Simplify Threat Detection with Alert Context

Understanding the triggers behind a security alert is crucial for smooth security operations and simplifying threat detection.

This is the main motivation behind CrowdSec’s new feature Alert Context.

Only seeing limited amount of information (i.e., source of threat, attack scenario, and timestamp) is often not enough for teams to properly decipher their security alerts. That is why we decided to introduce a new feature for the CrowdSec Console, Alert Context.

Often, a single CrowdSec Security Engine will be used to protect a wide perimeter, and getting more precise information about what specifically is under attack and via what vector is a crucial part of threat analysis and automation.

For example: 

• A very basic usage is identifying which log file(s) were involved in detecting the threat.
• When hosting multiple sites, understanding what Fully Qualified Domain Name (FQDN) and path is being targeted by the attack can potentially mean you have a vulnerable URL.
• You can identify more serious threats among the noise, namely, what users are being targeted for brute force attempts (generic admin names or potentially compromised accounts)
• Watch sensible resources under attack with the ability to have the http_path in the context

In this article, I’ll show you how to set up the Alert Context feature and how to visualize the context for your alerts.

Add context to your alerts

The context of an alert can be extracted from any metadata that was locally parsed to identify malicious activity and trigger an alert via your installed scenarios.

You can refer to our documentation to learn more about contextualizing alerts.

Prerequisites

This feature is available since version 1.5 of our Security Engine.

You can check your version using the command sudo cscli version.

The context available to you depends on the parsers that came along the collections or scenarios you installed. In order to know what context is available to you use the command sudo cscli lapi context detect –all and you’ll get the list of metadata values for each available parser, looking something similar to this:

Acquisition :

  - evt.Line.Module
  - evt.Line.Raw
  - evt.Line.Src

crowdsecurity/http-logs :

  - evt.Meta.http_path
[...]

crowdsecurity/nginx-logs :

  - evt.Meta.http_path
  - evt.Meta.http_status
  - evt.Meta.http_user_agent
  - evt.Meta.target_fqdn
[...]

crowdsecurity/sshd-logs :

  - evt.Meta.log_type
  - evt.Meta.source_ip
  - evt.Meta.target_user
 [...]

Setting up the context map for your alerts

To add context to your alerts, you can do so by using the sudo cscli lapi context add command like so:

>> sudo cscli lapi context add --key target_user --value evt.Meta.target_user
INFO[26-06-2023 19:38:01] key 'target_user' added                      
INFO[26-06-2023 19:38:01] value 'evt.Meta.target_user' added to key 'target_user' 
INFO[26-06-2023 19:38:01] /etc/crowdsec/console/context.yaml file saved

Alerts raised after the addition of context will contain the value of that metadata if it was populated by the workflow leading to this alert.

Here is a list of contexts commonly added for http and ssh parsers:

sudo cscli lapi context add  --key  http_path --value  evt.Meta.http_path
sudo cscli lapi context add  --key  http_status --value  evt.Meta.http_status
sudo cscli lapi context add  --key  http_user_agent --value  evt.Meta.http_user_agent
sudo cscli lapi context add  --key  http_verb --value  evt.Meta.http_verb
sudo cscli lapi context add  --key  log_type --value  evt.Meta.log_type
sudo cscli lapi context add  --key  target_fqdn --value  evt.Meta.target_fqdn
sudo cscli lapi context add  --key  auth --value  evt.Parsed.auth
sudo cscli lapi context add  --key  clientip --value  evt.Parsed.clientip
sudo cscli lapi context add  --key  httpversion --value  evt.Parsed.httpversion
sudo cscli lapi context add  --key  port --value  evt.Parsed.port
sudo cscli lapi context add  --key  referrer --value  evt.Parsed.referrer
sudo cscli lapi context add  --key  file_dir --value  evt.Parsed.file_dir
sudo cscli lapi context add  --key  file_ext --value  evt.Parsed.file_ext
sudo cscli lapi context add  --key  file_frag --value  evt.Parsed.file_frag
sudo cscli lapi context add  --key  file_name --value  evt.Parsed.file_name
sudo cscli lapi context add  --key  http_args --value  evt.Parsed.http_args
sudo cscli lapi context add  --key  datasource_path --value  evt.Meta.datasource_path
sudo cscli lapi context add  --key  datasource_type --value  evt.Meta.datasource_type
sudo cscli lapi context add  --key  target_user --value  evt.Meta.target_user
sudo cscli lapi context add  --key  machine --value  evt.Meta.machine
sudo cscli lapi context add  --key  username --value  evt.Meta.username
sudo cscli lapi context add  --key  computer --value  evt.Parsed.Computer
sudo cscli lapi context add  --key  usersid --value  evt.Parsed.UserSID

Visualize alert context

As always, you can use our cscli tool view alert context, as well as display them in the Console, giving you more control over your visualization.

Get the context of an alert via command line

Visualize the context of alerts using the following command:

sudo cscli alerts inspect

Notice here the multiple targeted users for this brute force attempts — they look pretty generic, typical of random bot attacks. If one of them looked like a legitimate user, or worse, if it was an actual user on this server we could identify this threat as targeted and should investigate the potentially compromised identity or credentials of this user.

Get better insights via the console

In order to send context to the console you’ll need to enable this communication and restart the Security Engine using the following commands:

sudo cscli console enable context and then sudo systemctl reload crowdsec.

>> sudo cscli console enable context
INFO[28-06-2023 20:57:22] [context] have been enabled                  
INFO[28-06-2023 20:57:22] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective. 
>> sudo systemctl reload crowdsec

From that point on, new alerts reaching the Console will be enriched with the context.

After displaying the context column in you Alert View, this is what you should expect to see for those alerts:

In addition to all previously existing filters, you can filter your alerts using the key or key+value options of the context in order to better investigate malicious activity.

Summing up

We have developed this feature in response to valuable user feedback and detailed exchanges about their specific use cases. Your insights are essential for us to continue evolving, so please don’t hesitate to reach out through the feedback options in the console or message us on our community platforms on Discord and Discourse.