Background Noise Filter is Now Available in CrowdSec Console


For larger infrastructures, reviewing blocked alerts through most cybersecurity software can be time-consuming especially when it is part of the day-to-day job. One can easily miss a critical alert, just because it is lost among all the others. This effect is usually referred to as “Alert Fatigue”. 

We’ve recently released a new UX feature aimed at saving you a lot of time reviewing the numerous alerts you may receive in the Console, by enabling a Background Noise (BN) filter that allows it to focus on specific attacks and increase productivity.

Background Noise filter is available on the top left corner of the visualizer
Background Noise filter enabled: 73% of the alerts were masked

This feature is now available in the Console for all the premium users and will improve their time efficiency at reviewing all their alerts. If you are a free user you can still find, in the top left corner, a glimpse of the number of signals you would exclude with this feature.

Enable the Background Noise filter by clicking on the top left corner of the visualizer. Available in both the summary and expanded view.


We define Background Noise (BN), sometimes also referred to as “Internet Background Radiation” as automatic and mild attacks that are perpetrated at a large scale, without a specific target, at a constant pace over time. It includes, for example, mass scanning, or brute-force attempts on popular services. This is the kind of automatic attack that typically targets a honeypot in mass scanning events, and is not specific to one domain or infrastructure in particular. 

To build the Background Noise filter relevant to this definition, we continuously analyze all our community data (yeah, that’s a lot!) and we evaluate 3 major criteria:

  • Scale: the number of watcher reports, as we assume BN emitters perform attacks on a large scale.
  • Diversity: the diversity of the watcher reporting in terms of IP ranges, Autonomous System Numbers (ASN), and countries. Background Noise emitters are likely to attack many countries and organizations while sticking to a particular attack type. We see IP ranges specialized in brute-forcing and others in spamming. Being reported should not be considered as BN. 
  • Timeline: the age and activity of a BN emitter in terms of lifetime and intensity. Large-scale scanners are usually well-established and perform mass scanning regularly for an extended period.

These criteria are turned into scores of 10 by continuously taking into account the distribution of the statistics in our database. The final BNS is just the average of the 3 intermediate scores and also ranges from 0 to 10, 10 meaning that this IP is performing non-targeted random attacks (noise). No black magic AI here: we can always track back to the source.

Next Steps

Currently, the filter available in the Console is only an on/off switch, but we plan to let the users tweak it at their own convenience in the future. Do you find it useful? Is there any other approach you would recommend? Please let us know using the feedback tool available directly on the Console.

You may also like

Discover CrowdSec’s Free Third-Party Blocklists
Product Updates

Discover CrowdSec’s Free Third-Party Blocklists

In case you missed it, we recently announced the new Blocklists Catalog in the CrowdSec Console. In the catalog, you can find several blocklists centralized in one place, including third-party blocklists that are free to all users.  All users on the CrowdSec Console can subscribe their Security Engines to third-party blocklists to secure their systems […]

Streamlining ELK Stack with CrowdSec via Syslog
Product Updates

Streamlining ELK Stack with CrowdSec via Syslog

By integrating CrowdSec with the ELK stack via Syslog, you can enhance your security monitoring capabilities and bolster your threat detection mechanisms.

Enabling Threat Hunting and Analysis with the Revamped CrowdSec CTI Report
Product Updates

Enabling Threat Hunting and Analysis with the Revamped CrowdSec CTI Report

We are introducing a much-needed revamp of the CrowdSec CTI report to empower threat hunters and analysts to swiftly locate vital threat information.