CrowdSec Cyber Threat Intelligence

CrowdSec Threat Intelligence is an open-source, collaborative security stack that enables you to analyze behaviors, respond to attacks, and share signals across the community. CrowdSec Threat Intelligence provides information about IP addresses and verification or identification of potentially aggressive IP addresses. You can use the CrowdSec Cyber Threat Intelligence (CrowdSec CTI) plugin with Microsoft Security Copilot.

This plugin allows users to enhance their IP investigations with threat intelligence sourced from CrowdSec and get insights such as:

  • Curated IP and IP range reputations
  • Background noise level assessment
  • Detailed records of malicious behaviors
  • MITRE techniques associated with the IP
  • Countries targeted by the attacker
  • Classification of the attacker
  • Historical activity and aggressiveness metrics (covering the past 24h, 7 days, 30 days, and overall)

Note

This article contains information about third-party plugins. This is provided to help complete integration scenarios. However, Microsoft does not provide troubleshooting support for third-party plugins. Contact the third-party vendor for support.

Know before you begin

Integration with Security Copilot works with an API key. You'll need to take the following steps before using the plugin.

Note

Depending on your CrowdSec license, your account might be limited to 50 queries per day.

  1. Get your CrowdSec API key. If you don't have one yet, follow these steps:

    1. Go to the CrowdSec website and create your free account.

    2. In your personal account settings, go to API Keys and select + New key. Step-by-step instructions are at https://doc.crowdsec.net/u/cti_api/integration_securitycopilot/

  2. Sign in to Microsoft Security Copilot.

  3. Access Manage Plugins by selecting the Plugin button from the prompt bar.

  4. Next to CrowdSec Threat Intelligence, select Set up.

  5. In the Value field, paste your API Key, and then select Save.

Sample CrowdSec CTI prompts

After the CrowdSec CTI plugin is configured, you can use it in either of the following ways:

  • Access the capability directly by typing LookupIpAddressSmokeDataset in the prompt bar; or
  • Prompt Security Copilot to use the CrowdSec Threat Intelligence API on an IP address

The following summarizes how this capability works.

Capability: LookupIpAddressSmokeDataset

What it does: Searches CrowdSec's dataset for an IP address to learn more about:

  • What it does, in terms of observed behaviors, targeted protocols, and exploited vulnerabilities.
  • Which categories it belongs to, such as proxy/VPN, CDN exit node, and legitimate security scanner.
  • What it targets, in terms of countries or services.
  • Existing cross-references, such as lists.
  • How virulent it is.
  • For how long it has been reported by users.
  • The confidence level of the information.

Required input: IP address

Example prompts:

  • What can CrowdSec tell me about this IP: [IP]
  • According to CrowdSec, what are the top targeted countries by this IP: [IP]
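The insights listed above (reputation, background noise, behaviors, MITRE techniques, targeted countries, classification, history and per-window aggressiveness) are what the LookupIpAddressSmokeDataset capability returns to Copilot. The following added example, which is not part of this article or of CrowdSec's own code, shows what an analyst does with that record outside Copilot: it reduces a CTI "smoke" record to those fields and applies a simple triage rule. The endpoint, the x-api-key header, the field names and the two sample records are assumptions modelled on the CrowdSec CTI API documentation (https://doc.crowdsec.net/u/cti_api/), since the article shows neither the raw response nor the endpoint; the sample records use RFC 5737 documentation addresses and are constructed, not real CTI data.

```python
"""Summarize a CrowdSec CTI 'smoke' record and apply a triage heuristic.

ASSUMPTION: endpoint, header and field names follow the CrowdSec CTI API
docs (https://doc.crowdsec.net/u/cti_api/); they are not stated on the page.
"""
import json
import urllib.request

# ASSUMPTION (CrowdSec CTI docs): smoke endpoint, authenticated with x-api-key.
CTI_SMOKE_URL = "https://cti.api.crowdsec.net/v2/smoke/{ip}"
# Score windows the plugin page lists: 24h, 7 days, 30 days, overall.
SCORE_WINDOWS = ("last_day", "last_week", "last_month", "overall")


def _score(aggressiveness):
    """Constructed score sub-record; real records carry more sub-scores."""
    return {"aggressiveness": aggressiveness, "threat": aggressiveness,
            "trust": 3, "anomaly": 0, "total": aggressiveness}


# Constructed sample records (RFC 5737 documentation IPs); not real CTI data.
BRUTEFORCER = {
    "ip": "192.0.2.10", "reputation": "malicious", "ip_range": "192.0.2.0/24",
    "ip_range_score": 3, "as_name": "EXAMPLE-AS", "as_num": 64496,
    "background_noise_score": 4,
    "behaviors": [{"name": "ssh:bruteforce", "label": "SSH Bruteforce"},
                  {"name": "http:exploit", "label": "HTTP Exploit"}],
    "mitre_techniques": [{"name": "T1110", "label": "Brute Force"},
                         {"name": "T1190", "label": "Exploit Public-Facing Application"}],
    "target_countries": {"US": 40, "DE": 25, "FR": 10, "JP": 5},
    "classifications": {"false_positives": [],
                        "classifications": [{"name": "community-blocklist",
                                             "label": "CrowdSec Community Blocklist"}]},
    "history": {"first_seen": "2024-01-03T10:00:00+00:00",
                "last_seen": "2024-01-20T08:00:00+00:00", "full_age": 18, "days_age": 17},
    "scores": {"last_day": _score(2), "last_week": _score(3),
               "last_month": _score(4), "overall": _score(4)},
}
NOISY_SCANNER = {
    "ip": "198.51.100.7", "reputation": "suspicious", "ip_range": "198.51.100.0/24",
    "ip_range_score": 1, "as_name": "EXAMPLE-AS-2", "as_num": 64497,
    "background_noise_score": 9,
    "behaviors": [{"name": "http:scan", "label": "HTTP Scan"}],
    "mitre_techniques": [{"name": "T1595", "label": "Active Scanning"}],
    "target_countries": {"US": 60, "JP": 20},
    "classifications": {"false_positives": [], "classifications": []},
    "history": {"first_seen": "2023-11-01T00:00:00+00:00",
                "last_seen": "2024-01-21T00:00:00+00:00", "full_age": 82, "days_age": 60},
    "scores": {"last_day": _score(1), "last_week": _score(1),
               "last_month": _score(1), "overall": _score(1)},
}


def fetch_smoke_record(ip, api_key, timeout=10):
    """Live lookup of one IP with a CrowdSec API key (counts against the daily quota)."""
    req = urllib.request.Request(CTI_SMOKE_URL.format(ip=ip),
                                 headers={"x-api-key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(record):
    """Reduce a smoke record to the fields an analyst reads first."""
    scores = record.get("scores", {})
    history = record.get("history", {})
    targets = record.get("target_countries", {})
    cls = record.get("classifications", {})
    return {
        "ip": record["ip"],
        "reputation": record.get("reputation", "unknown"),
        "ip_range": record.get("ip_range"),
        "ip_range_score": record.get("ip_range_score"),
        "background_noise": record.get("background_noise_score", 0),
        "behaviors": [b["label"] for b in record.get("behaviors", [])],
        "mitre_techniques": [t["name"] for t in record.get("mitre_techniques", [])],
        # Countries ordered by their share of this IP's reports; top three kept.
        "top_targets": sorted(targets, key=targets.get, reverse=True)[:3],
        "classifications": [c["name"] for c in cls.get("classifications", [])],
        "false_positives": [f["name"] for f in cls.get("false_positives", [])],
        "first_seen": history.get("first_seen"),
        "days_reported": history.get("days_age"),
        # Aggressiveness (0-5) per window.
        "aggressiveness": {w: scores.get(w, {}).get("aggressiveness", 0) for w in SCORE_WINDOWS},
    }


def triage_verdict(summary):
    """Our heuristic, not CrowdSec's: how much analyst attention an IP deserves."""
    if summary["false_positives"]:
        return "deprioritize: known false positive"
    if summary["reputation"] == "malicious" or summary["aggressiveness"]["overall"] >= 3:
        return "investigate"
    if summary["background_noise"] >= 7:  # mass scanner hitting everyone, not just you
        return "low priority: background noise"
    return "no strong signal"


if __name__ == "__main__":
    for rec in (BRUTEFORCER, NOISY_SCANNER):
        s = summarize(rec)
        print(json.dumps(s, indent=2), "->", triage_verdict(s))
```

The triage rule deliberately separates a high background-noise score from a malicious reputation: an IP that scans the whole Internet produces alerts everywhere, so on its own it is a weak signal for an incident, whereas a blocklisted IP with rising 7-day and 30-day aggressiveness is the one worth an analyst's time. Calling `fetch_smoke_record` with a real key consumes one of the daily queries mentioned earlier, so cache results when triaging many alerts.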

Troubleshoot the CTI plugin

Errors occur

If you encounter errors such as "Couldn't complete your request" or "An unknown error occurred", make sure the plugin is turned on. If the issue persists, sign out of Security Copilot, and then sign back in.

Prompts aren't invoking the correct capabilities

If prompts aren't invoking the correct capabilities, or are invoking some other capability set, you might have custom plugins or other plugins with functionality similar to the capability set you want to use. You can either use the product name CrowdSec in your prompts, or type the name of a specific capability, such as LookupIpAddressSmokeDataset, instead.

Provide feedback

To provide feedback, contact CrowdSec through Discourse or using the support or feedback action directly in your CrowdSec Console.

See also

Non-Microsoft plugins for Microsoft Security Copilot

Manage plugins in Microsoft Security Copilot