Investigating an IP Address
CrowdSec’s Cyber Threat Intelligence (CTI) platform provides detailed insights into IP addresses, enabling you to assess their risk levels, threat types, and historical activities.
IP Title and Status
The title section prominently displays the IP address and its status, indicating its current classification:
- Malicious: The IP has been verified as actively malicious. Immediate remediation is recommended.
- Suspicious: This IP has been flagged in many reports and is a potential threat. Further investigation and use of CAPTCHA is recommended.
- Known: This IP has been flagged in some reports but we don't have sufficient information yet to conclusively determine the threat level.
- Benign: This IP has been flagged as benign and poses no threat.
- Safe: This IP belongs to a legitimate service. Activity is not malicious.
- Unknown: This IP is either unknown or has not been reported in the past three months.
Key Information
This section summarizes essential metadata about the IP, including:
- Confidence Level: CrowdSec’s trust level in the data associated with this IP, helping users gauge reliability.
- First Seen: The earliest recorded interaction of the IP.
- Last Seen: The most recent observation of its activity.
- Country: The geographical location of the IP.
- Known For: A brief description of the IP’s activities. A breakdown of why the IP is flagged, such as:
- Brute Force Attacks
- Credential Stuffing
- Port Scanning
- Other Known Threat Patterns
- MITRE Techniques Links or references to specific MITRE ATT&CK techniques that align with the IP’s behavior.
- Background Noise: A measure of how much "noise" the IP generates on the internet:
- High Background Noise: Often linked to scanning activities, targeting multiple systems indiscriminately.
- Low Background Noise: Indicates focused attacks on specific targets, suggesting a more strategic approach or a newer threat actor.
Majority Report
This section provides insights from CrowdSec’s Quarterly Report, offering a broader context of cybersecurity trends and observations relevant to all known IPs
You can find the full report here.
IP Range, AS, and Reverse DNS
This section offers additional related details:
IP Range
Shows if the IP range associated with this IP has been flagged as aggressive.
Autonomous System (AS)
Displays the internet service provider or network operator linked to the IP.
Reverse DNS
The reverse DNS record, if available, providing additional clues about the IP’s origin or intent.
IP Classification
CrowdSec’s detailed categorization of the IP based on its observed behavior. This classification aligns with CrowdSec’s internal standards and criteria.
Activity Timeline
A summary of the IP’s recent activity, showing its aggressiveness over time:
- Activity in the last 24 hours
- Activity in the last 7 days
- Activity in the last month
- Activity in the last 3 months
Blocklists
Indicates the blocklists where the IP is currently listed. These are provided by CrowdSec to community for preemptive blocking.
It allows to:
- View whether the IP is on free or premium blocklists.
- Click through to explore the relevant blocklists.
Browse the full CrowdSec blocklists catalog here. And subscribe to it to enhance your security.
Detailed Classifications
A deeper dive into the IP’s classification, providing Name of the Classification and Description:
Targeted Countries
Displays the list of countries most affected by this IP, helping users understand its geographical focus.
Attack Details
Breaks down specific types of attacks linked to the IP, such as:
- Aggressive Crawling
- Bad User Agents
- HTTP Probing
- Admin Interface Probing
- Nginx Request Limit Exceeded
- Other known attack behaviors as detailed in CrowdSec’s Hub.
Feedbacks
CrowdSec invites community to participate in improving threat intelligence by:
- Telling CrowdSec if you own the IP.
- Reporting the IP as a false positive if deemed safe.
- Confirming the IP as a bad actor if malicious behavior is verified.
Security Engine Reports
Only available when logged in via the CrowdSec console. You can login to the CrowdSec console here.
This section provides a detailed Security Engine Report for the IP, showing how it interacted with the your security stack:
- Allows organization's users to add comments to the report, share insights, or annotate findings.
- Shared comments are visible across all members of the user’s organization, fostering collaboration.
Conclusion
The CrowdSec IP Detail Report Page serves as a centralized hub for analyzing and understanding IP behaviors. By presenting detailed insights, real-time activity, and community-driven intelligence, CrowdSec empowers users to make informed decisions about their cybersecurity defenses.
Start the investigation of your first IP here.