CrowdSec CTI integrations: TheHive - MISP - OpenCTI

Introduction

At CrowdSec, thanks to our community collaborating together to detect attacks, we have managed to build the largest detection network in the world with over 10 million pieces of detailed information about attacks, updated in real-time.

We are proud of the quality of our data and advanced curation of signals due to:

• A wide qualitative network

• Real servers (not only honey pots)
• Located all over the world
• Being in every sector of activity

• An advanced expert system

• Multifactor trust index for our signal sources
• Partial cross-validation with a network of honeypots
• Advanced diversity and anomaly detection

But also due to our CTI API (with this API we enrich your security tools with our premium data) which can be integrated easily, almost anywhere.

Our CTI is available via our console at https://app.crowdsec.net

First integrations

With the help of the members from our community, and following some requests, we’re happy to introduce the three following integrations of our Cyber Threat Intelligence (CTI):

• TheHive - Cortex Analyzer
• MISP module
• OpenCTI connector

TheHive - Cortex Analyzer

We’d like to warmly thank the contributors from CERT Arkea for this integration.

The CrowdSec’s analyzer is included in the TheHive-Cortex Analyzers collection since version 3.2.0
They are ready to be used on your Observables.

You’ll find more information on how to use our analyzer in the official CrowdSec doc for TheHive-Cortext Analyzer

The presented data contains this information about the attacker:

• IP + IPrange
• Autonomous System (AS)
• Location
• First and Last sighting
  

• Classification & attacks its known for
• If it is or not a false positive
• Aggressiveness overall 
• Aggressiveness of past 1,7 and 30 days

MISP

Requested by the community, the CrowdSec MISP enrichment module will add information from our Cyber Threat Intelligence (CTI) to your MISP events.

You’ll find more information on how to install and use our module in the official CrowdSec doc for MISP enricher module.

The presented data contains this information about the attacker:

• IP + IPrange + Range score
• Reverse DNS
• AS Name and Number
• Location and coordinates
• Top 10 countries it’s attacking
• First and Last sighting
  

• Attacks its known for
• Triggered scenarios
• Trust on a scale of 0 to 5
  (Certainty that it’s a genuine attacker)
  

• Aggressiveness, threat, trust and anomaly scores (on a scale of 0 to 5)

• Overall
• And past 1,7,30 days

OpenCTI

Another request from the community, the CrowdSec OpenCTI connector provides information about the type of attacks and links with related CVEs.

You’ll find more information on how to install and use our connector in the official CrowdSec doc for OpenCTI connector.

The presented data contains this information about the attacker:

• IP + IPrangeReverse DNS
• Top 10 countries it’s attacking
• First and Last sighting
• Attacks its known for
  

• Triggered scenarios
• Related CVEs

What’s next?

As the network continues to grow the coverage of our detection expands.

With more coverage comes a better analysis of the attacks and we’ll be able to:

• Identify which IPs seem to be in coalition and from what specific infrastructure (VPN, proxy, botnet)
• Know what infrastructure or industries they are targeting
• Predict an attack from the rise of targeted activity

As the company and community grow we will encourage integration and collaboration with as many security solutions as possible in order to make the existing tools benefit from our network and expert system.

We’re looking forward to getting more enthusiastic requests to connect with CrowdSec!

You too can share your request and join the community:

Discord: https://discord.com/invite/crowdsec

Discourse: https://discourse.crowdsec.net/