CrowdSec provides real-time, crowdsourced IP reputation intelligence that allows cyber security teams to obtain data on intrusion attempts, origins, and trends. The CrowdSec CTI API provides frictionless access to accurate cyber threat intelligence, enabling you to perform threat research on your log files in Gigasheet. The smoke dataset reflects most of the IPs reported by CrowdSec users.
Provider Website: https://www.crowdsec.net/
Provider Enrichment Docs: https://crowdsecurity.github.io/cti-api/#/default/get_smoke
Endpoint: https://cti.api.crowdsec.net/v2/smoke/185.7.214.104
Token / Registration Required: Yes
How To Enrich A Spreadsheet With CrowdSec CTI API:
For this example, my data contains a list of the Top 10 of the most aggressive IPs detected by the CrowdSec community during the last 24 hours. These IPs are listed within the CrowdSec console, and are updated in real time.
Step 1. In Gigasheet, head to the Enrichments function and select Custom Enrichment. First we paste in the HTTP request from the CrowdSec CTI API.
Step 2. On the next screen we’ll insert the column variable from our Gigasheet sheet for the prompt. In this case, we highlight the IP Address, “185.7.214.104”, in the input, and then select our IP Address column and click +Insert Column Reference. We also need to highlight the “YOUR_API_KEY” and paste our real key from CrowdSec. Then click Next.
Step 3. In this screen we see a preview of the results. Gigasheet makes requests for the first three rows and shows the CrowdSec API response. At this point select the fields you want to be inserted into your sheet. We recommend hitting Select All since you can easily delete columns in Gigasheet.
Step 4. Finally, confirm the number of requests is to your liking, and when ready click Run to kick off the custom enrichment process. It’s ok to leave or close the sheet; the custom enrichment will keep running and you’ll receive an email once the job has been completed. You can monitor the progress of your enrichment, or cancel the job at the top of the sheet.
Step 5. Once completed, new columns will be inserted into your sheet based on the CrowdSec CTI API. The IP Addresses have been enriched with information from CrowdSec’s smoke dataset, reflecting the IPs reported by CrowdSec users.
Here is a sample of the Threat Intelligence provided by CrowdSec for the malicious IP Addresses.
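The same per-row enrichment, scripted as an added example (not Gigasheet's or CrowdSec's own code): each cell is validated as a public IP before it is substituted into the endpoint URL, the key is sent in the `x-api-key` header, and the JSON response is flattened into one column per field. The dotted column naming, the `input` column and the field names in the constructed sample response are assumptions for illustration.

```python
import ipaddress
import json
import urllib.request

SMOKE_URL = "https://cti.api.crowdsec.net/v2/smoke/{ip}"  # endpoint from this page

def build_request(cell, api_key):
    """Build the per-row request, or return None if the cell is not a public IP."""
    try:
        ip = ipaddress.ip_address(cell.strip())
    except ValueError:
        return None  # malformed cell: never interpolate it into the URL
    if not ip.is_global:
        return None  # private or reserved address: nothing to look up
    req = urllib.request.Request(SMOKE_URL.format(ip=ip))
    req.add_header("x-api-key", api_key)  # CrowdSec CTI key travels in this header
    return req

def flatten(obj, prefix=""):
    """Flatten nested JSON into {column_name: value}, one column per leaf value."""
    cols = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            cols.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            cols.update(flatten(value, f"{prefix}{i}."))
    else:
        cols[prefix.rstrip(".")] = obj
    return cols

def fetch(req):
    """Live API call; the offline demo below passes a stub instead."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def enrich(cells, api_key, fetch=fetch):
    """Return one dict per input cell; rejected cells get no enrichment columns."""
    rows = []
    for cell in cells:
        req = build_request(cell, api_key)
        rows.append({"input": cell, **(flatten(fetch(req)) if req else {})})
    return rows

# Constructed sample response; field names are illustrative assumptions.
SAMPLE = {"ip": "185.7.214.104", "reputation": "malicious",
          "behaviors": [{"name": "http:scan"}], "scores": {"overall": {"total": 5}}}

if __name__ == "__main__":
    cells = ["185.7.214.104", "10.0.0.5", "not-an-ip"]
    for row in enrich(cells, "YOUR_API_KEY", fetch=lambda req: SAMPLE):
        print(row)
```

For a live run, drop the `fetch` stub and read the key from an environment variable rather than writing it into the script.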