Skip to main content

Investigating an IP Address

CrowdSec’s Cyber Threat Intelligence (CTI) platform provides detailed insights into IP addresses, enabling you to assess their risk levels, threat types, and historical activities.

CTI Report

IP Title and Status

The title section prominently displays the IP address and its status, indicating its current classification:

CTI Report Title

  • Malicious: The IP has been verified as actively malicious. Immediate remediation is recommended.
  • Suspicious: This IP has been flagged in many reports and is a potential threat. Further investigation and use of CAPTCHA is recommended.
  • Known: This IP has been flagged in some reports but we don't have sufficient information yet to conclusively determine the threat level.
  • Benign: This IP has been flagged as benign and poses no threat.
  • Safe: This IP belongs to a legitimate service. Activity is not malicious.
  • Unknown: This IP is either unknown or has not been reported in the past three months.

Key Information

This section summarizes essential metadata about the IP, including:

CTI Report Key information

  • Confidence Level: CrowdSec’s trust level in the data associated with this IP, helping users gauge reliability.
  • First Seen: The earliest recorded interaction of the IP.
  • Last Seen: The most recent observation of its activity.
  • Country: The geographical location of the IP.
  • Known For: A brief description of the IP’s activities. A breakdown of why the IP is flagged, such as:
    • Brute Force Attacks
    • Credential Stuffing
    • Port Scanning
    • Other Known Threat Patterns
  • MITRE Techniques Links or references to specific MITRE ATT&CK techniques that align with the IP’s behavior.
  • Background Noise: A measure of how much "noise" the IP generates on the internet:
    • High Background Noise: Often linked to scanning activities, targeting multiple systems indiscriminately.
    • Low Background Noise: Indicates focused attacks on specific targets, suggesting a more strategic approach or a newer threat actor.

Majority Report

This section provides insights from CrowdSec’s Quarterly Report, offering a broader context of cybersecurity trends and observations relevant to all known IPs

CTI Report majority report

You can find the full report here.

IP Range, AS, and Reverse DNS

This section offers additional related details:

CTI Report More key infos

IP Range

Shows if the IP range associated with this IP has been flagged as aggressive.

Autonomous System (AS)

Displays the internet service provider or network operator linked to the IP.

Reverse DNS

The reverse DNS record, if available, providing additional clues about the IP’s origin or intent.

IP Classification

CrowdSec’s detailed categorization of the IP based on its observed behavior. This classification aligns with CrowdSec’s internal standards and criteria.

Activity Timeline

A summary of the IP’s recent activity, showing its aggressiveness over time:

CTI Report activity timeline

  • Activity in the last 24 hours
  • Activity in the last 7 days
  • Activity in the last month
  • Activity in the last 3 months

Blocklists

Indicates the blocklists where the IP is currently listed. These are provided by CrowdSec to community for preemptive blocking.

CTI Report blocklists

It allows to:

  • View whether the IP is on free or premium blocklists.
  • Click through to explore the relevant blocklists.

Browse the full CrowdSec blocklists catalog here. And subscribe to it to enhance your security.

Detailed Classifications

A deeper dive into the IP’s classification, providing Name of the Classification and Description:

CTI Report detailed classifications

Targeted Countries

Displays the list of countries most affected by this IP, helping users understand its geographical focus.

CTI Report top target countries

Attack Details

Breaks down specific types of attacks linked to the IP, such as:

CTI Report attack details

  • Aggressive Crawling
  • Bad User Agents
  • HTTP Probing
  • Admin Interface Probing
  • Nginx Request Limit Exceeded
  • Other known attack behaviors as detailed in CrowdSec’s Hub.

Feedbacks

CrowdSec invites community to participate in improving threat intelligence by:

CTI Report share opinion

  • Telling CrowdSec if you own the IP.
  • Reporting the IP as a false positive if deemed safe.
  • Confirming the IP as a bad actor if malicious behavior is verified.

Security Engine Reports

Only available when logged in via the CrowdSec console. You can login to the CrowdSec console here.

This section provides a detailed Security Engine Report for the IP, showing how it interacted with the your security stack:

CTI Report security engines report

  • Allows organization's users to add comments to the report, share insights, or annotate findings.
  • Shared comments are visible across all members of the user’s organization, fostering collaboration.

Conclusion

The CrowdSec IP Detail Report Page serves as a centralized hub for analyzing and understanding IP behaviors. By presenting detailed insights, real-time activity, and community-driven intelligence, CrowdSec empowers users to make informed decisions about their cybersecurity defenses.

Start the investigation of your first IP here.