| 1 | +--- |
| 2 | +toc_max_heading_level: 2 |
| 3 | +title: Use Cases and Quick Solutions |
| 4 | +id: usecases |
| 5 | +--- |
| 6 | + |
| 7 | +# Use Cases and Quick Solutions |
| 8 | + |
| 9 | +This page provides quick recommendations for common CrowdSec implementation scenarios. Each use case includes practical implementation paths with links to relevant documentation. |
| 10 | + |
| 11 | +:::tip |
| 12 | +New to CrowdSec? Start with our [installation guide](/u/getting_started/installation/linux) and [health check guide](/u/getting_started/health_check). |
| 13 | +::: |
| 14 | + |
| 15 | +## Block Known-Bad IPs at the Edge |
| 16 | + |
| 17 | +Pull up-to-date IP lists from CrowdSec **Blocklist as a Service** endpoints into your edge protection. |
| 18 | + |
| 19 | +**Is it for me?** |
| 20 | + |
| 21 | +Ideal if you want direct integration into your firewalls. |
| 22 | +Good option if you are not using a Security Engine and want your CDN or WAF to benefit from CrowdSec's blocklists. |
| 23 | + |
| 24 | +**How it works:** |
| 25 | +- Create a blocklist integration in your console account. |
| 26 | +- Select blocklists you want to be served by this endpoints. |
| 27 | +- Use the endpoint's URL and credentials to retrieve the merged and up-to-date list. |
| 28 | + |
| 29 | + |
| 30 | +**References** |
| 31 | +- [Blocklist integration Getting started guide](/u/integrations/intro) |
| 32 | +- [Subscribing to blocklists](/u/console/blocklists/subscription/) |
| 33 | +- [List of integrations format](/u/integrations/intro#current-integrations) |
| 34 | +- 🏅 [API management & creating your own blocklists](/u/console/service_api/quickstart/blocklists) |
| 35 | +- *Variation:* Integration into CDN/WAF via a **remediation component**: |
| 36 | + - [Remediation Component BLaaS integration](/u/integrations/remediationcomponent) |
| 37 | + - [AWF WAF remediation component](/u/bouncers/aws_waf) |
| 38 | + - [Cloudflare Workers remediation component](/u/bouncers/cloudflare-workers) |
| 39 | + - [Fastly remediation component](/u/bouncers/fastly) |
| 40 | + |
| 41 | +--- |
| 42 | + |
| 43 | +## Reduce Noise to save Resources address alert fatigue |
| 44 | + |
| 45 | +Eliminate automated noise from unwanted probes, spam and malicious traffic to reduce server load and log volumes by up to 80%. |
| 46 | + |
| 47 | +**Is it for me?** |
| 48 | + |
| 49 | +Ideal if you're experiencing high server load from automated traffic or want to reduce infrastructure costs. |
| 50 | +Good option if you need to optimize server performance and reduce log storage requirements. |
| 51 | + |
| 52 | +**How it works:** |
| 53 | +- Use CrowdSec blocklists to preemptively block crowd validated noise. |
| 54 | +- Go further by deploying CrowdSec Security Engine to detect malicious patterns in your traffic. |
| 55 | +- Use an AppSec enabled Remediation Component to use CrowdSec WAF. |
| 56 | +- Track quantified savings through metrics and performance monitoring. |
| 57 | + |
| 58 | +**References** |
| 59 | +- [Blocklist Catalog doc](/u/console/blocklists/catalog) |
| 60 | +- [Blocklist Catalog ↗️](https://app.crowdsec.net/blocklists/search) |
| 61 | +- [Security Engine installation](/u/getting_started/intro) |
| 62 | +- [CrowdSec WAF](/appsec/intro) |
| 63 | +- [Remediation Metrics](/u/console/remediation_metrics) |
| 64 | + |
| 65 | +--- |
| 66 | + |
| 67 | +## Multi-Tenant Protection |
| 68 | + |
| 69 | +Apply different security policies per customer, application, tier, [...] retrieving contextualized IP Lists. |
| 70 | + |
| 71 | +**Is it for me?** |
| 72 | + |
| 73 | +Ideal if you're managing multiple customers, applications, or environments with different security requirements. |
| 74 | +Good option if you need granular policy control and want to avoid cross-tenant security policy interference. |
| 75 | + |
| 76 | +**How it works:** |
| 77 | +- Configure separate blocklist integrations for each context. |
| 78 | +- Assign context-specific blocklist AND allowlists. |
| 79 | +- Go further by creating custom lists based on detections made on your infrastructure. |
| 80 | + |
| 81 | +**References** |
| 82 | +- [Blocklist integration Getting started guide](/u/integrations/intro) |
| 83 | +- [Blocklist Catalog doc](/u/console/blocklists/catalog) |
| 84 | +- [Blocklist Catalog ↗️](https://app.crowdsec.net/blocklists/search) |
| 85 | +- [Custom blocklists from the decisions of your Security engine ↗️](https://github.com/crowdsecurity/custom-bouncer-to-blocklist) |
| 86 | + |
| 87 | +--- |
| 88 | + |
| 89 | +## Looking for complementary IOC streams |
| 90 | + |
| 91 | +Add qualified IOCs from CrowdSec's real-time IP reputation. |
| 92 | + |
| 93 | +**Is it for me?** |
| 94 | + |
| 95 | +Ideal if you want to complement your IOC insights with exclusive CrowdSec IP reputation data. |
| 96 | +Quickly choose among qualified malicious actors regrouped by industry, behaviors... |
| 97 | + |
| 98 | +**How it works:** |
| 99 | +- Stream CrowdSec IP Lists into your security tools. |
| 100 | +- Integrate directly in your security tools thanks to our integrations or easy to use CTI API. |
| 101 | +- 🏅 Get custom IOC streams made for your needs. |
| 102 | +- Next step: Enrich IPs via CrowdSec CTI API. |
| 103 | + |
| 104 | + |
| 105 | +**References** |
| 106 | +- [IP reputation lists / Blocklists Catalog doc ↗️](https://app.crowdsec.net/blocklists/search) |
| 107 | +- [Retrieving merged lists via HTTPS endpoints](/u/integrations/intro) |
| 108 | +- [Retrieving Blocklists via API](/u/console/service_api/quickstart/blocklists#download-blocklist-content) |
| 109 | +- [MISP Feed from Security Engine's alerts](https://doc.crowdsec.net/u/bouncers/misp-feed-generator) |
| 110 | +- [Upcoming CrowdSec MISP Feeds ↗️](https://roadmap.crowdsec.net/c/48-misp-feed) |
| 111 | +- [Contact Us for custom requests ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription)) |
| 112 | + |
| 113 | +--- |
| 114 | + |
| 115 | +## Bot and Scraper Management |
| 116 | + |
| 117 | +Control aggressive crawlers and scraping tools while preserving legitimate user access using graduated response strategies. |
| 118 | + |
| 119 | +**Is it for me?** |
| 120 | + |
| 121 | +Ideal if you're dealing with aggressive bots or scrapers that impact your site performance. |
| 122 | +Good option if you want to prevent illegitimate AI crawlers from visiting your site. |
| 123 | + |
| 124 | +**How it works:** |
| 125 | +- Retrieve AI Crawlers and/or Botnets IPs from CrowdSec Blocklist integrations |
| 126 | +- Block at the edge using your firewall or CDN. |
| 127 | + |
| 128 | +**References** |
| 129 | +- [⬆️ **Blocking at the edge section**](#blocking-at-the-edge) |
| 130 | +- [Custom scenario creation](/docs/next/scenarios/create) |
| 131 | +- [AI Crawlers Blocklist ↗️](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) |
| 132 | +- [Currated Botnet Actors ↗️](https://app.crowdsec.net/blocklists/65a56c160469607d9badb813) |
| 133 | +- [Public Internet Scanners ↗️](https://app.crowdsec.net/blocklists/65f972eb807e06de7a0e3e65) |
| 134 | + |
| 135 | +--- |
| 136 | + |
| 137 | +## Block Common web attacks fast |
| 138 | + |
| 139 | +Quickly protect web applications from the latest CVEs and generic vulnerability exploits using CrowdSec WAF. |
| 140 | + |
| 141 | +**Is it for me?** |
| 142 | + |
| 143 | +Ideal if you want a modern OpenSource WAF solution. |
| 144 | +Benefit from CrowdSec's Virtual patching catalog while being able to use your existing ModSecurity rules as is. |
| 145 | + |
| 146 | +**How it works:** |
| 147 | +- Deploy CrowdSec Security Engine with AppSec module on your reverse proxy or web server. |
| 148 | +- Get CrowdSec Virtual patching collection. |
| 149 | +- Easily scale and identify behaviors accross multiple servers over time. |
| 150 | +- Go further by using your existing appsec rules. |
| 151 | +- Even test CRS rules out of band on your production traffic to easily adapt them to you needs. |
| 152 | + |
| 153 | + |
| 154 | +**References** |
| 155 | +- [Security Engine installation](/u/getting_started/intro) |
| 156 | +- [CrowdSec WAF presentation](/appsec/intro) |
| 157 | +- [Virtual Patching collection ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching) |
| 158 | +- [CrowdSec WAF article ↗️](https://www.crowdsec.net/blog/crowdsec-waf-the-collaborative-future-of-web-application-security) |
| 159 | + |
| 160 | +--- |
| 161 | + |
| 162 | +## Legacy Application Protection |
| 163 | + |
| 164 | +Add modern security controls to legacy applications that cannot be modified directly using transparent proxy protection. |
| 165 | + |
| 166 | +**Is it for me?** |
| 167 | + |
| 168 | +Ideal if you're running legacy applications that lack built-in security features. |
| 169 | +Good option if you need immediate protection without the risk of modifying critical legacy code. |
| 170 | + |
| 171 | +**How it works:** |
| 172 | +- Deploy CrowdSec WAF at the reverse proxy level in front of your legacy application. |
| 173 | +- Configure virtual patching rules to block known exploits targeting your application stack. |
| 174 | +- Additionally create custom AppSec rules adapted to your legacy application's specific patterns. |
| 175 | +- Test protection rules out of band (simulation mode) before enabling blocking to ensure application functionality. |
| 176 | + |
| 177 | +**References** |
| 178 | +- [⬆️ **Block Common web attacks fast**](#block-common-web-attacks-fast) |
| 179 | +- [Block right before your app code with PHP prepend](/u/bouncers/php) |
| 180 | +- [Add blocking capabilities in your php app](/u/bouncers/php-lib) |
| 181 | + |
| 182 | +--- |
| 183 | + |
| 184 | +## Custom Behavior Protection |
| 185 | + |
| 186 | +Create targeted protections for specific abuse patterns like **spam**, **credential stuffing**, or **scalping attacks**, [...] using custom detection rules or scenarios. |
| 187 | + |
| 188 | +**Is it for me?** |
| 189 | + |
| 190 | +Ideal if you're facing unique attack patterns not covered by standard security solutions. |
| 191 | +Good option if you need highly specific protection tailored to your application's business logic and user patterns. |
| 192 | + |
| 193 | +**How it works:** |
| 194 | +- Analyze your specific abuse patterns to understand attacker behavior. |
| 195 | +- Create custom scenarios using CrowdSec's scenario framework for behavioral detection. |
| 196 | +- Eventually develop AppSec rules for pattern-matching specific malicious requests. |
| 197 | +- Test custom rules thoroughly using explain mode and simulation before production deployment. |
| 198 | + |
| 199 | +**References** |
| 200 | +- [⬆️ **Block Common web attacks fast**](#block-common-web-attacks-fast) |
| 201 | +- [Custom scenario creation](/log_processor/scenarios/create) |
| 202 | +- [Get help from the community ↗️](https://discord.gg/wGN7ShmEE8) |
| 203 | +- [Example of custom detection: Impossible traveler ↗️](https://www.crowdsec.net/blog/detect-suspicious-ip-behavior-impossible-travel) |
| 204 | +- [Success story: ScaleCommerce vs scalpers ↗️](https://www.crowdsec.net/blog/scalecommerce-plummets-ops-costs-and-skyrockets-efficiency) |
| 205 | + |
| 206 | +--- |
| 207 | + |
| 208 | +## Alert Enhancement and Triage |
| 209 | + |
| 210 | +Accelerate incident response with contextual threat intelligence and automated routing to reduce alert volume by up to 80%. |
| 211 | + |
| 212 | +**Is it for me?** |
| 213 | + |
| 214 | +Ideal if your SOC team is overwhelmed with security alerts and needs better context for prioritization. |
| 215 | +Add exclusive context to your alerts and automate incident response with up to 30+ IP reputation enrichment dimensions. |
| 216 | + |
| 217 | +**How it works:** |
| 218 | +- Consult CrowdSec CTI: per IP queries, advanced search on behavior, classifications or performed CVEs- Configure notification plugins to automatically enrich alerts with global threat intelligence context. |
| 219 | +- Obtain your CTI API key from your CrowdSec Console account or a contact with CrowdSec team for higher quotas. |
| 220 | +- Integrate it in your tools with out existing integrations or via simple calls to the API. |
| 221 | +- 🏅 Advanced usages: API search, Offline replication, ... |
| 222 | + |
| 223 | +**References** |
| 224 | +- [Explore CrowdSec CTI within the console](/u/cti_api/getting_started) |
| 225 | +- [Create a test API key](/u/cti_api/api_getting_started) |
| 226 | +- [IP reputation enrichment glossary](/u/cti_api/taxonomy/cti_object) |
| 227 | +- [Evaluate your IPs using our **IPDEX** tool](/u/cti_api/api_integration/integration_ipdex/) |
| 228 | +- [Contact Us for 🏅 advanced usage ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription) |
| 229 | + |
| 230 | +--- |
| 231 | + |
| 232 | +## Threat Hunting and Intelligence |
| 233 | + |
| 234 | +Enable proactive threat hunting with access to global intelligence from 190+ countries, often 7-60 days ahead of other vendors. |
| 235 | + |
| 236 | +**Is it for me?** |
| 237 | + |
| 238 | +Ideal if you have a threat hunting team that needs fresh, contextual intelligence for proactive security investigations. |
| 239 | +Good option if you want to correlate local events with global attack patterns and emerging threats. |
| 240 | + |
| 241 | +**How it works:** |
| 242 | +- Explore our CTI and CVE explorer |
| 243 | +- Leverage advanced search capabilities to identify relevant threats and vulnerabilities. |
| 244 | +- Go further using our CTI API to integrate threat intelligence into your existing workflows. |
| 245 | + |
| 246 | +**References** |
| 247 | +- [⬆️ CTI related refs from **Alert Enhancement and Triage**](#alert-enhancement-and-triage) |
| 248 | +- [CVE explorer](/u/cti_api/cve_explorer/) |
| 249 | +- [IPDEX presentation article ↗️](https://www.crowdsec.net/blog/introducing-crowdsec-ipdex) |
| 250 | +- [Follow our weekly vuln report on LinkedIn ↗️](https://www.linkedin.com/company/crowdsec/posts/?feedView=all) |
| 251 | + |
| 252 | +--- |
| 253 | + |
| 254 | +## Useful Links |
| 255 | +- [CrowdSec Public Roadmap ↗️](https://roadmap.crowdsec.net/tabs/3-planned) |
| 256 | +- [CrowdSecurity GitHub Repositories ↗️](https://github.com/crowdsecurity/) |
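Review bot: the in-page anchor `[⬆️ **Blocking at the edge section**](#blocking-at-the-edge)` under Bot and Scraper Management points at a heading that does not exist on this page; the section is titled `## Block Known-Bad IPs at the Edge`, so the generated slug would be `#block-known-bad-ips-at-the-edge` (the other back-references, `#block-common-web-attacks-fast` and `#alert-enhancement-and-triage`, do match their headings). Under Alert Enhancement and Triage two bullets have run together on one line, `- Consult CrowdSec CTI: per IP queries, advanced search on behavior, classifications or performed CVEs- Configure notification plugins to automatically enrich alerts ...`, and need a line break before the second `- Configure`. The "Contact Us for custom requests" link under Looking for complementary IOC streams ends with a stray `)` that will render as literal text. The two `[...]` placeholders in the intro sentences of Multi-Tenant Protection and Custom Behavior Protection read as unfinished copy. The same scenario-creation doc is linked under two different paths (`/docs/next/scenarios/create` and `/log_processor/scenarios/create`), and `/appsec/intro` lacks the `/u/` prefix used by the other internal links, so it is worth confirming which of these resolve. Finally, typos to fix: `AWF WAF` (AWS WAF), `Currated`, `accross`, `to you needs`, `this endpoints`, `with out existing integrations` (with our), and the heading `Reduce Noise to save Resources address alert fatigue` is missing an "and".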