CrowdSec Cyber Threat Intelligence

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

CrowdSec Threat Intelligence is an open-source, collaborative security stack that enables you to analyze behaviors, respond to attacks, and share signals across the community. It provides information about IP addresses and helps you verify or identify potentially aggressive ones. You can use the CrowdSec Cyber Threat Intelligence (CrowdSec CTI) plugin with Microsoft Copilot for Security.

Set up the CrowdSec CTI plugin

The integration with Copilot for Security uses an API key. Depending on your account and your CrowdSec licensing, you might have a limit of up to 50 queries per day.

  1. Get your CrowdSec API key. If you don't have one yet, follow these steps:

    1. Go to the CrowdSec website and create your account.

    2. In your personal account settings, go to API Keys and select + New key.

    3. Next to your key, select the Copy icon.

  2. Sign in to Microsoft Copilot for Security.

  3. Access Manage Plugins by selecting the Plugin button from the prompt bar.

  4. Next to CrowdSec Threat Intelligence, select Set up.

  5. In the Value field, paste your API Key, and then select Save.

Use the CrowdSec CTI plugin

After the CrowdSec CTI plugin is configured, you can use it by taking one of the following steps:

  • Access the skill directly by typing LookupIpAddressSmokeDataset in the prompt bar; or
  • Prompt Copilot for Security to use the CrowdSec Threat Intelligence API on an IP address.

The following summarizes how this skill works.

Skill: LookupIpAddressSmokeDataset

Required input: IP address

What it does: Searches CrowdSec's dataset for an IP address to learn more about:

  • What it does, in terms of observed behaviors, targeted protocols, and exploited vulnerabilities.
  • Which categories it belongs to, such as proxy/VPN, CDN exit node, and Legit security scanner.
  • What it targets, in terms of countries or services.
  • Existing cross-references, such as lists.
  • How virulent it is.
  • How long it's been reported by users.
  • The confidence level of the information.
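
Because the daily query allowance can be as low as 50 and the skill takes one IP address as input, it helps to filter a list of addresses before spending lookups on them. The following Python sketch is an added example, not part of the plugin or of CrowdSec's tooling; the function name plan_lookups and the sample addresses are constructed for illustration, and the code makes no API calls.

```python
import ipaddress

DAILY_QUERY_LIMIT = 50  # upper bound stated on this page; your licensing may differ


def plan_lookups(candidates, already_used=0, limit=DAILY_QUERY_LIMIT):
    """Return (to_query, skipped) for a list of raw IP strings.

    to_query: unique, publicly routable addresses in first-seen order,
              truncated to the remaining daily budget.
    skipped:  (value, reason) pairs explaining every address that was dropped.
    """
    remaining = max(limit - already_used, 0)
    seen = set()
    to_query, skipped = [], []
    for raw in candidates:
        value = raw.strip()
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            skipped.append((value, "not an IP address"))
            continue
        # Private, loopback, link-local and reserved ranges are not worth
        # a lookup against a dataset of internet-facing activity.
        if not ip.is_global:
            skipped.append((value, "not publicly routable"))
            continue
        key = str(ip)  # normalised form, so equivalent spellings count once
        if key in seen:
            skipped.append((value, "duplicate"))
            continue
        seen.add(key)
        if len(to_query) >= remaining:
            skipped.append((value, "over daily budget"))
            continue
        to_query.append(key)
    return to_query, skipped


if __name__ == "__main__":
    # Constructed sample: addresses pulled from a hypothetical alert.
    sample = ["8.8.8.8", "10.0.0.5", "8.8.8.8 ", "not-an-ip", "1.1.1.1", "9.9.9.9"]
    queue, dropped = plan_lookups(sample, already_used=48)
    for address in queue:
        print("look up:", address)
    for value, reason in dropped:
        print("skipped:", value, "-", reason)
```

Each address in the returned queue can then be passed to LookupIpAddressSmokeDataset, one prompt per address.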

Troubleshoot the CTI plugin

Errors occur

If you encounter errors, such as "Couldn't complete your request" or "An unknown error occurred", make sure the plugin is turned on. If the issue persists, sign out of Copilot for Security, and then sign back in.

Prompts aren't invoking the correct skills

If prompts aren't invoking the correct skills, or prompts are invoking some other skill set, you might have custom plugins or other plugins with functionality similar to the skill set you want to use. To prioritize and target CrowdSec, try disabling other custom plugins. Alternatively, use the product name CrowdSec in your prompts, or type the name of a specific skill, such as LookupIpAddressSmokeDataset.

See also

Other plugins for Microsoft Copilot for Security

Manage plugins in Microsoft Copilot for Security