Want to improve the security of your ecommerce website?

Learn how

CrowdSec CTI integrations: TheHive – MISP – OpenCTI

Introduction

At CrowdSec, thanks to our community collaborating together to detect attacks, we have managed to build the largest detection network in the world with over 10 million pieces of detailed information about attacks, updated in real-time.

We are proud of the quality of our data and advanced curation of signals due to:

  • A wide qualitative network
  • Real servers (not only honey pots)
  • Located all over the world
  • Being in every sector of activity
  • An advanced expert system
  • Multifactor trust index for our signal sources
  • Partial cross-validation with a network of honeypots
  • Advanced diversity and anomaly detection

But also due to our CTI API (with this API we enrich your security tools with our premium data) which can be integrated easily, almost anywhere.

Our CTI is available via our console at https://app.crowdsec.net

First integrations

With the help of the members from our community, and following some requests, we’re happy to introduce the three following integrations of our Cyber Threat Intelligence (CTI):

  • TheHive – Cortex Analyzer
  • MISP module
  • OpenCTI connector

TheHive – Cortex Analyzer

We’d like to warmly thank the contributors from CERT Arkea for this integration.

The CrowdSec’s analyzer is included in the TheHive-Cortex Analyzers collection since version 3.2.0
They are ready to be used on your Observables.

You’ll find more information on how to use our analyzer in the official CrowdSec doc for TheHive-Cortext Analyzer

The presented data contains this information about the attacker:

  • IP + IPrange
  • Autonomous System (AS)
  • Location
  • First and Last sighting
  • Classification & attacks its known for
  • If it is or not a false positive
  • Aggressiveness overall 
  • Aggressiveness of past 1,7 and 30 days
Example of a malicious IP report

MISP

Requested by the community, the CrowdSec MISP enrichment module will add information from our Cyber Threat Intelligence (CTI) to your MISP events.

You’ll find more information on how to install and use our module in the official CrowdSec doc for MISP enricher module.

The presented data contains this information about the attacker:

  • IP + IPrange + Range score
  • Reverse DNS
  • AS Name and Number
  • Location and coordinates
  • Top 10 countries it’s attacking
  • First and Last sighting
  • Attacks its known for
  • Triggered scenarios
  • Trust on a scale of 0 to 5
    (Certainty that it’s a genuine attacker)
  • Aggressiveness, threat, trust and anomaly scores (on a scale of 0 to 5)
  • Overall
  • And past 1,7,30 days

OpenCTI

Another request from the community, the CrowdSec OpenCTI connector provides information about the type of attacks and links with related CVEs.

You’ll find more information on how to install and use our connector in the official CrowdSec doc for OpenCTI connector.

The presented data contains this information about the attacker:

  • IP + IPrangeReverse DNS
  • Top 10 countries it’s attacking
  • First and Last sighting
  • Attacks its known for
  • Triggered scenarios
  • Related CVEs

What’s next?

As the network continues to grow the coverage of our detection expands.

With more coverage comes a better analysis of the attacks and we’ll be able to:

  • Identify which IPs seem to be in coalition and from what specific infrastructure (VPN, proxy, botnet)
  • Know what infrastructure or industries they are targeting
  • Predict an attack from the rise of targeted activity

As the company and community grow we will encourage integration and collaboration with as many security solutions as possible in order to make the existing tools benefit from our network and expert system.

We’re looking forward to getting more enthusiastic requests to connect with CrowdSec!

You too can share your request and join the community:

Discord: https://discord.com/invite/crowdsec

Discourse: https://discourse.crowdsec.net/

You may also like

am i under attack
Product Updates

Am I Under Attack: Cut Through the Noise to Detect Sophisticated and Targeted Attacks with CrowdSec’s New feature

Am I Under Attack leverages advanced AI algorithms to detect anomalies in your logs indicating more sophisticated or targeted attacks.

new and advanced ip lookup search
Product Updates

Introducing the New and Advanced IP Lookup Search

In a previous article, we introduced the CTI Report, this time, we are taking it a step further and introducing new and advanced search options for our IP lookup.  You now have access to multiple search options to accurately and effectively explore the CrowdSec CTI.   Let’s take a look. IP lookup search These new search […]

Discover CrowdSec’s Free Third-Party Blocklists
Product Updates

Discover CrowdSec’s Free Third-Party Blocklists

In case you missed it, we recently announced the new Blocklists Catalog in the CrowdSec Console. In the catalog, you can find several blocklists centralized in one place, including third-party blocklists that are free to all users.  All users on the CrowdSec Console can subscribe their Security Engines to third-party blocklists to secure their systems […]