Skip to content

Add overview description for CTI classification table - v2 #770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Apr 23, 2025
Merged

Add overview description for CTI classification table - v2 #770

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
eb92cc3
Add overview description for CTI classification table
mazzma12 Apr 22, 2025
0b14d29
Formatting
mazzma12 Apr 22, 2025
32cb8b4
fixup
mazzma12 Apr 22, 2025
a92c65b
simply the table
mazzma12 Apr 22, 2025
a54a604
fixup! simply the table
mazzma12 Apr 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,19 @@ export const exclude = ["scanner:"]

<GithubIconRender url={classificationsURL}></GithubIconRender>

This classification page provides a taxonomy of IP addresses that exhibit potentially suspicious behaviors. These classifications are designed to help you identify and respond to various threat actors and malicious activities.
Classification of Threat Intelligence follows the format `*category:name*`, where category is a broad type of classification encapsulating different elements.
A summary of the main classification category is provided below, and you can use the search bar in the table to filter the classification you are looking for.

## Summary

* `hosts_malware:*`: IP identified as hosting live payloads associated with known malware families.
* `botnet:*`: IP associated with known botnets, based on the exploited CVE(s) and the payload they spread (e.g. Mirai).
* `profile:*`: Describe the services publicly exposed by the machine (e.g. `profile:insecure_services`).
* `ai-crawler:*`: AI company using to index the data used to train Large Language Models. Such companies (OpenAPI, ByteDance, Anthropic ... ) are heavy consumers of the internet bandwidth and result in a large amount of traffic. They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0).
* `ai-search:*`: AI search engine that is used by users to search the internet. They are coming from an AI agent, and are not used directly to train the AI models compared to the AI crawlers category. But the results is the same in terms of traffic load, as they can be part of an automation workflow. IPs can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0).
* `device:*`: The IP is associated with a device having known security weaknesses.
* `proxy:*`: Hosts identified as proxies based on the services they expose and/or their behaviour. IPs be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be).
* `group:*`: Cohort of machines seen attacking in a coordinated fashion. IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time (experimental feature).

<TableRender
columns={columns}
Expand Down