Introducing the New and Advanced IP Lookup Search

In a previous article, we introduced the CTI Report. This time, we are taking it a step further and introducing new and advanced search options for our IP lookup.

You now have access to multiple search options to accurately and effectively explore the CrowdSec CTI.  

Let’s take a look.

IP lookup search

These new search options allow you to find all the IP addresses known in CrowdSec Threat Intelligence that match the parameters of your query. Previously, the search options allowed you to look up all the information related to a single IP. Now, you can set up a query and access information on multiple IPs matching your parameters.

All the available fields to query are documented in the CTI Documentation, or you can simply use the fields available in the response of the CTI API.

On the IP lookup homepage, we provide some examples of what you can find and the corresponding query. Feel free to use them as examples and to edit them to better suit your needs.

Let’s look at a simple example here. Assuming you want to see known proxies or VPNs used for attacks, you can use the following query:

classifications.classifications.name:"crowdsec:ai_vpn_proxy" AND (reputation:malicious OR reputation:suspicious)

Note: We understand that the query syntax is not that intuitive at this stage, but we are planning to release a V3 of the CTI API very soon that will make queries much simpler.

You can match an exact value for your query, but you can also use wildcards or regular expressions. For example, you can query all the IP addresses that have been reported for at least one CVE with the following wildcard query:

cves:CVE-*

Or you can query all IPs belonging to Amazon or Google with the following regular expressions:

as_name:/(amazon-02|google)/

You can find how to write advanced queries in the CrowdSec Search Queries documentation.
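To show how the three queries above resolve against the nested fields of a CTI API record, here is an added Python example (not CrowdSec's code) that evaluates them offline over constructed records. The case-insensitive matching and the fan-out of a dotted path over arrays are assumptions about how the console indexes the data.

```python
import fnmatch
import re

# Constructed sample records (not real CTI data), shaped like the CTI API
# response fields the post queries: reputation, as_name, cves and
# classifications.classifications[].name
RECORDS = [
    {"ip": "203.0.113.10", "reputation": "malicious", "as_name": "AMAZON-02",
     "cves": ["CVE-2021-41773"], "classifications": {"classifications": [{"name": "crowdsec:ai_vpn_proxy"}]}},
    {"ip": "198.51.100.7", "reputation": "suspicious", "as_name": "GOOGLE",
     "cves": [], "classifications": {"classifications": [{"name": "crowdsec:ai_vpn_proxy"}]}},
    {"ip": "192.0.2.55", "reputation": "known", "as_name": "EXAMPLE-NET",
     "cves": ["CVE-2017-5638"], "classifications": {"classifications": [{"name": "community-blocklist"}]}},
    {"ip": "192.0.2.99", "reputation": "benign", "as_name": "AMAZON-02",
     "cves": [], "classifications": {"classifications": []}},
]

def values_at(obj, path):
    """Resolve a dotted field path; lists fan out so one record can hold
    several values for the same field (e.g. several CVEs)."""
    if isinstance(obj, list):
        return [v for item in obj for v in values_at(item, path)]
    if not path:
        return [obj]
    head, _, rest = path.partition(".")
    return values_at(obj[head], rest) if isinstance(obj, dict) and head in obj else []

def matches(record, field, pattern):
    """One field term: exact value, '*' wildcard, or /regex/ as in the post.
    Matching is case-insensitive here (an assumption about the console)."""
    vals = [str(v).lower() for v in values_at(record, field)]
    if pattern.startswith("/") and pattern.endswith("/"):
        rx = re.compile(pattern[1:-1], re.IGNORECASE)
        return any(rx.search(v) for v in vals)
    if "*" in pattern or "?" in pattern:
        return any(fnmatch.fnmatchcase(v, pattern.lower()) for v in vals)
    return pattern.lower() in vals

def vpn_proxy_attackers(records=RECORDS):
    """classifications.classifications.name:"crowdsec:ai_vpn_proxy" AND (reputation:malicious OR reputation:suspicious)"""
    return [r["ip"] for r in records
            if matches(r, "classifications.classifications.name", "crowdsec:ai_vpn_proxy")
            and (matches(r, "reputation", "malicious") or matches(r, "reputation", "suspicious"))]

def reported_for_any_cve(records=RECORDS):
    """cves:CVE-*"""
    return [r["ip"] for r in records if matches(r, "cves", "CVE-*")]

def amazon_or_google(records=RECORDS):
    """as_name:/(amazon-02|google)/"""
    return [r["ip"] for r in records if matches(r, "as_name", "/(amazon-02|google)/")]
```

A record with an empty classifications array yields no values for the nested path, so it is excluded rather than causing an error.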

One thing to note, though: we haven’t released the auto-completion feature yet. However, this is the next step in improving the advanced IP lookup search, and it’s coming soon! Until then, when clicking on the search bar (when it’s empty), you will see all the available fields to query.

Advanced IP lookup search results

Let’s quickly explore the search results and decipher the information presented.

IP cards

Once you run your query, you will be redirected to the search results page, where you will get all the IP addresses you were looking for.

On this page, you will see a small card for each IP address that matches your search, the total number of results, and a left column with some facets. Each card will show the most important information about the IP address, such as the IP reputation, the last time we saw it in our database, the range, autonomous system, country, and some classifications and behaviors about the IP.

Note: You will see only 10 IP addresses per page, but you can go through as many pages as you like.

Facets

On the left side of the page, you will find a facets column.

These facets serve two purposes: they provide helpful statistics related to your query and allow you to refine and filter your search results by clicking on any facet value. This makes it much easier to adjust your query directly based on the data shown.

The facets display detailed stats to give you a clear overview of the top results. Here’s what you will see:

Although simple, this advanced IP lookup search can take your threat intelligence and threat hunting game to the next level! Go check out the new search options and reach out to us on Discord or Discourse with your feedback or any questions you might have.

Happy hunting! 
