From 974addd05c42ab5bd76a22b561c911f3e5188ed6 Mon Sep 17 00:00:00 2001 From: jdv Date: Tue, 12 Aug 2025 16:06:41 +0200 Subject: [PATCH 01/12] usecase page WIP --- .../unversioned/troubleshooting/usecases.mdx | 226 ++++++++++++++++++ 1 file changed, 226 insertions(+) create mode 100644 crowdsec-docs/unversioned/troubleshooting/usecases.mdx diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx new file mode 100644 index 000000000..b52fdcb8d --- /dev/null +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -0,0 +1,226 @@ +--- +title: Use Cases and Quick Solutions +id: usecases +--- + +# Use Cases and Quick Solutions + +This page provides quick recommendations for common CrowdSec implementation scenarios. Each use case includes practical implementation paths with links to relevant documentation. + +:::tip +New to CrowdSec? Start with our [installation guide](/u/getting_started/installation/linux) and [health check guide](/u/getting_started/health_check). +::: + +import FormattedTabs from '@site/src/components/formatted-tabs'; + +## Block Known-Bad IPs at the Edge + +**What this solves:** Stop commodity scanners, botnets and repeat offenders at the network edge before they reach your services. + +### Firewall Integration + +* **Appliance Integration** + * [OPNsense plugin setup](/docs/next/getting_started/install_crowdsec_opnsense) + * [FreeBSD/pfSense installation](/docs/next/getting_started/install_crowdsec_freebsd) + * [Managing bouncers with cscli](/docs/next/cscli/cscli_bouncers) + +* **OS Firewall Integration** + * Configure your system firewall to consume CrowdSec decisions + * Use blocklist integrations for automated IP blocking + +### Reverse Proxy/WAF Integration + +* **NGINX Reverse Proxy** + * [WAF reverse proxy setup guide](/u/user_guides/waf_rp_howto) + * [AppSec configuration](/docs/next/appsec/configuration) + * [NGINX bouncer documentation](/u/bouncers/nginx) + +* **CDN/WAF Integration** + * Configure your CDN or WAF to consume CrowdSec blocklists + * Use bouncer components for real-time blocking + +### Security Engine Integration + +* **Blocklist Subscriptions** + * [Monitor with cscli metrics](/docs/next/cscli/cscli_metrics) + * [Manage decisions](/docs/next/cscli/cscli_decisions_list) + * [Dashboard setup](/docs/next/cscli/cscli_dashboard) + * Evaluate blocklist impact before full deployment + +--- + +## Reduce Resource Consumption + +**What this solves:** Eliminate automated noise, 404 probes, and malicious traffic to reduce server load and log 
volumes. + +### Implementation Options + +* Use any of the edge blocking methods described above +* [Enable monitoring dashboards](/docs/next/cscli/cscli_dashboard) to measure impact +* Track metrics with [cscli metrics](/docs/next/cscli/cscli_metrics) to quantify resource savings + +--- + +## Multi-Tenant Protection + +**What this solves:** Apply different security policies per customer, application, or environment without policy conflicts. + +### Implementation Approaches + +* **Custom Lists per Tenant** + * [Configure centralized allowlists](/docs/next/local_api/centralized_allowlists) + * [Filter decisions by origin or scenario](/docs/next/cscli/cscli_decisions_delete) + * Use separate integration URLs for different tenant policies + +* **Environment Isolation** + * [Manage contexts with cscli](/docs/next/cscli/cscli_contexts) + * [Configure collections per environment](/docs/next/cscli/cscli_collections) + * Separate AppSec rule sets by tenant requirements + +--- + +## SIEM/SOAR Integration + +**What this solves:** Enrich existing security tools with CrowdSec's threat intelligence and IOC streams. + +### IOC Management + +* **Import Custom IOCs** + * [Import decisions from CSV/JSON](/docs/next/cscli/cscli_decisions_import) + * Support for ban, captcha, and throttle actions + * Tag with custom origins for tracking + +* **Alert Enrichment** + * [Use CTI helpers in notification templates](/docs/next/notification_plugins/template_helpers) + * Automatically enrich alerts with threat intelligence + * [Configure notification plugins](/docs/next/notification_plugins/intro) + +* **MISP Integration** (Coming Soon) + * Bidirectional IOC exchange with MISP platforms + * Automated threat intelligence sharing + +--- + +## Web Application Protection + +**What this solves:** Quickly protect applications from OWASP Top-10 attacks and vulnerability probing. 
+ +### AppSec Deployment + +* **Reverse Proxy WAF** + * [Complete WAF setup guide](/u/user_guides/waf_rp_howto) + * [AppSec configuration guide](/docs/next/appsec/configuration) + * [Virtual patching with AppSec rules](/docs/next/appsec/configuration) + +* **Quick Deployment** + * Install Security Engine on your reverse proxy + * Enable AppSec collections for common attack patterns + * Configure bouncer for real-time blocking + +--- + +## Bot and Scraper Management + +**What this solves:** Control aggressive crawlers and scraping tools while preserving legitimate user access. + +### Management Strategies + +* **Rate Limiting** + * [Import throttle decisions](/docs/next/cscli/cscli_decisions_import) + * Use `throttle` action type for rate limiting + * Configure graduated responses (throttle → ban) + +* **Blocking Approaches** + * Edge blocking via firewall or WAF integration + * Behavioral detection with custom scenarios + * IP reputation-based filtering + +--- + +## Legacy Application Protection + +**What this solves:** Add modern security controls to applications that cannot be modified directly. + +### Protection Strategies + +* **Transparent Proxy Protection** + * [Deploy WAF at reverse proxy level](/u/user_guides/waf_rp_howto) + * [Configure virtual patching rules](/docs/next/appsec/configuration) + * Block exploits without application changes + +* **Custom Rule Development** + * Adapt AppSec rules for legacy application patterns + * Create custom scenarios for specific vulnerabilities + * Test thoroughly to avoid breaking application functionality + +--- + +## Custom Behavior Protection + +**What this solves:** Create targeted protections for specific abuse patterns like spam, credential stuffing, or scalping attacks. 
+ +### Custom Detection Development + +* **Scenario Customization** + * [Manage scenarios with cscli](/docs/next/cscli/cscli_scenarios_install) + * [Create custom scenarios](/docs/next/scenarios/create) + * [Test scenarios with explain mode](/docs/next/cscli/cscli_explain) + +* **AppSec Rule Development** + * [Configure custom AppSec rules](/docs/next/appsec/configuration) + * Create pattern-matching rules for specific behaviors + * Test rules in simulation mode before deployment + +--- + +## Alert Enhancement and Triage + +**What this solves:** Accelerate incident response with contextual threat intelligence and automated routing. + +### Enhancement Options + +* **Notification Enrichment** + * [Configure notification plugins](/docs/next/notification_plugins/intro) + * [Use CTI helpers in templates](/docs/next/notification_plugins/template_helpers) + * Send enriched alerts to Slack, email, or SIEM + +* **Operational Dashboards** + * [Set up monitoring dashboards](/docs/next/cscli/cscli_dashboard) + * [Track metrics with cscli](/docs/next/cscli/cscli_metrics) + * Provide SOC teams with actionable context + +--- + +## Threat Hunting and Intelligence + +**What this solves:** Enable proactive threat hunting with global intelligence correlation and local threat mirroring. 
+ +### Hunting Capabilities + +* **Console Integration** + * [Enroll in CrowdSec Console](/docs/next/cscli/cscli_console_enroll) + * Access global CTI and CVE correlation data + * Use web interface for threat investigation + +* **Intelligence Integration** + * Correlate local events with global threat patterns + * Export threat data for integration with hunting tools + * Track emerging threats and vulnerabilities + +--- + +## Getting Started Resources + +If you're new to CrowdSec, start with these foundational guides: + +* [Install CrowdSec Security Engine](/u/getting_started/installation/linux) +* [Configure log data sources](/docs/next/data_sources/file) +* [Understand bouncers and remediation](/docs/next/cscli/cscli_bouncers) +* [Set up Local API](/docs/next/local_api/intro) +* [Complete health check guide](/u/getting_started/health_check) + +## Related Documentation + +* [Security Engine Troubleshooting](./security_engine) +* [Remediation Components Troubleshooting](./remediation_components) +* [CTI Integration Guide](./cti) \ No newline at end of file From fe88815c3b30d998345fec5bff7e5196d41948d2 Mon Sep 17 00:00:00 2001 From: jdv Date: Tue, 12 Aug 2025 16:36:23 +0200 Subject: [PATCH 02/12] toc max level 2 --- crowdsec-docs/unversioned/troubleshooting/usecases.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index b52fdcb8d..2e2898c23 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx @@ -1,4 +1,5 @@ --- +toc_max_heading_level: 2 title: Use Cases and Quick Solutions id: usecases --- From c5d2024ad4d738abf1471efb466f101aa714d81d Mon Sep 17 00:00:00 2001 
From: jdv Date: Thu, 14 Aug 2025 10:55:08 +0200 Subject: [PATCH 03/12] changed first usecase to a better form --- .../unversioned/troubleshooting/usecases.mdx | 49 +++++++++---------- 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index 2e2898c23..ddc38c802 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx @@ -4,6 +4,8 @@ title: Use Cases and Quick Solutions id: usecases --- +import UnderlineTooltip from '@site/src/components/underline-tooltip'; + # Use Cases and Quick Solutions This page provides quick recommendations for common CrowdSec implementation scenarios. Each use case includes practical implementation paths with links to relevant documentation. 
@@ -14,39 +16,32 @@ New to CrowdSec? Start with our [installation guide](/u/getting_started/installa import FormattedTabs from '@site/src/components/formatted-tabs'; -## Block Known-Bad IPs at the Edge - -**What this solves:** Stop commodity scanners, botnets and repeat offenders at the network edge before they reach your services. +TODO: use on key words to help the user understand -### Firewall Integration - -* **Appliance Integration** - * [OPNsense plugin setup](/docs/next/getting_started/install_crowdsec_opnsense) - * [FreeBSD/pfSense installation](/docs/next/getting_started/install_crowdsec_freebsd) - * [Managing bouncers with cscli](/docs/next/cscli/cscli_bouncers) - -* **OS Firewall Integration** - * Configure your system firewall to consume CrowdSec decisions - * Use blocklist integrations for automated IP blocking +## Block Known-Bad IPs at the Edge -### Reverse Proxy/WAF Integration +Pull up-to-date IP lists from CrowdSec **Blocklist as a Service** endpoints into your edge protection. -* **NGINX Reverse Proxy** - * [WAF reverse proxy setup guide](/u/user_guides/waf_rp_howto) - * [AppSec configuration](/docs/next/appsec/configuration) - * [NGINX bouncer documentation](/u/bouncers/nginx) +**Is it for me?** +Ideal if you want direct integration into your firewalls. +Good option if you are not using a Security Engine and want your CDN or WAF to benefit from CrowdSec's blocklists. -* **CDN/WAF Integration** - * Configure your CDN or WAF to consume CrowdSec blocklists - * Use bouncer components for real-time blocking +**How it works:** +- Create a blocklist integration in your console account. +- Select blocklists you want to be served by this endpoints. +- Use the endpoint's URL and credentials to retrieve the merged and up-to-date list. 
-### Security Engine Integration -* **Blocklist Subscriptions** - * [Monitor with cscli metrics](/docs/next/cscli/cscli_metrics) - * [Manage decisions](/docs/next/cscli/cscli_decisions_list) - * [Dashboard setup](/docs/next/cscli/cscli_dashboard) - * Evaluate blocklist impact before full deployment +**References** +- [Blocklist integration Getting started guide](/u/integrations/intro) +- [Subscribing to blocklists](/u/console/blocklists/subscription/) +- [List of integrations format](/u/integrations/intro#current-integrations) +- 🏅 [API management & creating your own blocklists](/u/console/service_api/quickstart/blocklists) +- *Variation: *Integration into CDN/WAF via a **remediation component**: + - [Remediation Component BLaaS integration](/u/integrations/remediationcomponent) + - [AWF WAF remediation component](/u/bouncers/aws_waf) + - [Cloudflare Workers remediation component](/u/bouncers/cloudflare-workers) + - [Fastly remediation component](/u/bouncers/fastly) --- From 15e92026ce38765f3df70fbf7ffe49ffde28ced4 Mon Sep 17 00:00:00 2001 From: jdv Date: Thu, 14 Aug 2025 11:36:37 +0200 Subject: [PATCH 04/12] format change, section 1+2 hand modified, rest is claude suggestions (to change) --- .../unversioned/troubleshooting/usecases.mdx | 227 +++++++++++------- 1 file changed, 137 insertions(+), 90 deletions(-) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index ddc38c802..d0c038ae3 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -45,163 +45,210 @@ Good option if you are not using a Security Engine and want your CDN or WAF to b --- -## Reduce Resource Consumption +## Reduce Noise to save Resources address alert fatigue -**What this solves:** Eliminate automated noise, 404 probes, and malicious traffic to reduce server load and log volumes. +Eliminate automated noise from unwanted probes, spam and malicious traffic to reduce server load and log volumes by up to 80%. -### Implementation Options +**Is it for me?** +Ideal if you're experiencing high server load from automated traffic or want to reduce infrastructure costs. +Good option if you need to optimize server performance and reduce log storage requirements. + +**How it works:** +- Use CrowdSec blocklists to preemptively block crowd validated noise. +- Go further by deploying CrowdSec Security Engine to detect malicious patterns in your traffic. +- Use an AppSec enabled Remediation Component to use CrowdSec WAF. +- Track quantified savings through metrics and performance monitoring. -* Use any of the edge blocking methods described above -* [Enable monitoring dashboards](/docs/next/cscli/cscli_dashboard) to measure impact -* Track metrics with [cscli metrics](/docs/next/cscli/cscli_metrics) to quantify resource savings +**References** +- [Blocklist Catalog doc](/u/console/blocklists/catalog) +- [Blocklist Catalog ↗️](https://app.crowdsec.net/blocklists/search) +- [Security Engine installation](/u/getting_started/intro) +- [CrowdSec WAF](/appsec/intro) +- [Remediation Metrics](/u/console/remediation_metrics) --- ## Multi-Tenant Protection -**What this solves:** Apply different security policies per customer, application, or environment without policy conflicts. +Apply different security policies per customer, application, or environment without policy conflicts using flexible context management. 
-### Implementation Approaches +**Is it for me?** +Ideal if you're managing multiple customers, applications, or environments with different security requirements. +Good option if you need granular policy control and want to avoid cross-tenant security policy interference. -* **Custom Lists per Tenant** - * [Configure centralized allowlists](/docs/next/local_api/centralized_allowlists) - * [Filter decisions by origin or scenario](/docs/next/cscli/cscli_decisions_delete) - * Use separate integration URLs for different tenant policies +**How it works:** +- Configure separate contexts for each tenant using cscli context management. +- Set up centralized allowlists with tenant-specific filtering rules. +- Create distinct integration endpoints for different tenant policies. +- Deploy separate AppSec rule sets tailored to each tenant's requirements. -* **Environment Isolation** - * [Manage contexts with cscli](/docs/next/cscli/cscli_contexts) - * [Configure collections per environment](/docs/next/cscli/cscli_collections) - * Separate AppSec rule sets by tenant requirements +**References** +- [Context management with cscli](/docs/next/cscli/cscli_contexts) +- [Centralized allowlists configuration](/docs/next/local_api/centralized_allowlists) +- [Decision filtering by origin](/docs/next/cscli/cscli_decisions_delete) +- [Collections per environment](/docs/next/cscli/cscli_collections) +- [AppSec configuration guide](/docs/next/appsec/configuration) --- ## SIEM/SOAR Integration -**What this solves:** Enrich existing security tools with CrowdSec's threat intelligence and IOC streams. - -### IOC Management +Enrich existing security tools with CrowdSec's real-time threat intelligence and IOC streams from 70,000+ global contributors. 
-* **Import Custom IOCs** - * [Import decisions from CSV/JSON](/docs/next/cscli/cscli_decisions_import) - * Support for ban, captcha, and throttle actions - * Tag with custom origins for tracking +**Is it for me?** +Ideal if you're using SIEM/SOAR tools and want to enhance them with fresh, crowd-sourced threat intelligence. +Good option if you need automated IOC management and want to reduce false positives in security alerts. -* **Alert Enrichment** - * [Use CTI helpers in notification templates](/docs/next/notification_plugins/template_helpers) - * Automatically enrich alerts with threat intelligence - * [Configure notification plugins](/docs/next/notification_plugins/intro) +**How it works:** +- Import custom IOCs from your existing tools using CSV/JSON format. +- Configure notification plugins to automatically enrich alerts with contextual threat data. +- Use CTI helpers in templates to add global intelligence context to security events. +- Set up bidirectional data exchange with platforms like MISP for comprehensive threat sharing. -* **MISP Integration** (Coming Soon) - * Bidirectional IOC exchange with MISP platforms - * Automated threat intelligence sharing +**References** +- [Import decisions from CSV/JSON](/docs/next/cscli/cscli_decisions_import) +- [Notification plugins configuration](/docs/next/notification_plugins/intro) +- [CTI helpers in templates](/docs/next/notification_plugins/template_helpers) +- [Console enrollment for CTI access](/docs/next/cscli/cscli_console_enroll) +- 🏅 [MISP Integration documentation](/docs/next/integrations/misp) (Coming Soon) --- ## Web Application Protection -**What this solves:** Quickly protect applications from OWASP Top-10 attacks and vulnerability probing. +Quickly protect web applications from OWASP Top-10 attacks and zero-day vulnerability probing with behavior-driven detection. -### AppSec Deployment +**Is it for me?** +Ideal if you need immediate protection for web applications against common attack patterns. 
+Good option if you want virtual patching capabilities and real-time threat blocking without modifying application code. -* **Reverse Proxy WAF** - * [Complete WAF setup guide](/u/user_guides/waf_rp_howto) - * [AppSec configuration guide](/docs/next/appsec/configuration) - * [Virtual patching with AppSec rules](/docs/next/appsec/configuration) +**How it works:** +- Deploy CrowdSec Security Engine with AppSec module on your reverse proxy or web server. +- Enable pre-built AppSec collections targeting OWASP Top-10 attack patterns. +- Configure bouncers for real-time blocking of detected threats. +- Implement virtual patching rules to protect against specific vulnerabilities. -* **Quick Deployment** - * Install Security Engine on your reverse proxy - * Enable AppSec collections for common attack patterns - * Configure bouncer for real-time blocking +**References** +- [Complete WAF setup guide](/u/user_guides/waf_rp_howto) +- [AppSec configuration guide](/docs/next/appsec/configuration) +- [Virtual patching with AppSec rules](/docs/next/appsec/configuration) +- [Bouncer configuration](/docs/next/cscli/cscli_bouncers) +- [Security Engine installation](/u/getting_started/installation/linux) --- ## Bot and Scraper Management -**What this solves:** Control aggressive crawlers and scraping tools while preserving legitimate user access. +Control aggressive crawlers and scraping tools while preserving legitimate user access using graduated response strategies. -### Management Strategies +**Is it for me?** +Ideal if you're dealing with aggressive bots or scrapers that impact your site performance. +Good option if you need granular control over automated traffic without blocking legitimate users or search engines. 
-* **Rate Limiting** - * [Import throttle decisions](/docs/next/cscli/cscli_decisions_import) - * Use `throttle` action type for rate limiting - * Configure graduated responses (throttle → ban) +**How it works:** +- Configure behavioral detection scenarios to identify suspicious crawling patterns. +- Implement graduated responses starting with throttling, escalating to temporary bans. +- Use specialized AI Crawlers Blocklist to block known malicious crawling IPs. +- Deploy edge blocking through firewall or CDN integration for immediate protection. -* **Blocking Approaches** - * Edge blocking via firewall or WAF integration - * Behavioral detection with custom scenarios - * IP reputation-based filtering +**References** +- [Import throttle decisions](/docs/next/cscli/cscli_decisions_import) +- [Custom scenario creation](/docs/next/scenarios/create) +- [AI Crawlers Blocklist subscription](/u/console/blocklists/subscription/) +- [Edge integration options](/u/integrations/intro) +- [Behavioral detection configuration](/docs/next/scenarios/introduction) --- ## Legacy Application Protection -**What this solves:** Add modern security controls to applications that cannot be modified directly. +Add modern security controls to legacy applications that cannot be modified directly using transparent proxy protection. -### Protection Strategies +**Is it for me?** +Ideal if you're running legacy applications that lack built-in security features. +Good option if you need immediate protection without the risk of modifying critical legacy code. -* **Transparent Proxy Protection** - * [Deploy WAF at reverse proxy level](/u/user_guides/waf_rp_howto) - * [Configure virtual patching rules](/docs/next/appsec/configuration) - * Block exploits without application changes +**How it works:** +- Deploy CrowdSec WAF at the reverse proxy level in front of your legacy application. +- Configure virtual patching rules to block known exploits targeting your application stack. 
+- Create custom AppSec rules adapted to your legacy application's specific patterns. +- Test protection rules in simulation mode before enabling blocking to ensure application functionality. -* **Custom Rule Development** - * Adapt AppSec rules for legacy application patterns - * Create custom scenarios for specific vulnerabilities - * Test thoroughly to avoid breaking application functionality +**References** +- [Complete WAF setup guide](/u/user_guides/waf_rp_howto) +- [AppSec configuration guide](/docs/next/appsec/configuration) +- [Virtual patching rules](/docs/next/appsec/configuration) +- [Custom scenario creation](/docs/next/scenarios/create) +- [Testing with explain mode](/docs/next/cscli/cscli_explain) --- ## Custom Behavior Protection -**What this solves:** Create targeted protections for specific abuse patterns like spam, credential stuffing, or scalping attacks. +Create targeted protections for specific abuse patterns like spam, credential stuffing, or scalping attacks using custom detection rules. -### Custom Detection Development +**Is it for me?** +Ideal if you're facing unique attack patterns not covered by standard security solutions. +Good option if you need highly specific protection tailored to your application's business logic and user patterns. -* **Scenario Customization** - * [Manage scenarios with cscli](/docs/next/cscli/cscli_scenarios_install) - * [Create custom scenarios](/docs/next/scenarios/create) - * [Test scenarios with explain mode](/docs/next/cscli/cscli_explain) +**How it works:** +- Analyze your specific abuse patterns to understand attacker behavior. +- Create custom scenarios using CrowdSec's scenario framework for behavioral detection. +- Develop AppSec rules for pattern-matching specific malicious requests. +- Test custom rules thoroughly using explain mode and simulation before production deployment. 
-* **AppSec Rule Development** - * [Configure custom AppSec rules](/docs/next/appsec/configuration) - * Create pattern-matching rules for specific behaviors - * Test rules in simulation mode before deployment +**References** +- [Custom scenario creation](/docs/next/scenarios/create) +- [Scenario management with cscli](/docs/next/cscli/cscli_scenarios_install) +- [Testing scenarios with explain mode](/docs/next/cscli/cscli_explain) +- [Custom AppSec rules configuration](/docs/next/appsec/configuration) +- [Scenario testing and validation](/docs/next/scenarios/intro) --- ## Alert Enhancement and Triage -**What this solves:** Accelerate incident response with contextual threat intelligence and automated routing. +Accelerate incident response with contextual threat intelligence and automated routing to reduce alert volume by up to 80%. -### Enhancement Options +**Is it for me?** +Ideal if your SOC team is overwhelmed with security alerts and needs better context for prioritization. +Good option if you want to automate alert enrichment and reduce time-to-response for security incidents. -* **Notification Enrichment** - * [Configure notification plugins](/docs/next/notification_plugins/intro) - * [Use CTI helpers in templates](/docs/next/notification_plugins/template_helpers) - * Send enriched alerts to Slack, email, or SIEM +**How it works:** +- Configure notification plugins to automatically enrich alerts with global threat intelligence context. +- Set up CTI helpers in templates to add reputation data, attack patterns, and geographic context. +- Deploy operational dashboards for SOC teams to visualize threats and track security metrics. +- Integrate with existing SIEM/SOAR tools to enhance existing alert workflows. 
-* **Operational Dashboards** - * [Set up monitoring dashboards](/docs/next/cscli/cscli_dashboard) - * [Track metrics with cscli](/docs/next/cscli/cscli_metrics) - * Provide SOC teams with actionable context +**References** +- [Notification plugins configuration](/docs/next/notification_plugins/intro) +- [CTI helpers in templates](/docs/next/notification_plugins/template_helpers) +- [Monitoring dashboards setup](/docs/next/cscli/cscli_dashboard) +- [Metrics tracking with cscli](/docs/next/cscli/cscli_metrics) +- [Console enrollment for CTI access](/docs/next/cscli/cscli_console_enroll) --- ## Threat Hunting and Intelligence -**What this solves:** Enable proactive threat hunting with global intelligence correlation and local threat mirroring. +Enable proactive threat hunting with access to global intelligence from 190+ countries, often 7-60 days ahead of other vendors. -### Hunting Capabilities +**Is it for me?** +Ideal if you have a threat hunting team that needs fresh, contextual intelligence for proactive security investigations. +Good option if you want to correlate local events with global attack patterns and emerging threats. -* **Console Integration** - * [Enroll in CrowdSec Console](/docs/next/cscli/cscli_console_enroll) - * Access global CTI and CVE correlation data - * Use web interface for threat investigation +**How it works:** +- Enroll your Security Engine in CrowdSec Console to access global CTI and CVE correlation data. +- Use the web interface to investigate threat patterns and analyze attack trends. +- Correlate your local security events with global crowd-sourced intelligence. +- Export enriched threat data for integration with your existing threat hunting tools and workflows. 
-* **Intelligence Integration** - * Correlate local events with global threat patterns - * Export threat data for integration with hunting tools - * Track emerging threats and vulnerabilities +**References** +- [Console enrollment guide](/docs/next/cscli/cscli_console_enroll) +- [CTI integration documentation](/u/console/blocklists/subscription/) +- [Global threat intelligence access](/u/integrations/intro) +- [VulnTracking Reports](https://www.crowdsec.net/blog) (Monthly CVE analysis) +- [Threat investigation workflows](/docs/next/cscli/cscli_decisions) --- From 735c98033c2b4f8532766a635bb662b8073df4a4 Mon Sep 17 00:00:00 2001 From: jdv Date: Thu, 14 Aug 2025 14:29:05 +0200 Subject: [PATCH 05/12] trying to fix build --- .../unversioned/troubleshooting/usecases.mdx | 24 +++++++------------ 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index d0c038ae3..bc6671540 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx @@ -4,8 +4,6 @@ title: Use Cases and Quick Solutions id: usecases --- -import UnderlineTooltip from '@site/src/components/underline-tooltip'; - # Use Cases and Quick Solutions This page provides quick recommendations for common CrowdSec implementation scenarios. Each use case includes practical implementation paths with links to relevant documentation. 
@@ -14,10 +12,6 @@ This page provides quick recommendations for common CrowdSec implementation scen New to CrowdSec? Start with our [installation guide](/u/getting_started/installation/linux) and [health check guide](/u/getting_started/health_check). ::: -import FormattedTabs from '@site/src/components/formatted-tabs'; - -TODO: use on key words to help the user understand - ## Block Known-Bad IPs at the Edge Pull up-to-date IP lists from CrowdSec **Blocklist as a Service** endpoints into your edge protection. 
@@ -70,24 +64,22 @@ Good option if you need to optimize server performance and reduce log storage re ## Multi-Tenant Protection -Apply different security policies per customer, application, or environment without policy conflicts using flexible context management. +Apply different security policies per customer, application, tier, [...] retrieving contextualized IP Lists. **Is it for me?** Ideal if you're managing multiple customers, applications, or environments with different security requirements. Good option if you need granular policy control and want to avoid cross-tenant security policy interference. **How it works:** -- Configure separate contexts for each tenant using cscli context management. -- Set up centralized allowlists with tenant-specific filtering rules. -- Create distinct integration endpoints for different tenant policies. -- Deploy separate AppSec rule sets tailored to each tenant's requirements. +- Configure separate blocklist integrations for each context. +- Assign context-specific blocklist AND allowlists. +- Go further by creating custom lists based on detections made on your infrastructure. **References** -- [Context management with cscli](/docs/next/cscli/cscli_contexts) -- [Centralized allowlists configuration](/docs/next/local_api/centralized_allowlists) -- [Decision filtering by origin](/docs/next/cscli/cscli_decisions_delete) -- [Collections per environment](/docs/next/cscli/cscli_collections) -- [AppSec configuration guide](/docs/next/appsec/configuration) +- [Blocklist integration Getting started guide](/u/integrations/intro) +- [Blocklist Catalog doc](/u/console/blocklists/catalog) +- [Blocklist Catalog ↗️](https://app.crowdsec.net/blocklists/search) +- [Custom blocklists from the decisions of your Security engine ↗️](https://github.com/crowdsecurity/custom-bouncer-to-blocklist) --- From 755b1dbbd5d70396c60aa6da682c949be112c4e9 Mon Sep 17 00:00:00 2001 
From: jdv Date: Thu, 14 Aug 2025 15:06:04 +0200 Subject: [PATCH 06/12] manual changes to WAF section --- .../unversioned/troubleshooting/usecases.mdx | 47 +++++++++---------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index bc6671540..da6c5c11c 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -83,49 +83,48 @@ Good option if you need granular policy control and want to avoid cross-tenant s --- -## SIEM/SOAR Integration +## Looking for complementary IOC streams -Enrich existing security tools with CrowdSec's real-time threat intelligence and IOC streams from 70,000+ global contributors. +Add qualified IOCs from CrowdSec's real-time IP reputation. **Is it for me?** -Ideal if you're using SIEM/SOAR tools and want to enhance them with fresh, crowd-sourced threat intelligence. -Good option if you need automated IOC management and want to reduce false positives in security alerts. +Ideal if you want to complement your IOC insights with exclusive CrowdSec IP reputation data. +Quickly choose among qualified malicious actors regrouped by industry, behaviors... **How it works:** -- Import custom IOCs from your existing tools using CSV/JSON format. -- Configure notification plugins to automatically enrich alerts with contextual threat data. -- Use CTI helpers in templates to add global intelligence context to security events. -- Set up bidirectional data exchange with platforms like MISP for comprehensive threat sharing. +- Stream CrowdSec IP Lists into your security tools. +- Integrate directly in your security tools thanks to our integrations or easy to use CTI API. +- 🏅 Get custom IOC streams made for your needs.([contact us ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription)) +- Next step: Enrich IPs via CrowdSec CTI API. 
+ **References** -- [Import decisions from CSV/JSON](/docs/next/cscli/cscli_decisions_import) -- [Notification plugins configuration](/docs/next/notification_plugins/intro) -- [CTI helpers in templates](/docs/next/notification_plugins/template_helpers) -- [Console enrollment for CTI access](/docs/next/cscli/cscli_console_enroll) -- 🏅 [MISP Integration documentation](/docs/next/integrations/misp) (Coming Soon) +- [IP reputation lists / Blocklists Catalog doc ↗️](https://app.crowdsec.net/blocklists/search) +- [Retrieving merged lists via HTTPS endpoints](/u/integrations/intro) +- [Retrieving Blocklists via API](/u/console/service_api/quickstart/blocklists#download-blocklist-content) +- [MISP Feed from Security Engine's alerts](https://doc.crowdsec.net/u/bouncers/misp-feed-generator) +- [Upcoming CrowdSec MISP Feeds ↗️](https://roadmap.crowdsec.net/c/48-misp-feed) --- ## Web Application Protection -Quickly protect web applications from OWASP Top-10 attacks and zero-day vulnerability probing with behavior-driven detection. +Quickly protect web applications from the latest CVEs and generic vulnerability exploits using CrowdSec WAF. **Is it for me?** -Ideal if you need immediate protection for web applications against common attack patterns. -Good option if you want virtual patching capabilities and real-time threat blocking without modifying application code. +Ideal if you want a modern OpenSource WAF solution. +Benefit from CrowdSec's Virtual patching catalog while being able to use your existing ModSecurity rules as is. **How it works:** - Deploy CrowdSec Security Engine with AppSec module on your reverse proxy or web server. -- Enable pre-built AppSec collections targeting OWASP Top-10 attack patterns. -- Configure bouncers for real-time blocking of detected threats. -- Implement virtual patching rules to protect against specific vulnerabilities. +- Get CrowdSec Virtual patching collection. +- Easily scale and identify behaviors accross multiple servers over time. 
+- Go further by using your existing appsec rules. +- Even test CRS rules out of band on your production traffic to easily adapt them to you needs. + **References** -- [Complete WAF setup guide](/u/user_guides/waf_rp_howto) -- [AppSec configuration guide](/docs/next/appsec/configuration) -- [Virtual patching with AppSec rules](/docs/next/appsec/configuration) -- [Bouncer configuration](/docs/next/cscli/cscli_bouncers) -- [Security Engine installation](/u/getting_started/installation/linux) +- ... --- From f4740e9972738316085919918155ee6b99e40574 Mon Sep 17 00:00:00 2001 From: jdv Date: Thu, 14 Aug 2025 15:35:34 +0200 Subject: [PATCH 07/12] Bot and scrapper section done --- .../unversioned/troubleshooting/usecases.mdx | 49 ++++++++++--------- 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index da6c5c11c..ec8ed842c 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -107,47 +107,48 @@ Quickly choose among qualified malicious actors regrouped by industry, behaviors --- -## Web Application Protection +## Bot and Scraper Management -Quickly protect web applications from the latest CVEs and generic vulnerability exploits using CrowdSec WAF. +Control aggressive crawlers and scraping tools while preserving legitimate user access using graduated response strategies. **Is it for me?** -Ideal if you want a modern OpenSource WAF solution. -Benefit from CrowdSec's Virtual patching catalog while being able to use your existing ModSecurity rules as is. +Ideal if you're dealing with aggressive bots or scrapers that impact your site performance. +Good option if you want to prevent illegitimate AI crawlers from visiting your site. **How it works:** -- Deploy CrowdSec Security Engine with AppSec module on your reverse proxy or web server. -- Get CrowdSec Virtual patching collection. -- Easily scale and identify behaviors accross multiple servers over time. -- Go further by using your existing appsec rules. -- Even test CRS rules out of band on your production traffic to easily adapt them to you needs. - +- Retrieve AI Crawlers and/or Botnets IPs from CrowdSec Blocklist integrations +- Block at the edge using your firewall or CDN. **References** -- ... +- [Blocking at the edge section](#blocking-at-the-edge) +- [Custom scenario creation](/docs/next/scenarios/create) +- [AI Crawlers Blocklist ↗️](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) +- [Currated Botnet Actors ↗️](https://app.crowdsec.net/blocklists/65a56c160469607d9badb813) +- [Public Internet Scanners ↗️](https://app.crowdsec.net/blocklists/65f972eb807e06de7a0e3e65) --- -## Bot and Scraper Management +## Block Common web attacks fast -Control aggressive crawlers and scraping tools while preserving legitimate user access using graduated response strategies. +Quickly protect web applications from the latest CVEs and generic vulnerability exploits using CrowdSec WAF. 
**Is it for me?** -Ideal if you're dealing with aggressive bots or scrapers that impact your site performance. -Good option if you need granular control over automated traffic without blocking legitimate users or search engines. +Ideal if you want a modern OpenSource WAF solution. +Benefit from CrowdSec's Virtual patching catalog while being able to use your existing ModSecurity rules as is. **How it works:** -- Configure behavioral detection scenarios to identify suspicious crawling patterns. -- Implement graduated responses starting with throttling, escalating to temporary bans. -- Use specialized AI Crawlers Blocklist to block known malicious crawling IPs. -- Deploy edge blocking through firewall or CDN integration for immediate protection. +- Deploy CrowdSec Security Engine with AppSec module on your reverse proxy or web server. +- Get CrowdSec Virtual patching collection. +- Easily scale and identify behaviors accross multiple servers over time. +- Go further by using your existing appsec rules. +- Even test CRS rules out of band on your production traffic to easily adapt them to you needs. + **References** -- [Import throttle decisions](/docs/next/cscli/cscli_decisions_import) -- [Custom scenario creation](/docs/next/scenarios/create) -- [AI Crawlers Blocklist subscription](/u/console/blocklists/subscription/) -- [Edge integration options](/u/integrations/intro) -- [Behavioral detection configuration](/docs/next/scenarios/introduction) +- [Security Engine installation](/u/getting_started/intro) +- [CrowdSec WAF presentation](/appsec/intro) +- [Virtual Patching collection ↗️](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching) +- [CrowdSec WAF article ↗️](https://www.crowdsec.net/blog/crowdsec-waf-the-collaborative-future-of-web-application-security) --- From baa841d9204412d23d03dd2a35620806db90c9f3 Mon Sep 17 00:00:00 2001 
From: jdv Date: Thu, 14 Aug 2025 15:55:35 +0200 Subject: [PATCH 08/12] custom behavior section done --- .../unversioned/troubleshooting/usecases.mdx | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index ec8ed842c..c654e3d37 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx @@ -120,7 +120,7 @@ Good option if you want to prevent illegitimate AI crawlers from visiting your s - Block at the edge using your firewall or CDN. **References** -- [Blocking at the edge section](#blocking-at-the-edge) +- [**Blocking at the edge section**](#blocking-at-the-edge) - [Custom scenario creation](/docs/next/scenarios/create) - [AI Crawlers Blocklist ↗️](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) - [Currated Botnet Actors ↗️](https://app.crowdsec.net/blocklists/65a56c160469607d9badb813) 
@@ -163,21 +163,19 @@ Good option if you need immediate protection without the risk of modifying criti **How it works:** - Deploy CrowdSec WAF at the reverse proxy level in front of your legacy application. - Configure virtual patching rules to block known exploits targeting your application stack. -- Create custom AppSec rules adapted to your legacy application's specific patterns. -- Test protection rules in simulation mode before enabling blocking to ensure application functionality. +- Additionally create custom AppSec rules adapted to your legacy application's specific patterns. +- Test protection rules out of band (simulation mode) before enabling blocking to ensure application functionality. **References** -- [Complete WAF setup guide](/u/user_guides/waf_rp_howto) -- [AppSec configuration guide](/docs/next/appsec/configuration) -- [Virtual patching rules](/docs/next/appsec/configuration) -- [Custom scenario creation](/docs/next/scenarios/create) -- [Testing with explain mode](/docs/next/cscli/cscli_explain) +- [**Block Common web attacks fast**](#block-common-web-attacks-fast) +- [Block right before your app code with PHP prepend](/u/bouncers/php) +- [Add blocking capabilities in your php app](/u/bouncers/php-lib) --- ## Custom Behavior Protection -Create targeted protections for specific abuse patterns like spam, credential stuffing, or scalping attacks using custom detection rules. +Create targeted protections for specific abuse patterns like **spam**, **credential stuffing**, or **scalping attacks**, [...] using custom detection rules or scenarios. **Is it for me?** Ideal if you're facing unique attack patterns not covered by standard security solutions. 
@@ -186,15 +184,15 @@ Good option if you need highly specific protection tailored to your application' **How it works:** - Analyze your specific abuse patterns to understand attacker behavior. - Create custom scenarios using CrowdSec's scenario framework for behavioral detection. -- Develop AppSec rules for pattern-matching specific malicious requests. +- Eventually develop AppSec rules for pattern-matching specific malicious requests. - Test custom rules thoroughly using explain mode and simulation before production deployment. **References** -- [Custom scenario creation](/docs/next/scenarios/create) -- [Scenario management with cscli](/docs/next/cscli/cscli_scenarios_install) -- [Testing scenarios with explain mode](/docs/next/cscli/cscli_explain) -- [Custom AppSec rules configuration](/docs/next/appsec/configuration) -- [Scenario testing and validation](/docs/next/scenarios/intro) +- [**Block Common web attacks fast**](#block-common-web-attacks-fast) +- [Custom scenario creation](/log_processor/scenarios/create) +- [Get help from the community ↗️](https://discord.gg/wGN7ShmEE8) +- [Example of custom detection: Impossible traveler ↗️](https://www.crowdsec.net/blog/detect-suspicious-ip-behavior-impossible-travel) +- [Success story: ScaleCommerce vs scalpers ↗️](https://www.crowdsec.net/blog/scalecommerce-plummets-ops-costs-and-skyrockets-efficiency) --- From f11f334ee9de6aeb785e874290ce799c9ee7c5f3 Mon Sep 17 00:00:00 2001 From: jdv Date: Thu, 14 Aug 2025 18:04:44 +0200 Subject: [PATCH 09/12] ready for reaview --- .../unversioned/troubleshooting/usecases.mdx | 57 +++++++------------ 1 file changed, 22 insertions(+), 35 deletions(-) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index c654e3d37..be343e16c 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -94,7 +94,7 @@ Quickly choose among qualified malicious actors regrouped by industry, behaviors **How it works:** - Stream CrowdSec IP Lists into your security tools. - Integrate directly in your security tools thanks to our integrations or easy to use CTI API. -- 🏅 Get custom IOC streams made for your needs.([contact us ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription)) +- 🏅 Get custom IOC streams made for your needs. - Next step: Enrich IPs via CrowdSec CTI API. @@ -104,6 +104,7 @@ Quickly choose among qualified malicious actors regrouped by industry, behaviors - [Retrieving Blocklists via API](/u/console/service_api/quickstart/blocklists#download-blocklist-content) - [MISP Feed from Security Engine's alerts](https://doc.crowdsec.net/u/bouncers/misp-feed-generator) - [Upcoming CrowdSec MISP Feeds ↗️](https://roadmap.crowdsec.net/c/48-misp-feed) +- [Contact Us for custom requests ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription)) --- 
@@ -202,20 +203,20 @@ Accelerate incident response with contextual threat intelligence and automated r **Is it for me?** Ideal if your SOC team is overwhelmed with security alerts and needs better context for prioritization. -Good option if you want to automate alert enrichment and reduce time-to-response for security incidents. +Add exclusive context to your alerts and automate incident response with up to 30+ IP reputation enrichment dimensions. **How it works:** -- Configure notification plugins to automatically enrich alerts with global threat intelligence context. -- Set up CTI helpers in templates to add reputation data, attack patterns, and geographic context. -- Deploy operational dashboards for SOC teams to visualize threats and track security metrics. -- Integrate with existing SIEM/SOAR tools to enhance existing alert workflows. +- Consult CrowdSec CTI: per IP queries, advanced search on behavior, classifications or performed CVEs- Configure notification plugins to automatically enrich alerts with global threat intelligence context. +- Obtain your CTI API key from your CrowdSec Console account or a contact with CrowdSec team for higher quotas. +- Integrate it in your tools with out existing integrations or via simple calls to the API. +- 🏅 Advanced usages: API search, Offline replication, ... 
**References** -- [Notification plugins configuration](/docs/next/notification_plugins/intro) -- [CTI helpers in templates](/docs/next/notification_plugins/template_helpers) -- [Monitoring dashboards setup](/docs/next/cscli/cscli_dashboard) -- [Metrics tracking with cscli](/docs/next/cscli/cscli_metrics) -- [Console enrollment for CTI access](/docs/next/cscli/cscli_console_enroll) +- [Explore CrowdSec CTI within the console](/u/cti_api/getting_started) +- [Create a test API key](/u/cti_api/api_getting_started) +- [IP reputation enrichment glossary](/u/cti_api/taxonomy/cti_object) +- [Evaluate your IPs using our **IPDEX** tool](/u/cti_api/api_integration/integration_ipdex/) +- [Contact Us for 🏅 advanced usage ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription) --- 
@@ -228,32 +229,18 @@ Ideal if you have a threat hunting team that needs fresh, contextual intelligenc Good option if you want to correlate local events with global attack patterns and emerging threats. **How it works:** -- Enroll your Security Engine in CrowdSec Console to access global CTI and CVE correlation data. -- Use the web interface to investigate threat patterns and analyze attack trends. -- Correlate your local security events with global crowd-sourced intelligence. -- Export enriched threat data for integration with your existing threat hunting tools and workflows. +- Explore our CTI and CVE explorer +- Leverage advanced search capabilities to identify relevant threats and vulnerabilities. +- Go further using our CTI API to integrate threat intelligence into your existing workflows. **References** -- [Console enrollment guide](/docs/next/cscli/cscli_console_enroll) -- [CTI integration documentation](/u/console/blocklists/subscription/) -- [Global threat intelligence access](/u/integrations/intro) -- [VulnTracking Reports](https://www.crowdsec.net/blog) (Monthly CVE analysis) -- [Threat investigation workflows](/docs/next/cscli/cscli_decisions) +- [CTI related refs from **Alert Enhancement and Triage**](#alert-enhancement-and-triage) +- [CVE explorer](/u/cti_api/cve_explorer/) +- [IPDEX presentation article ↗️](https://www.crowdsec.net/blog/introducing-crowdsec-ipdex) +- [Follow our weekly vuln report on LinkedIn ↗️](https://www.linkedin.com/company/crowdsec/posts/?feedView=all) --- -## Getting Started Resources - -If you're new to CrowdSec, start with these foundational guides: - -* [Install CrowdSec Security Engine](/u/getting_started/installation/linux) -* [Configure log data sources](/docs/next/data_sources/file) -* [Understand bouncers and remediation](/docs/next/cscli/cscli_bouncers) -* [Set up Local API](/docs/next/local_api/intro) -* [Complete health check guide](/u/getting_started/health_check) - -## Related Documentation - -* [Security Engine 
Troubleshooting](./security_engine) -* [Remediation Components Troubleshooting](./remediation_components) -* [CTI Integration Guide](./cti) \ No newline at end of file +## Useful Links +- [CrowdSec Public Roadmap ↗️](https://roadmap.crowdsec.net/tabs/3-planned) +- [CrowdSec GitHub Repository ↗️](https://github.com/crowdsecurity/) From a7484a1ec62032db446eb9577af91507571ac869 Mon Sep 17 00:00:00 2001 From: jdv Date: Thu, 14 Aug 2025 18:11:30 +0200 Subject: [PATCH 10/12] nano fix + add to uSidebar --- crowdsec-docs/sidebarsUnversioned.ts | 5 +++++ crowdsec-docs/unversioned/troubleshooting/usecases.mdx | 10 +++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/crowdsec-docs/sidebarsUnversioned.ts b/crowdsec-docs/sidebarsUnversioned.ts index b032bb9f4..4c7906bdb 100644 --- a/crowdsec-docs/sidebarsUnversioned.ts +++ b/crowdsec-docs/sidebarsUnversioned.ts @@ -591,6 +591,11 @@ const sidebarsUnversionedConfig: SidebarConfig = { id: "troubleshooting/intro", label: "Introduction", }, + { + type: "doc", + id: "troubleshooting/usecases", + label: "Use Cases", + }, { type: "doc", id: "troubleshooting/security_engine", diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index be343e16c..24b7998d1 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -31,7 +31,7 @@ Good option if you are not using a Security Engine and want your CDN or WAF to b - [Subscribing to blocklists](/u/console/blocklists/subscription/) - [List of integrations format](/u/integrations/intro#current-integrations) - 🏅 [API management & creating your own blocklists](/u/console/service_api/quickstart/blocklists) -- *Variation: *Integration into CDN/WAF via a **remediation component**: +- *Variation:* Integration into CDN/WAF via a **remediation component**: - [Remediation Component BLaaS integration](/u/integrations/remediationcomponent) - [AWF WAF remediation component](/u/bouncers/aws_waf) - [Cloudflare Workers remediation component](/u/bouncers/cloudflare-workers) @@ -121,7 +121,7 @@ Good option if you want to prevent illegitimate AI crawlers from visiting your s - Block at the edge using your firewall or CDN. **References** -- [**Blocking at the edge section**](#blocking-at-the-edge) +- [⬆️ **Blocking at the edge section**](#blocking-at-the-edge) - [Custom scenario creation](/docs/next/scenarios/create) - [AI Crawlers Blocklist ↗️](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) - [Currated Botnet Actors ↗️](https://app.crowdsec.net/blocklists/65a56c160469607d9badb813) @@ -168,7 +168,7 @@ Good option if you need immediate protection without the risk of modifying criti - Test protection rules out of band (simulation mode) before enabling blocking to ensure application functionality. **References** -- [**Block Common web attacks fast**](#block-common-web-attacks-fast) +- [⬆️ **Block Common web attacks fast**](#block-common-web-attacks-fast) - [Block right before your app code with PHP prepend](/u/bouncers/php) - [Add blocking capabilities in your php app](/u/bouncers/php-lib) 
@@ -189,7 +189,7 @@ Good option if you need highly specific protection tailored to your application' - Test custom rules thoroughly using explain mode and simulation before production deployment. **References** -- [**Block Common web attacks fast**](#block-common-web-attacks-fast) +- [⬆️ **Block Common web attacks fast**](#block-common-web-attacks-fast) - [Custom scenario creation](/log_processor/scenarios/create) - [Get help from the community ↗️](https://discord.gg/wGN7ShmEE8) - [Example of custom detection: Impossible traveler ↗️](https://www.crowdsec.net/blog/detect-suspicious-ip-behavior-impossible-travel) @@ -234,7 +234,7 @@ Good option if you want to correlate local events with global attack patterns an - Go further using our CTI API to integrate threat intelligence into your existing workflows. **References** -- [CTI related refs from **Alert Enhancement and Triage**](#alert-enhancement-and-triage) +- [⬆️ CTI related refs from **Alert Enhancement and Triage**](#alert-enhancement-and-triage) - [CVE explorer](/u/cti_api/cve_explorer/) - [IPDEX presentation article ↗️](https://www.crowdsec.net/blog/introducing-crowdsec-ipdex) - [Follow our weekly vuln report on LinkedIn ↗️](https://www.linkedin.com/company/crowdsec/posts/?feedView=all) From 1d40a51d4765b7b29e8dc267728f1adb69d24180 Mon Sep 17 00:00:00 2001 From: jdv Date: Thu, 21 Aug 2025 09:55:08 +0200 Subject: [PATCH 11/12] review changes --- .../unversioned/troubleshooting/usecases.mdx | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index 24b7998d1..505ac9e68 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -16,7 +16,7 @@ New to CrowdSec? Start with our [installation guide](/u/getting_started/installa Pull up-to-date IP lists from CrowdSec **Blocklist as a Service** endpoints into your edge protection. -**Is it for me?** +**Is it for me?** Ideal if you want direct integration into your firewalls. Good option if you are not using a Security Engine and want your CDN or WAF to benefit from CrowdSec's blocklists. @@ -43,7 +43,7 @@ Good option if you are not using a Security Engine and want your CDN or WAF to b Eliminate automated noise from unwanted probes, spam and malicious traffic to reduce server load and log volumes by up to 80%. -**Is it for me?** +**Is it for me?** Ideal if you're experiencing high server load from automated traffic or want to reduce infrastructure costs. Good option if you need to optimize server performance and reduce log storage requirements. @@ -66,7 +66,7 @@ Good option if you need to optimize server performance and reduce log storage re Apply different security policies per customer, application, tier, [...] retrieving contextualized IP Lists. -**Is it for me?** +**Is it for me?** Ideal if you're managing multiple customers, applications, or environments with different security requirements. Good option if you need granular policy control and want to avoid cross-tenant security policy interference. @@ -87,7 +87,7 @@ Good option if you need granular policy control and want to avoid cross-tenant s Add qualified IOCs from CrowdSec's real-time IP reputation. -**Is it for me?** +**Is it for me?** Ideal if you want to complement your IOC insights with exclusive CrowdSec IP reputation data. Quickly choose among qualified malicious actors regrouped by industry, behaviors... 
@@ -112,7 +112,7 @@ Quickly choose among qualified malicious actors regrouped by industry, behaviors Control aggressive crawlers and scraping tools while preserving legitimate user access using graduated response strategies. -**Is it for me?** +**Is it for me?** Ideal if you're dealing with aggressive bots or scrapers that impact your site performance. Good option if you want to prevent illegitimate AI crawlers from visiting your site. @@ -133,7 +133,7 @@ Good option if you want to prevent illegitimate AI crawlers from visiting your s Quickly protect web applications from the latest CVEs and generic vulnerability exploits using CrowdSec WAF. -**Is it for me?** +**Is it for me?** Ideal if you want a modern OpenSource WAF solution. Benefit from CrowdSec's Virtual patching catalog while being able to use your existing ModSecurity rules as is. @@ -157,7 +157,7 @@ Benefit from CrowdSec's Virtual patching catalog while being able to use your ex Add modern security controls to legacy applications that cannot be modified directly using transparent proxy protection. -**Is it for me?** +**Is it for me?** Ideal if you're running legacy applications that lack built-in security features. Good option if you need immediate protection without the risk of modifying critical legacy code. @@ -178,7 +178,7 @@ Good option if you need immediate protection without the risk of modifying criti Create targeted protections for specific abuse patterns like **spam**, **credential stuffing**, or **scalping attacks**, [...] using custom detection rules or scenarios. -**Is it for me?** +**Is it for me?** Ideal if you're facing unique attack patterns not covered by standard security solutions. Good option if you need highly specific protection tailored to your application's business logic and user patterns. 
@@ -201,7 +201,7 @@ Good option if you need highly specific protection tailored to your application' Accelerate incident response with contextual threat intelligence and automated routing to reduce alert volume by up to 80%. -**Is it for me?** +**Is it for me?** Ideal if your SOC team is overwhelmed with security alerts and needs better context for prioritization. Add exclusive context to your alerts and automate incident response with up to 30+ IP reputation enrichment dimensions. @@ -224,7 +224,7 @@ Add exclusive context to your alerts and automate incident response with up to 3 Enable proactive threat hunting with access to global intelligence from 190+ countries, often 7-60 days ahead of other vendors. -**Is it for me?** +**Is it for me?** Ideal if you have a threat hunting team that needs fresh, contextual intelligence for proactive security investigations. Good option if you want to correlate local events with global attack patterns and emerging threats. @@ -243,4 +243,4 @@ Good option if you want to correlate local events with global attack patterns an ## Useful Links - [CrowdSec Public Roadmap ↗️](https://roadmap.crowdsec.net/tabs/3-planned) -- [CrowdSec GitHub Repository ↗️](https://github.com/crowdsecurity/) +- [CrowdSecurity GitHub Repositories ↗️](https://github.com/crowdsecurity/) From 6568e2ee0f0283e3a1f07eacfe92923ed715d524 Mon Sep 17 00:00:00 2001 From: jdv Date: Thu, 21 Aug 2025 10:33:21 +0200 Subject: [PATCH 12/12] return carriage fix --- crowdsec-docs/unversioned/troubleshooting/usecases.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx index 505ac9e68..cb8e25866 100644 --- a/crowdsec-docs/unversioned/troubleshooting/usecases.mdx +++ b/crowdsec-docs/unversioned/troubleshooting/usecases.mdx 
@@ -17,6 +17,7 @@ New to CrowdSec? Start with our [installation guide](/u/getting_started/installa Pull up-to-date IP lists from CrowdSec **Blocklist as a Service** endpoints into your edge protection. **Is it for me?** + Ideal if you want direct integration into your firewalls. Good option if you are not using a Security Engine and want your CDN or WAF to benefit from CrowdSec's blocklists. @@ -44,6 +45,7 @@ Good option if you are not using a Security Engine and want your CDN or WAF to b Eliminate automated noise from unwanted probes, spam and malicious traffic to reduce server load and log volumes by up to 80%. **Is it for me?** + Ideal if you're experiencing high server load from automated traffic or want to reduce infrastructure costs. Good option if you need to optimize server performance and reduce log storage requirements. @@ -67,6 +69,7 @@ Good option if you need to optimize server performance and reduce log storage re Apply different security policies per customer, application, tier, [...] retrieving contextualized IP Lists. **Is it for me?** + Ideal if you're managing multiple customers, applications, or environments with different security requirements. Good option if you need granular policy control and want to avoid cross-tenant security policy interference. @@ -88,6 +91,7 @@ Good option if you need granular policy control and want to avoid cross-tenant s Add qualified IOCs from CrowdSec's real-time IP reputation. **Is it for me?** + Ideal if you want to complement your IOC insights with exclusive CrowdSec IP reputation data. Quickly choose among qualified malicious actors regrouped by industry, behaviors... 
@@ -113,6 +117,7 @@ Quickly choose among qualified malicious actors regrouped by industry, behaviors Control aggressive crawlers and scraping tools while preserving legitimate user access using graduated response strategies. **Is it for me?** + Ideal if you're dealing with aggressive bots or scrapers that impact your site performance. Good option if you want to prevent illegitimate AI crawlers from visiting your site. @@ -134,6 +139,7 @@ Good option if you want to prevent illegitimate AI crawlers from visiting your s Quickly protect web applications from the latest CVEs and generic vulnerability exploits using CrowdSec WAF. **Is it for me?** + Ideal if you want a modern OpenSource WAF solution. Benefit from CrowdSec's Virtual patching catalog while being able to use your existing ModSecurity rules as is. @@ -158,6 +164,7 @@ Benefit from CrowdSec's Virtual patching catalog while being able to use your ex Add modern security controls to legacy applications that cannot be modified directly using transparent proxy protection. **Is it for me?** + Ideal if you're running legacy applications that lack built-in security features. Good option if you need immediate protection without the risk of modifying critical legacy code. @@ -179,6 +186,7 @@ Good option if you need immediate protection without the risk of modifying criti Create targeted protections for specific abuse patterns like **spam**, **credential stuffing**, or **scalping attacks**, [...] using custom detection rules or scenarios. **Is it for me?** + Ideal if you're facing unique attack patterns not covered by standard security solutions. Good option if you need highly specific protection tailored to your application's business logic and user patterns. 
@@ -202,6 +210,7 @@ Good option if you need highly specific protection tailored to your application' Accelerate incident response with contextual threat intelligence and automated routing to reduce alert volume by up to 80%. **Is it for me?** + Ideal if your SOC team is overwhelmed with security alerts and needs better context for prioritization. Add exclusive context to your alerts and automate incident response with up to 30+ IP reputation enrichment dimensions. @@ -225,6 +234,7 @@ Add exclusive context to your alerts and automate incident response with up to 3 Enable proactive threat hunting with access to global intelligence from 190+ countries, often 7-60 days ahead of other vendors. **Is it for me?** + Ideal if you have a threat hunting team that needs fresh, contextual intelligence for proactive security investigations. Good option if you want to correlate local events with global attack patterns and emerging threats.
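Review bot: In PATCH 05, first hunk (`@@ -14,10 +12,6 @@`), only the `import FormattedTabs from '@site/src/components/formatted-tabs';` line is dropped; confirm there is no remaining `<FormattedTabs>` usage further down the MDX file, since a reference to a removed import fails the Docusaurus build rather than rendering a visible error. Removing the stray `TODO: use on key words to help the user understand` line from published docs is right.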
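Review bot: In PATCH 05, second hunk (`@@ -70,24 +64,22 @@`, "Multi-Tenant Protection"), the new intro ships a literal placeholder: `Apply different security policies per customer, application, tier, [...] retrieving contextualized IP Lists.` Finish the sentence before merge (for example "per customer, application or tier by retrieving contextualized IP lists"); the same `[...]` device appears again in PATCH 08 in the "Custom Behavior Protection" intro. Minor: `blocklist AND allowlists` reads as shouting; lowercase "and" with "blocklists and allowlists" matches the rest of the page.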
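Review bot: In PATCH 06 (`@@ -83,49 +83,48 @@`), the "Web Application Protection" references are replaced by a bare `- ...` placeholder; PATCH 07 fills the list in, so squash the two (or drop the placeholder here) so no intermediate commit publishes an empty section. Spelling in the new bullets: `accross` should be "across" and `to you needs` should be "to your needs"; these typos survive unchanged through PATCH 07. In the IOC-stream section, `regrouped by industry, behaviors...` reads as a French calque; "grouped by industry, behavior, ..." is the idiomatic form, and the new heading `## Looking for complementary IOC streams` is the only question-style heading on the page, so either add the question mark or rename it to a noun phrase like the other sections.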
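Review bot: In PATCH 07 (`@@ -107,47 +107,48 @@`), the in-page link `[Blocking at the edge section](#blocking-at-the-edge)` points at an anchor that does not exist: the target heading visible in the PATCH 05 context is `## Block Known-Bad IPs at the Edge`, whose generated slug is `#block-known-bad-ips-at-the-edge`. Fix the anchor (or the heading) before merge; PATCH 10 later prefixes this link with an arrow emoji but keeps the broken target. Also in this hunk: the "Bot and Scraper Management" intro still promises `graduated response strategies`, yet the rewritten steps only say retrieve a blocklist and block at the edge, so either restore a graduated step or drop the phrase; `Currated Botnet Actors` should be "Curated"; and link paths are inconsistent for the same concepts (`/appsec/intro` has neither the `/docs/next/` nor the `/u/` prefix used everywhere else, and `[Custom scenario creation](/docs/next/scenarios/create)` here differs from `/log_processor/scenarios/create` used for the same link text in PATCH 08).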
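Review bot: In PATCH 08, first hunk (`@@ -163,21 +163,19 @@`, "Legacy" section), the new step `Test protection rules out of band (simulation mode)` presents "out of band" and "simulation mode" as one and the same thing; name the single setting the reader is expected to enable so the step is actionable, and keep the wording consistent with the `Custom Behavior Protection` step in the next hunk, which says `using explain mode and simulation`. The replaced intro line in the same hunk introduces another unfinished `[...]` placeholder (`**scalping attacks**, [...] using custom detection rules or scenarios`).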
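Review bot: In PATCH 08, second hunk (`@@ -186,15 +184,15 @@`), `Eventually develop AppSec rules` changes the meaning of the step: in English "eventually" means "in the end", not "optionally" (the French "éventuellement"); use "Optionally develop" or "You can also develop". The reference list is otherwise a clear improvement, but `[Custom scenario creation](/log_processor/scenarios/create)` uses a different path than the identical link in the bot section (`/docs/next/scenarios/create`); pick one so both resolve.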
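Review bot: In PATCH 09, hunk `@@ -104,6 +104,7 @@`, the added line `- [Contact Us for custom requests ↗️](https://www.crowdsec.net/business-requests?interest=CTI%20subscription))` has a doubled closing parenthesis, which Markdown renders as a literal `)` after the link text; drop the extra one.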
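Review bot: In PATCH 09, hunk `@@ -202,20 +203,20 @@` ("Alert Enhancement and Triage"), two bullets are fused on one line: `- Consult CrowdSec CTI: per IP queries, advanced search on behavior, classifications or performed CVEs- Configure notification plugins to automatically enrich alerts with global threat intelligence context.` The second half is the old bullet this hunk was meant to remove, so the merged text both drops a line break and resurrects deleted content; split or delete it. In the same hunk `with out existing integrations` should read "with our existing integrations", and `performed CVEs` is unclear (exploited CVEs?). The "Is it for me?" block here also replaces the `Good option if ...` sentence with a marketing line (`Add exclusive context ... up to 30+ IP reputation enrichment dimensions`), breaking the "Ideal if / Good option if" pattern every other section follows.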
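Review bot: In PATCH 09, hunk `@@ -228,32 +229,18 @@`, `- Explore our CTI and CVE explorer` lacks the trailing period the neighbouring bullets have and reads awkwardly ("Explore ... explorer"); "Browse the CTI and CVE explorers." is clearer. The hunk also deletes the "Related Documentation" block with its links to `./security_engine`, `./remediation_components` and `./cti`; since PATCH 10 places this page in the Troubleshooting sidebar, those sibling links are the natural way back to the rest of the section, so consider carrying them into the new "Useful Links" list rather than dropping them.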
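Review bot: In PATCH 11 (every `-**Is it for me?**  ` / `+**Is it for me?**` hunk), the trailing two spaces being stripped are the Markdown hard line break, so after this commit the label and the following `Ideal if ...` sentence render as a single paragraph; PATCH 12 repairs that by inserting a blank line. Squash 11 and 12 (or keep only the blank-line form) so no intermediate commit renders the section broken.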
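Review bot: In PATCH 12 (all `**Is it for me?**` hunks), the added blank line is the right fix for the label, but the two sentences that follow (`Ideal if ...` and `Good option if ...`) still sit on consecutive lines; unless they keep trailing-space hard breaks, Markdown joins them into one run-on paragraph. Check those lines (whitespace is not visible in the diff) or separate them with blank lines as well, and fix the commit subject typo ("return carriage" should be "carriage return") if the series is rebased.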