CrowdSec

Check CrowdSec Threat Intelligence (CTI) about an IP address.

Running the analyzer exposes the result as taxonomies in the short report displayed on the IP observable.

(Screenshot: short result example)

The raw report contains the whole JSON response from CrowdSec.

e.g.:

```json
{
  "ip_range_score": 0,
  "ip": "223.171.256.256",
  "ip_range": "223.171.0.0/16",
  "as_name": "LGTELECOM",
  "as_num": 17853,
  "location": {
    "country": "KR",
    "city": null,
    "latitude": 42,
    "longitude": 42
  },
  "reverse_dns": null,
  "behaviors": [
    {
      "name": "pop3/imap:bruteforce",
      "label": "POP3/IMAP Bruteforce",
      "description": "IP has been reported for performing a POP3/IMAP brute force attack."
    }
  ],
  "history": {
    "first_seen": "2022-09-26T03:45:00+00:00",
    "last_seen": "2022-10-11T08:15:00+00:00",
    "full_age": 16,
    "days_age": 15
  },
  "classifications": {
    "false_positives": [],
    "classifications": []
  },
  "attack_details": [
    {
      "name": "crowdsecurity/postfix-spam",
      "label": "Postfix Bruteforce",
      "description": "Detect spammers/postfix brute force",
      "references": []
    }
  ],
  "target_countries": {
    "DE": 25,
    "FR": 25,
    "PL": 25,
    "SK": 25
  },
  "scores": {
    "overall": {
      "aggressiveness": 0,
      "threat": 4,
      "trust": 0,
      "anomaly": 1,
      "total": 1
    },
    "last_day": {
      "aggressiveness": 0,
      "threat": 0,
      "trust": 0,
      "anomaly": 1,
      "total": 0
    },
    "last_week": {
      "aggressiveness": 0,
      "threat": 4,
      "trust": 0,
      "anomaly": 1,
      "total": 1
    },
    "last_month": {
      "aggressiveness": 0,
      "threat": 4,
      "trust": 0,
      "anomaly": 1,
      "total": 1
    }
  },
  "references": []
}
```
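As an added example (not the analyzer's own code), the following Python sketch shows how a CTI response like the one above can be reduced to the taxonomy entries Cortex shows in the short report. The mapping of the CrowdSec `total` score to Cortex levels and the predicate names are assumptions made for this illustration, not the analyzer's actual rules.

```python
import json

# Constructed sample: a trimmed copy of the CrowdSec CTI response shown above.
SAMPLE_REPORT = json.loads("""
{
  "ip": "223.171.256.256",
  "as_name": "LGTELECOM",
  "behaviors": [{"name": "pop3/imap:bruteforce", "label": "POP3/IMAP Bruteforce"}],
  "history": {"first_seen": "2022-09-26T03:45:00+00:00",
              "last_seen": "2022-10-11T08:15:00+00:00"},
  "classifications": {"false_positives": [], "classifications": []},
  "scores": {"overall": {"aggressiveness": 0, "threat": 4, "trust": 0,
                         "anomaly": 1, "total": 1}}
}
""")


def taxonomy(predicate, value, level):
    """Build one short-report entry in the namespace/predicate/value/level shape Cortex uses."""
    return {"namespace": "CrowdSec", "predicate": predicate, "value": str(value), "level": level}


def summarize(report):
    """Reduce a CrowdSec CTI JSON response to Cortex taxonomies.

    The score thresholds below are an assumption for this example: CrowdSec scores
    run 0-5, and here 4+ is treated as malicious, 1-3 as suspicious, 0 as info.
    """
    taxonomies = []
    overall = report.get("scores", {}).get("overall", {})
    total = overall.get("total", 0)
    if total >= 4:
        level = "malicious"
    elif total >= 1:
        level = "suspicious"
    else:
        level = "info"
    taxonomies.append(taxonomy("Score", total, level))
    # A non-empty false_positives list means CrowdSec itself considers reports on this
    # IP benign (e.g. a known crawler), so surface that as a "safe" entry for the analyst.
    fps = report.get("classifications", {}).get("false_positives", [])
    if fps:
        labels = ", ".join(f.get("label") or f.get("name", "unknown") for f in fps)
        taxonomies.append(taxonomy("FalsePositive", labels, "safe"))
    for behavior in report.get("behaviors", []):
        taxonomies.append(taxonomy("Behavior", behavior.get("label", behavior.get("name")), level))
    if report.get("as_name"):
        taxonomies.append(taxonomy("AS", report["as_name"], "info"))
    last_seen = report.get("history", {}).get("last_seen")
    if last_seen:
        taxonomies.append(taxonomy("LastSeen", last_seen[:10], "info"))
    return taxonomies
```

Running `summarize(SAMPLE_REPORT)` yields a suspicious Score entry, a Behavior entry for the POP3/IMAP brute force, plus informational AS and LastSeen entries; an empty response degrades to a single info-level Score of 0.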

Requirements

Provide a CrowdSec CTI API key as the value of the api_key parameter.

Crowdsec_Analyzer

Author: CERT-ARKEA
License: AGPL-V3
Version: 1.0
Supported observables types:
- ip
Registration required: True
Subscription required: True
Free subscription: True
Third party service: https://www.crowdsec.net/product/threat-intelligence

Description

Queries the CrowdSec CTI API for an IP address.

Configuration

| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Required |
|-----------|-------------|---------------------------------|------|-----------------------------|----------|
| api_key | CrowdSec API key | N/A | string | False | True |

Template samples for TheHive