crowdsecurity
diff --git a/‎biome.json‎
Lines changed: 4 additions & 1 deletion b/‎biome.json‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎crowdsec-docs/docs/expr/other_helpers.md‎
Lines changed: 66 additions & 0 deletions b/‎crowdsec-docs/docs/expr/other_helpers.md‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎crowdsec-docs/docs/log_processor/scenarios/deploy.md‎
Lines changed: 34 additions & 0 deletions b/‎crowdsec-docs/docs/log_processor/scenarios/deploy.md‎
Lines changed: 34 additions & 0 deletions
@@ -1,6 +1,6 @@
 {
 	"root": true,
-	"$schema": "https://biomejs.dev/schemas/2.2.0/schema.json",
+	"$schema": "https://biomejs.dev/schemas/2.3.2/schema.json",
 	"vcs": { "enabled": false, "clientKind": "git", "useIgnoreFile": false },
 	"files": {
 		"ignoreUnknown": false,
@@ -57,6 +57,9 @@
 	},
 	"html": { "formatter": { "selfCloseVoidElements": "always" } },
 	"css": {
+		"parser": {
+			"tailwindDirectives": true
+		},
 		"formatter": {
 			"enabled": true,
 			"indentStyle": "tab",
 
@@ -20,6 +20,72 @@ ParseUnix("notatimestamp") -> ""
 ```
 Parses unix timestamp string and returns RFC3339 formatted time
 
+### `AverageInterval(timestamps []time.Time) time.Duration`
+
+Calculates the average interval (time duration) between consecutive timestamps in a slice.
+
+**Use case:** Detecting consistent timing patterns over time, such as slow brute-force attacks or rate anomalies.
+
+**Example:**
+
+```yaml
+type: conditional
+name: me/slow-http
+debug: true
+description: "Detect slow HTTP requests returning 404"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Parsed.static_ressource == 'false' && evt.Parsed.verb in ['GET', 'HEAD']"
+groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
+capacity: -1
+condition: |
+    len(queue.Queue) >= 3 &&
+    AverageInterval(map(queue.Queue[-3:], { #.Time })) > duration("5m") &&
+    all(queue.Queue, #.Meta.http_status == '404')
+leakspeed: 1h
+labels:
+  remediation: true
+```
+
+In this example, we check if the queue has at least 3 items, compute the average interval between the last 3 requests, and trigger if the average time between requests exceeds 5 minutes and all responses are 404s (indicating a slow scan).
+
+**Notes:**
+- Timestamps are automatically sorted internally for correctness
+- Requires at least two timestamps
+- Useful for detecting consistent behavior patterns over time
+
+### `MedianInterval(timestamps []time.Time) time.Duration`
+
+Calculates the median interval (time duration) between consecutive timestamps in a slice.
+
+**Use case:** Detecting typical timing patterns when intervals vary widely. The median is more robust against outliers than the average, making it ideal for identifying timing anomalies in irregular patterns.
+
+**Example:**
+
+```yaml
+type: conditional
+name: me/slow-http-median
+debug: true
+description: "Detect slow HTTP requests returning 404"
+filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Parsed.static_ressource == 'false' && evt.Parsed.verb in ['GET', 'HEAD']"
+groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
+capacity: -1
+condition: |
+    len(queue.Queue) >= 5 &&
+    MedianInterval(map(queue.Queue[-5:], { #.Time })) > duration("10m") &&
+    all(queue.Queue, #.Meta.http_status == '404')
+leakspeed: 1h
+labels:
+  remediation: true
+```
+
+In this example, we check if there are at least 5 events in the queue, calculate the median interval between the last 5 requests, and trigger if the median interval exceeds 10 minutes and all responses are 404s.
+
+**Notes:**
+- Timestamps are automatically sorted internally for correctness
+- Handles both even and odd numbers of intervals correctly
+- Requires at least two timestamps
+- More robust against outliers compared to `AverageInterval`
+- Useful for capturing typical timing patterns in skewed data
+
 ## Stash Helpers
 
 ### `GetFromStash(cache string, key string)`
 
@@ -0,0 +1,34 @@
+---
+id: deploy
+title: Deploy
+sidebar_position: 4
+---
+
+:::warning
+
+This documentation mostly focus on installation of custom scenarios. Scenarios from the hub should be installed as a part of the collection, by using `cscli collections install <collection-name>`. Installing scenarios directly with `cscli scenario install <scenario-name>` might lead to unexpected results because of missing dependencies (ie. parsers, enrichers, post-overflows etc.)
+
+:::
+
+
+## Deployment
+
+### Installation
+
+To deploy a scenario, simply copy it to `/etc/crowdsec/scenarios/`.
+
+### Verification
+
+Use `cscli scenarios list` to view all your installed scenarios:
+
+- `Name` presents the `name` field of the yaml file.
+- `Version` represents the version of the scenario according to the hub. Versions increment on upstream changes.
+- `Local path` represents the local path to the scenario file.
+- `📦 Status` indicates the state:
+
+| Status | Description |
+|--------|-------------|
+| `✔️  enabled` | Scenario is from the hub and up-to-date |
+| `🏠  enabled,local` | This is a custom scenario |
+| `⚠️  enabled,tainted` | This is an upstream scenario that has been modified |
+