Refine SFTPGo log parsing and update bruteforce detection parameters

Azlaroc · Azlaroc · commit 32de5fe44be1 · 2025-09-09T00:27:49.000Z
diff --git a/parsers/s01-parse/Azlaroc/sftpgo-logs.yaml b/parsers/s01-parse/Azlaroc/sftpgo-logs.yaml
@@ -2,11 +2,11 @@ onsuccess: next_stage
 pattern_syntax:
   SFTPGO_TIME: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\.%{NUMBER}'
   SFTPGO_FAILED: '\{"level":"%{WORD:log_level}","time":"%{SFTPGO_TIME:evt_time}","sender":"connection_failed","client_ip":"%{IPV4:client_ip}","username":"%{DATA:username}","login_type":"%{DATA:login_type}","protocol":"%{WORD:protocol}","error":"%{GREEDYDATA:error}"\}'
-filter: evt.Line.Labels.type == 'sftpgo'
+filter: evt.Parsed.program == 'sftpgo'
 nodes:
   - grok:
       name: SFTPGO_FAILED
-      apply_on: Line.Raw
+      apply_on: message
       statics:
         - meta: log_type
           value: sftpgo_auth
diff --git a/scenarios/Azlaroc/sftpgo-bf.yaml b/scenarios/Azlaroc/sftpgo-bf.yaml
@@ -3,8 +3,8 @@ name: Azlaroc/sftpgo-bf
 description: "Detect SFTPGo bruteforce attacks on FTP/SSH"
 filter: "evt.Meta.log_type == 'sftpgo_auth' && evt.Meta.is_failed_login == 'true'"
 groupby: evt.Meta.source_ip
-capacity: 5
-leakspeed: "2m"
+capacity: 3
+leakspeed: "30s"
 blackhole: 4h
 labels:
   service: sftpgo
