Background Noise Filter is Now Available in CrowdSec Console

Introduction

For larger infrastructures, reviewing blocked alerts in most cybersecurity software can be time-consuming, especially when it is part of the day-to-day job. A critical alert is easily missed simply because it is lost among all the others. This effect is usually referred to as “Alert Fatigue”.

We’ve recently released a new UX feature that saves you time when reviewing the numerous alerts you may receive in the Console: a Background Noise (BN) filter that lets you focus on specific attacks and increases productivity.

Background Noise filter is available on the top left corner of the visualizer
Background Noise filter enabled: 73% of the alerts were masked

This feature is now available in the Console for all premium users and will make reviewing their alerts more time-efficient. If you are a free user, you can still see, in the top left corner, a glimpse of the number of signals you would exclude with this feature.

Enable the Background Noise filter by clicking on the top left corner of the visualizer. It is available in both the summary and expanded views.

Description

We define Background Noise (BN), sometimes also referred to as “Internet Background Radiation”, as automatic and mild attacks that are perpetrated at a large scale, without a specific target, at a constant pace over time. It includes, for example, mass scanning or brute-force attempts on popular services. This is the kind of automatic attack that typically hits a honeypot during mass scanning events and is not specific to any one domain or infrastructure.

To build the Background Noise filter relevant to this definition, we continuously analyze all our community data (yeah, that’s a lot!) and we evaluate 3 major criteria:

  • Scale: the number of watcher reports, as we assume BN emitters perform attacks on a large scale.
  • Diversity: the diversity of the reporting watchers in terms of IP ranges, Autonomous System Numbers (ASN), and countries. Background Noise emitters are likely to attack many countries and organizations while sticking to a particular attack type. We see IP ranges specialized in brute-forcing and others in spamming. Being reported should not be considered as BN.
  • Timeline: the age and activity of a BN emitter in terms of lifetime and intensity. Large-scale scanners are usually well-established and perform mass scanning regularly for an extended period.

These criteria are each turned into a score out of 10 by continuously taking into account the distribution of the statistics in our database. The final Background Noise Score (BNS) is just the average of the 3 intermediate scores and also ranges from 0 to 10, with 10 meaning that this IP is performing non-targeted random attacks (noise). No black magic AI here: we can always trace a score back to its source.
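The scoring described above can be sketched as follows. This is an added example, not CrowdSec's code: the raw statistics chosen for each criterion, the percentile-rank mapping to 0-10, the masking threshold of 7.0 and all sample data are assumptions made for illustration.

```python
from bisect import bisect_right
from statistics import mean

# Constructed per-IP statistics: (watcher reports, distinct reporter ASNs, days active).
POPULATION = {
    "198.51.100.7": (12000, 340, 400),   # long-lived mass scanner
    "203.0.113.20": (8000, 150, 90),
    "192.0.2.15": (35, 3, 2),
    "192.0.2.77": (400, 1, 1),           # many reports, but all from a single ASN
    "198.51.100.99": (5, 2, 30),
}
CRITERIA = ("scale", "diversity", "timeline")


def percentile_score(value, sorted_values):
    """Score 0-10: share of the population at or below `value` (assumed mapping)."""
    return 10.0 * bisect_right(sorted_values, value) / len(sorted_values)


def background_noise_scores(population):
    """Return {ip: {"scale": s, "diversity": d, "timeline": t, "bns": average}}."""
    columns = [sorted(col) for col in zip(*population.values())]
    scores = {}
    for ip, stats in population.items():
        parts = [percentile_score(v, col) for v, col in zip(stats, columns)]
        scores[ip] = dict(zip(CRITERIA, parts), bns=round(mean(parts), 2))
    return scores


def split_alerts(alerts, scores, threshold=7.0):
    """Separate alerts into (kept, masked); IPs with no score are never masked."""
    kept, masked = [], []
    for alert in alerts:
        bns = scores.get(alert["ip"], {}).get("bns", 0.0)
        (masked if bns >= threshold else kept).append(alert)
    return kept, masked


if __name__ == "__main__":
    scores = background_noise_scores(POPULATION)
    alerts = [  # constructed alerts
        {"ip": "198.51.100.7", "scenario": "crowdsecurity/ssh-bf"},
        {"ip": "203.0.113.20", "scenario": "crowdsecurity/http-probing"},
        {"ip": "192.0.2.77", "scenario": "crowdsecurity/ssh-bf"},
        {"ip": "192.0.2.200", "scenario": "crowdsecurity/ssh-bf"},  # no score known
    ]
    kept, masked = split_alerts(alerts, scores)
    for ip, s in scores.items():
        print(ip, s)
    print(f"masked {len(masked)}/{len(alerts)} alerts")
```

Because every intermediate score is kept next to the final average, a masked alert can be traced back to the criterion that drove it; the IP reported 400 times from a single ASN scores low on diversity and stays visible.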

Next Steps

Currently, the filter available in the Console is only an on/off switch, but we plan to let the users tweak it at their own convenience in the future. Do you find it useful? Is there any other approach you would recommend? Please let us know using the feedback tool available directly on the Console.
