False positives with nextcloud notes

I can’t use my nextcloud notes app without triggering the following decision:

“LePresidente/http-generic-403-bf” with my IP.

In general, what’s the protocol to manage false positives? Seems like you need to make some kind of whitelist or modification to the rules using yaml files? Any help is appreciated.

Hey, we are currently working on a Nextcloud whitelist that is evolving over time.

https://hub.crowdsec.net/author/crowdsecurity/configurations/nextcloud-whitelist

We need to know what events were poured to the bucket to know how we can add this application to the whitelists. Could you run:

cscli alerts inspect <id> -d

This will output a lot of information about each event that poured. You can remove the IP from the output, as we do not need this.
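For the step above about removing the IP from the output before posting it, here is an added example (not part of the original thread and not CrowdSec's own code): a filter that replaces each distinct IPv4/IPv6 address with a stable placeholder, so events from the same source stay correlatable. The script name redact_ips.py and the sample lines are constructed; the layout of real cscli output is not assumed.

```python
import ipaddress
import re
import sys

# Runs of characters that could form an IPv4/IPv6 literal, optionally with :port.
_RUN = re.compile(r"(?<![\w:.])[0-9A-Fa-f:.]{3,}(?!\w)")

# Constructed sample lines; they do not reproduce real cscli output.
SAMPLE = (
    "time: 2024-05-01T10:15:02Z source_ip: 203.0.113.7 http_status: 403\n"
    "time: 2024-05-01T10:15:03Z source_ip: 203.0.113.7 http_status: 403\n"
    "upstream 198.51.100.20:443 client 2001:DB8::1.\n"
)


def _parse(token):
    """Return (canonical_ip, trailing_text) if token holds an IP, else None."""
    core = token.rstrip(".")            # a sentence-final dot is not part of the IP
    tail = token[len(core):]
    candidates = [(core, "")]
    head, sep, port = core.rpartition(":")
    if sep and port.isdigit():          # IPv4 followed by :port
        candidates.append((head, sep + port))
    for ip, suffix in candidates:
        try:
            return str(ipaddress.ip_address(ip)), suffix + tail
        except ValueError:              # timestamps, status codes, hex-looking words
            continue
    return None


def redact(text):
    """Replace each distinct IP with a stable IP_n label; return (text, count)."""
    seen = {}

    def swap(match):
        parsed = _parse(match.group(0))
        if parsed is None:
            return match.group(0)
        ip, rest = parsed
        return seen.setdefault(ip, f"IP_{len(seen) + 1}") + rest

    return _RUN.sub(swap, text), len(seen)


if __name__ == "__main__":
    # Usage: cscli alerts inspect <id> -d | python3 redact_ips.py
    sys.stdout.write(redact(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)[0])
```

Dotted version strings such as 1.2.3.4 are also replaced, which errs on the side of over-redaction; read the result once before posting it.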

Cool, good to know there is a fix in process. Should I apply the nextcloud-whitelist now or wait?

Unfortunately I accidentally did a ‘cscli decisions delete -all’ or something to that effect when desperately trying to get my services back up. However, I have daily appdata backups of my docker containers… is this something I can pull directly from the docker appdata?