diff --git a/crowdsec-docs/sidebarsUnversioned.ts b/crowdsec-docs/sidebarsUnversioned.ts index b032bb9f4..4c7906bdb 100644 --- a/crowdsec-docs/sidebarsUnversioned.ts +++ b/crowdsec-docs/sidebarsUnversioned.ts @@ -591,6 +591,11 @@ const sidebarsUnversionedConfig: SidebarConfig = { id: "troubleshooting/intro", label: "Introduction", }, + { + type: "doc", + id: "troubleshooting/usecases", + label: "Use Cases", + }, { type: "doc", id: "troubleshooting/security_engine", diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx new file mode 100644 index 000000000..cb8e25866 --- /dev/null +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -0,0 +1,256 @@ +--- +toc_max_heading_level: 2 +title: Use Cases and Quick Solutions +id: usecases +--- + +# Use Cases and Quick Solutions + +This page provides quick recommendations for common CrowdSec implementation scenarios. Each use case includes practical implementation paths with links to relevant documentation. + +:::tip +New to CrowdSec? Start with our [installation guide](/u/getting_started/installation/linux) and [health check guide](/u/getting_started/health_check). +::: + +## Block Known-Bad IPs at the Edge + +Pull up-to-date IP lists from CrowdSec **Blocklist as a Service** endpoints into your edge protection. + +**Is it for me?** + +Ideal if you want direct integration into your firewalls. +Good option if you are not using a Security Engine and want your CDN or WAF to benefit from CrowdSec's blocklists. + +**How it works:** +- Create a blocklist integration in your console account. +- Select blocklists you want to be served by this endpoints. +- Use the endpoint's URL and credentials to retrieve the merged and up-to-date list. + + +**References** +- [Blocklist integration Getting started guide](/u/integrations/intro) +- [Subscribing to blocklists](/u/console/blocklists/subscription/) +- [List of integrations format](/u/integrations/intro#current-integrations) +- 🏅 [API management & creating your own blocklists](/u/console/service_api/quickstart/blocklists) +- *Variation:* Integration into CDN/WAF via a **remediation component**: + - [Remediation Component BLaaS integration](/u/integrations/remediationcomponent) + - [AWF WAF remediation component](/u/bouncers/aws_waf) + - [Cloudflare Workers remediation component](/u/bouncers/cloudflare-workers) + - [Fastly remediation component](/u/bouncers/fastly) + +--- + +## Reduce Noise to save Resources address alert fatigue + +Eliminate automated noise from unwanted probes, spam and malicious traffic to reduce server load and log volumes by up to 80%. 
+ +**Is it for me?** + +Ideal if you're experiencing high server load from automated traffic or want to reduce infrastructure costs. +Good option if you need to optimize server performance and reduce log storage requirements. + +**How it works:** +- Use CrowdSec blocklists to preemptively block crowd validated noise. +- Go further by deploying CrowdSec Security Engine to detect malicious patterns in your traffic. +- Use an AppSec enabled Remediation Component to use CrowdSec WAF. +- Track quantified savings through metrics and performance monitoring. + +**References** +- [Blocklist Catalog doc](/u/console/blocklists/catalog) +- [Blocklist Catalog ↗️](https://app.crowdsec.net/blocklists/search) +- [Security Engine installation](/u/getting_started/intro) +- [CrowdSec WAF](/appsec/intro) +- [Remediation Metrics](/u/console/remediation_metrics) + +--- + +## Multi-Tenant Protection + +Apply different security policies per customer, application, tier, [...] retrieving contextualized IP Lists. + +**Is it for me?** + +Ideal if you're managing multiple customers, applications, or environments with different security requirements. +Good option if you need granular policy control and want to avoid cross-tenant security policy interference. + +**How it works:** +- Configure separate blocklist integrations for each context. +- Assign context-specific blocklist AND allowlists. +- Go further by creating custom lists based on detections made on your infrastructure. + +**References** +- [Blocklist integration Getting started guide](/u/integrations/intro) +- [Blocklist Catalog doc](/u/console/blocklists/catalog) +- [Blocklist Catalog ↗️](https://app.crowdsec.net/blocklists/search) +- [Custom blocklists from the decisions of your Security engine ↗️](https://github.com/crowdsecurity/custom-bouncer-to-blocklist) + +--- + +## Looking for complementary IOC streams + +Add qualified IOCs from CrowdSec's real-time IP reputation. 
+ +**Is it for me?** + +Ideal if you want to complement your IOC insights with exclusive CrowdSec IP reputation data. +Quickly choose among qualified malicious actors regrouped by industry, behaviors... + +**How it works:** +- Stream CrowdSec IP Lists into your security tools. +- Integrate directly in your security tools thanks to our integrations or easy to use CTI API. +- 🏅 Get custom IOC streams made for your needs. +- Next step: Enrich IPs via CrowdSec CTI API. + + +**References** +- [IP reputation lists / Blocklists Catalog doc ↗️](https://app.crowdsec.net/blocklists/search) +- [Retrieving merged lists via HTTPS endpoints](/u/integrations/intro) +- [Retrieving Blocklists via API](/u/console/service_api/quickstart/blocklists#download-blocklist-content) +- [MISP Feed from Security Engine's alerts](https://doc.crowdsec.net/u/bouncers/misp-feed-generator) +- [Upcoming CrowdSec MISP Feeds ↗️](https://roadmap.crowdsec.net/c/48-misp-feed) +- [Contact Us for custom requests ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription)) + +--- + +## Bot and Scraper Management + +Control aggressive crawlers and scraping tools while preserving legitimate user access using graduated response strategies. + +**Is it for me?** + +Ideal if you're dealing with aggressive bots or scrapers that impact your site performance. +Good option if you want to prevent illegitimate AI crawlers from visiting your site. + +**How it works:** +- Retrieve AI Crawlers and/or Botnets IPs from CrowdSec Blocklist integrations +- Block at the edge using your firewall or CDN. 
+ +**References** +- [⬆️ **Blocking at the edge section**](#blocking-at-the-edge) +- [Custom scenario creation](/docs/next/scenarios/create) +- [AI Crawlers Blocklist ↗️](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) +- [Currated Botnet Actors ↗️](https://app.crowdsec.net/blocklists/65a56c160469607d9badb813) +- [Public Internet Scanners ↗️](https://app.crowdsec.net/blocklists/65f972eb807e06de7a0e3e65) + +--- + +## Block Common web attacks fast + +Quickly protect web applications from the latest CVEs and generic vulnerability exploits using CrowdSec WAF. + +**Is it for me?** + +Ideal if you want a modern OpenSource WAF solution. +Benefit from CrowdSec's Virtual patching catalog while being able to use your existing ModSecurity rules as is. + +**How it works:** +- Deploy CrowdSec Security Engine with AppSec module on your reverse proxy or web server. +- Get CrowdSec Virtual patching collection. +- Easily scale and identify behaviors accross multiple servers over time. +- Go further by using your existing appsec rules. +- Even test CRS rules out of band on your production traffic to easily adapt them to you needs. + + +**References** +- [Security Engine installation](/u/getting_started/intro) +- [CrowdSec WAF presentation](/appsec/intro) +- [Virtual Patching collection ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching) +- [CrowdSec WAF article ↗️](https://www.crowdsec.net/blog/crowdsec-waf-the-collaborative-future-of-web-application-security) + +--- + +## Legacy Application Protection + +Add modern security controls to legacy applications that cannot be modified directly using transparent proxy protection. + +**Is it for me?** + +Ideal if you're running legacy applications that lack built-in security features. +Good option if you need immediate protection without the risk of modifying critical legacy code. + +**How it works:** +- Deploy CrowdSec WAF at the reverse proxy level in front of your legacy application. 
+- Configure virtual patching rules to block known exploits targeting your application stack. +- Additionally create custom AppSec rules adapted to your legacy application's specific patterns. +- Test protection rules out of band (simulation mode) before enabling blocking to ensure application functionality. + +**References** +- [⬆️ **Block Common web attacks fast**](#block-common-web-attacks-fast) +- [Block right before your app code with PHP prepend](/u/bouncers/php) +- [Add blocking capabilities in your php app](/u/bouncers/php-lib) + +--- + +## Custom Behavior Protection + +Create targeted protections for specific abuse patterns like **spam**, **credential stuffing**, or **scalping attacks**, [...] using custom detection rules or scenarios. + +**Is it for me?** + +Ideal if you're facing unique attack patterns not covered by standard security solutions. +Good option if you need highly specific protection tailored to your application's business logic and user patterns. + +**How it works:** +- Analyze your specific abuse patterns to understand attacker behavior. +- Create custom scenarios using CrowdSec's scenario framework for behavioral detection. +- Eventually develop AppSec rules for pattern-matching specific malicious requests. +- Test custom rules thoroughly using explain mode and simulation before production deployment. 
+ +**References** +- [⬆️ **Block Common web attacks fast**](#block-common-web-attacks-fast) +- [Custom scenario creation](/log_processor/scenarios/create) +- [Get help from the community ↗️](https://discord.gg/wGN7ShmEE8) +- [Example of custom detection: Impossible traveler ↗️](https://www.crowdsec.net/blog/detect-suspicious-ip-behavior-impossible-travel) +- [Success story: ScaleCommerce vs scalpers ↗️](https://www.crowdsec.net/blog/scalecommerce-plummets-ops-costs-and-skyrockets-efficiency) + +--- + +## Alert Enhancement and Triage + +Accelerate incident response with contextual threat intelligence and automated routing to reduce alert volume by up to 80%. + +**Is it for me?** + +Ideal if your SOC team is overwhelmed with security alerts and needs better context for prioritization. +Add exclusive context to your alerts and automate incident response with up to 30+ IP reputation enrichment dimensions. + +**How it works:** +- Consult CrowdSec CTI: per IP queries, advanced search on behavior, classifications or performed CVEs- Configure notification plugins to automatically enrich alerts with global threat intelligence context. +- Obtain your CTI API key from your CrowdSec Console account or a contact with CrowdSec team for higher quotas. +- Integrate it in your tools with out existing integrations or via simple calls to the API. +- 🏅 Advanced usages: API search, Offline replication, ... 
+ +**References** +- [Explore CrowdSec CTI within the console](/u/cti_api/getting_started) +- [Create a test API key](/u/cti_api/api_getting_started) +- [IP reputation enrichment glossary](/u/cti_api/taxonomy/cti_object) +- [Evaluate your IPs using our **IPDEX** tool](/u/cti_api/api_integration/integration_ipdex/) +- [Contact Us for 🏅 advanced usage ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription) + +--- + +## Threat Hunting and Intelligence + +Enable proactive threat hunting with access to global intelligence from 190+ countries, often 7-60 days ahead of other vendors. + +**Is it for me?** + +Ideal if you have a threat hunting team that needs fresh, contextual intelligence for proactive security investigations. +Good option if you want to correlate local events with global attack patterns and emerging threats. + +**How it works:** +- Explore our CTI and CVE explorer +- Leverage advanced search capabilities to identify relevant threats and vulnerabilities. +- Go further using our CTI API to integrate threat intelligence into your existing workflows. + +**References** +- [⬆️ CTI related refs from **Alert Enhancement and Triage**](#alert-enhancement-and-triage) +- [CVE explorer](/u/cti_api/cve_explorer/) +- [IPDEX presentation article ↗️](https://www.crowdsec.net/blog/introducing-crowdsec-ipdex) +- [Follow our weekly vuln report on LinkedIn ↗️](https://www.linkedin.com/company/crowdsec/posts/?feedView=all) + +--- + +## Useful Links +- [CrowdSec Public Roadmap ↗️](https://roadmap.crowdsec.net/tabs/3-planned) +- [CrowdSecurity GitHub Repositories ↗️](https://github.com/crowdsecurity/)
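Review bot: the back-link `[⬆️ **Blocking at the edge section**](#blocking-at-the-edge)` in the Bot and Scraper Management references will not resolve, because the target heading is `## Block Known-Bad IPs at the Edge`, which slugs to `#block-known-bad-ips-at-the-edge`; either rename the heading or fix the target (the other two back-links, `#block-common-web-attacks-fast` and `#alert-enhancement-and-triage`, do match their headings). Two further link problems in the new file: `[Contact Us for custom requests ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription))` carries a stray closing parenthesis, and "Custom scenario creation" points at `/docs/next/scenarios/create` in one section but `/log_processor/scenarios/create` in another, while the MISP feed link uses an absolute `https://doc.crowdsec.net/...` URL where every other internal link is relative; pick one path and one link style. In the Alert Enhancement and Triage "How it works" list, `- Consult CrowdSec CTI: per IP queries, advanced search on behavior, classifications or performed CVEs- Configure notification plugins ...` is two bullets run together and needs a line break before `- Configure`. Wording to fix before merge: the heading "Reduce Noise to save Resources address alert fatigue" is missing a conjunction (for example "Reduce Noise to Save Resources and Address Alert Fatigue"), "AWF WAF remediation component" should read "AWS WAF", "served by this endpoints" should be "this endpoint", "Currated Botnet Actors" should be "Curated", "accross multiple servers" should be "across", "adapt them to you needs" should be "your needs", and "with out existing integrations" should be "with our existing integrations". Finally, the quantified claims ("reduce ... log volumes by up to 80%", "reduce alert volume by up to 80%", "30+ IP reputation enrichment dimensions", "7-60 days ahead of other vendors") have no supporting link in the reference lists beneath them; add the source or soften the wording.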