LearningSpot/baserow-bf.md

@@ -0,0 +1,3 @@
+Detect failed baserow authentications:
+
+leakspeed of 1m, capacity of 5, blackhole of 5m on source ip

scenarios/LearningSpot/baserow-bf.yaml

@@ -0,0 +1,15 @@
+type: leaky
+name: LearningSpot/baserow-bf
+description: "Detect failed login attempts to Baserow service"
+filter: "evt.Meta.log_type == 'baserow_login' && evt.Meta.status == '401'"
+groupby: evt.Meta.source_ip
+leakspeed: 1m
+capacity: 5
+blackhole: 5m
+labels:
+  service: baserow
+  classification:
+    - attack.T1110
+  behavior: "http:bruteforce"
+  label: "Baserow Service Failed Auth"
+  remediation: true