Simplify Threat Detection with Alert Context
Understanding the triggers behind a security alert is crucial for smooth security operations and simplifying threat detection.
This is the main motivation behind CrowdSec’s new feature Alert Context.
Only seeing a limited amount of information (source of the threat, attack scenario, and timestamp) is often not enough for teams to properly decipher their security alerts. That is why we decided to introduce a new feature for the CrowdSec Console: Alert Context.
Often, a single CrowdSec Security Engine will be used to protect a wide perimeter, and getting more precise information about what specifically is under attack and via what vector is a crucial part of threat analysis and automation.
- A very basic usage is identifying which log file(s) were involved in detecting the threat.
- When hosting multiple sites, knowing which Fully Qualified Domain Name (FQDN) and path the attack targets can reveal that you have a vulnerable URL.
- You can identify more serious threats among the noise, namely which users are being targeted by brute force attempts (generic admin names or potentially compromised accounts).
- Watch sensitive resources under attack by adding the http_path to the context.
In this article, I’ll show you how to set up the Alert Context feature and how to visualize the context for your alerts.
Add context to your alerts
The context of an alert can be extracted from any metadata that was locally parsed to identify malicious activity and trigger an alert via your installed scenarios.
You can refer to our documentation to learn more about contextualizing alerts.
This feature is available since version 1.5 of our Security Engine.
You can check your version using the command sudo cscli version.
The context available to you depends on the parsers that came along with the collections or scenarios you installed. To know what context is available to you, use the command sudo cscli lapi context detect --all and you’ll get the list of metadata values each available parser can expose, looking something similar to this:
Setting up the context map for your alerts
To add context to your alerts, use the sudo cscli lapi context add command like so:
Alerts raised after the addition of context will contain the value of that metadata, provided it was populated by the parsing workflow leading to the alert; a key no parser populated simply does not appear in the context.
Here is a list of contexts commonly added for http and ssh parsers:
Visualize alert context
As always, you can use our cscli tool to view alert context, as well as display it in the Console, giving you more control over your visualization.
Get the context of an alert via command line
Visualize the context of alerts using the following command:
sudo cscli alerts inspect <alertId>
Notice here the multiple targeted users for this brute force attempt: they look pretty generic, typical of random bot attacks. If one of them looked like a legitimate user, or worse, was an actual user on this server, we could identify this threat as targeted and should investigate the potentially compromised identity or credentials of that user.
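To make the behaviour above concrete, here is an added example (not CrowdSec's own code) that models how context is derived from the parsed events behind an alert, then applies the Console-style key / key+value filter and the "is a real account being targeted?" triage just described. The context.yaml layout (context key mapped to evt.Meta.* / evt.Parsed.* expressions) and the JSON-encoded-list form of alert.meta[].value follow the Security Engine's documented behaviour but are assumptions here; the events, alerts and local user list are constructed for the example.

```python
"""Added example, not CrowdSec's own code: a minimal model of how alert context is
derived from parsed events, plus the key / key+value filter and the "is a real user
being targeted?" triage described in this article. The context.yaml layout (key ->
evt.Meta.* / evt.Parsed.* expressions) and the JSON-encoded-list form of
alert.meta[].value follow the engine's documented behaviour but are assumptions
here; every event, alert and user list below is constructed for the example."""
import json
from typing import Dict, List, Optional

# Assumed shape of what `cscli lapi context add` writes to context.yaml:
# context key -> expressions evaluated against every event behind the alert.
CONTEXT_MAP: Dict[str, List[str]] = {
    "target_user": ["evt.Meta.target_user", "evt.Parsed.target_user"],
    "http_path": ["evt.Meta.http_path"],
}


def resolve(event: dict, expr: str) -> Optional[str]:
    """Look up an evt.Meta.<field> / evt.Parsed.<field> expression in one event.
    The engine evaluates a full expression language; this model accepts plain
    field lookups only and rejects anything else, so a typo fails at load time."""
    parts = expr.split(".")
    if len(parts) != 3 or parts[0] != "evt" or parts[1] not in ("Meta", "Parsed"):
        raise ValueError(f"unsupported context expression: {expr}")
    value = event.get(parts[1], {}).get(parts[2])
    return None if value in (None, "") else str(value)


def event_to_context(events: List[dict], context_map: Dict[str, List[str]]) -> List[dict]:
    """Build the alert's context meta items from all events that triggered it.
    A brute-force alert aggregates many attempts, so each key collects the
    distinct non-empty values across events (first-seen order). Keys no event
    populated are absent: context only reflects metadata the parsers produced."""
    collected: Dict[str, List[str]] = {}
    for event in events:
        for key, exprs in context_map.items():
            for expr in exprs:
                value = resolve(event, expr)
                if value is not None and value not in collected.setdefault(key, []):
                    collected[key].append(value)
    return [{"key": k, "value": json.dumps(v)} for k, v in collected.items()]


def build_alert(scenario: str, source_ip: str, events: List[dict]) -> dict:
    """Constructed stand-in for one alert from `cscli alerts list -o json`."""
    return {"scenario": scenario, "source": {"ip": source_ip},
            "meta": event_to_context(events, CONTEXT_MAP)}


def alert_context(alert: dict) -> Dict[str, List[str]]:
    """Decode an alert's context meta back into key -> list of values; meta that is
    not a JSON list is wrapped in a one-element list so every key reads the same."""
    context: Dict[str, List[str]] = {}
    for item in alert.get("meta", []):
        try:
            decoded = json.loads(item["value"])
        except (TypeError, ValueError):
            decoded = item["value"]
        context[item["key"]] = decoded if isinstance(decoded, list) else [str(decoded)]
    return context


def filter_alerts(alerts: List[dict], key: str, value: Optional[str] = None) -> List[dict]:
    """Mirror the Console's context filter: by key, or by key and exact value."""
    return [a for a in alerts
            if key in alert_context(a) and (value is None or value in alert_context(a)[key])]


def targeted_local_users(alert: dict, local_users: List[str]) -> List[str]:
    """Triage from the article: which attempted usernames exist on this host?
    Empty means generic bot spraying; any hit means a targeted attack and that
    account's credentials need review."""
    return sorted(set(alert_context(alert).get("target_user", [])) & set(local_users))


# Constructed parsed events in the shape the ssh and nginx parsers leave behind:
# sshd failures spraying generic names plus one real account, and HTTP probes.
SSH_EVENTS = [{"Meta": {"log_type": "ssh_failed-auth", "source_ip": "203.0.113.7",
                        "target_user": user}, "Parsed": {}}
              for user in ("admin", "test", "ubuntu", "admin", "deploy")]
HTTP_EVENTS = [{"Meta": {"log_type": "http_access-log", "source_ip": "198.51.100.9",
                         "http_path": path}, "Parsed": {}}
               for path in ("/wp-login.php", "/.env", "/wp-login.php")]
LOCAL_USERS = ["root", "alice", "deploy"]  # constructed; e.g. from /etc/passwd

if __name__ == "__main__":
    alerts = [build_alert("crowdsecurity/ssh-bf", "203.0.113.7", SSH_EVENTS),
              build_alert("crowdsecurity/http-probing", "198.51.100.9", HTTP_EVENTS)]
    for alert in filter_alerts(alerts, "target_user"):
        print(alert["scenario"], alert_context(alert)["target_user"],
              "local accounts hit:", targeted_local_users(alert, LOCAL_USERS))
    print(len(filter_alerts(alerts, "http_path", "/wp-login.php")), "alert(s) hit /wp-login.php")
```

Two details carry over to real alerts: the ssh alert ends up with no http_path key at all, because no sshd event populates it, and the brute force attempt that tries a username which exists locally ("deploy" here) is the one that turns generic noise into a targeted incident worth investigating.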
Get better insights via the console
In order to send context to the Console you’ll need to enable this communication and reload the Security Engine using the following commands:
sudo cscli console enable context and then sudo systemctl reload crowdsec.
From that point on, new alerts reaching the Console will be enriched with the context.
After displaying the context column in your Alert View, this is what you should expect to see for those alerts:
In addition to all previously existing filters, you can filter your alerts using the key or key+value options of the context in order to better investigate malicious activity.
We have developed this feature in response to valuable user feedback and detailed exchanges about their specific use cases. Your insights are essential for us to continue evolving, so please don't hesitate to reach out through the feedback options in the console or message us on our community platforms on Discord and Discourse.