From eb92cc323b7553da2dec0bed7ebf57c4ca584f14 Mon Sep 17 00:00:00 2001 From: mazzma12 Date: Tue, 22 Apr 2025 11:43:48 +0200 Subject: [PATCH 1/3] Add overview description for CTI classification table --- .../cti_api/taxonomy/classifications.mdx | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx b/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx index 629879f3e..194264188 100644 --- a/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx +++ b/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx 
@@ -23,7 +23,34 @@ export const exclude = ["scanner:"] -This classification page provides a taxonomy of IP addresses that exhibit potentially suspicious behaviors. These classifications are designed to help you identify and respond to various threat actors and malicious activities. +Classification of Threat Intelligence follows the format “cateogry:name”, where category is a broad type of of classification encapsulating different elements. +A summary of the main classification category is provided below, and you can use the search bar in the table to filter the classification you are looking for. + +## Hosts Malware +Hosts identified as hosting live payloads associated with known malware families. +Botnet +Hosts associated with known botnets, based on the exploited CVE(s) and the payload they spread (e.g. Mirai). +## Profile +A type of classification that relates to the exposed services on the machine. Examples: +`profile:insecure_services`: IP exposing dangerous services (e.g. Telnet, RDP, etc.) +`profile:fake_rdns`: IP reverse DNS doesn't resolve to the IP address + +## AI Crawler + +AI Company using crawlers to index the data used to train Large Language Models. Such companies are heavy consumers of the internet bandwidth and result in a large amount of traffic. The main companies categorized are Anthropic, OpenAI, Bitdance … They can be directly consumed inside a specialized blocklist available here +AI Search +AI Search engines that are used by users to search the internet. They are coming from an AI agent, and are not used directly to train the AI models compared to the AI crawlers category. But the results is the same in terms of traffic load, as they can be part of an automation workflow + +#### Notes: They can be directly consumed inside a specialized blocklist available here +## Device +## Proxy +Hosts identified as proxies based on the services they expose and/or their behaviour. 
+ +They can be directly consumed inside a specialized blocklist available here +## Cohorts [Experimental] +Cohorts are groups of machines seen attacking in a coordinated fashion. IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time. You can explore the IPs of a cluster using the CTI search query and the classifications.classifications.label field, such as classifications.classifications.label:"Attacker Group: vigilant silver pelican" +The names of the clusters are auto-generated and do not imply any form of attribution. +They are used by CTI teams to perform further investigation. Date: Tue, 22 Apr 2025 12:09:35 +0200 Subject: [PATCH 2/3] Formatting --- .../cti_api/taxonomy/classifications.mdx | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx b/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx index 194264188..8717bdc37 100644 --- a/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx +++ b/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx 
@@ -28,27 +28,32 @@ A summary of the main classification category is provided below, and you can use ## Hosts Malware Hosts identified as hosting live payloads associated with known malware families. -Botnet +## Botnet Hosts associated with known botnets, based on the exploited CVE(s) and the payload they spread (e.g. Mirai). ## Profile A type of classification that relates to the exposed services on the machine. Examples: -`profile:insecure_services`: IP exposing dangerous services (e.g. Telnet, RDP, etc.) -`profile:fake_rdns`: IP reverse DNS doesn't resolve to the IP address + +- `profile:insecure_services`: IP exposing dangerous services (e.g. Telnet, RDP, etc.) +- `profile:fake_rdns`: IP reverse DNS doesn't resolve to the IP address ## AI Crawler -AI Company using crawlers to index the data used to train Large Language Models. Such companies are heavy consumers of the internet bandwidth and result in a large amount of traffic. The main companies categorized are Anthropic, OpenAI, Bitdance … They can be directly consumed inside a specialized blocklist available here -AI Search +AI Company using crawlers to index the data used to train Large Language Models. Such companies (OpenAPI, ByteDance, Anthropic ... ) are heavy consumers of the internet bandwidth and result in a large amount of traffic. +They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) +## AI Search AI Search engines that are used by users to search the internet. They are coming from an AI agent, and are not used directly to train the AI models compared to the AI crawlers category. 
But the results is the same in terms of traffic load, as they can be part of an automation workflow -#### Notes: They can be directly consumed inside a specialized blocklist available here +#### Notes: They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) ## Device +The IP is associated with a device having known security weaknesses. + ## Proxy Hosts identified as proxies based on the services they expose and/or their behaviour. -They can be directly consumed inside a specialized blocklist available here +They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be) ## Cohorts [Experimental] -Cohorts are groups of machines seen attacking in a coordinated fashion. IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time. You can explore the IPs of a cluster using the CTI search query and the classifications.classifications.label field, such as classifications.classifications.label:"Attacker Group: vigilant silver pelican" +Cohorts are groups of machines seen attacking in a coordinated fashion. IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time. +You can explore the IPs of a cluster using the CTI search query and the `classifications.classifications.label` : [query example](https://app.crowdsec.net/cti?q=classifications.classifications.label%3A%22Attacker+Group%3A+Bold+Peachpuff+Euphonia%22&page=1). The names of the clusters are auto-generated and do not imply any form of attribution. They are used by CTI teams to perform further investigation. From 32cb8b4c3749743306f76cfe43ffba6907c9cd0a Mon Sep 17 00:00:00 2001 
From: mazzma12 Date: Tue, 22 Apr 2025 14:35:50 +0200 Subject: [PATCH 3/3] fixup --- .../unversioned/cti_api/taxonomy/classifications.mdx | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx b/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx index 8717bdc37..de658d0bb 100644 --- a/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx +++ b/crowdsec-docs/unversioned/cti_api/taxonomy/classifications.mdx @@ -23,7 +23,7 @@ export const exclude = ["scanner:"] -Classification of Threat Intelligence follows the format “cateogry:name”, where category is a broad type of of classification encapsulating different elements. +Classification of Threat Intelligence follows the format “cateogry:name”, where category is a broad type of classification encapsulating different elements. A summary of the main classification category is provided below, and you can use the search bar in the table to filter the classification you are looking for. ## Hosts Malware 
@@ -39,18 +39,16 @@ A type of classification that relates to the exposed services on the machine. Ex ## AI Crawler AI Company using crawlers to index the data used to train Large Language Models. Such companies (OpenAPI, ByteDance, Anthropic ... ) are heavy consumers of the internet bandwidth and result in a large amount of traffic. -They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) +They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0). ## AI Search AI Search engines that are used by users to search the internet. They are coming from an AI agent, and are not used directly to train the AI models compared to the AI crawlers category. But the results is the same in terms of traffic load, as they can be part of an automation workflow +IPs can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0). -#### Notes: They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0) ## Device The IP is associated with a device having known security weaknesses. ## Proxy -Hosts identified as proxies based on the services they expose and/or their behaviour. - -They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be) +Hosts identified as proxies based on the services they expose and/or their behaviour. IPs be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be) ## Cohorts [Experimental] Cohorts are groups of machines seen attacking in a coordinated fashion. 
IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time. You can explore the IPs of a cluster using the CTI search query and the `classifications.classifications.label` : [query example](https://app.crowdsec.net/cti?q=classifications.classifications.label%3A%22Attacker+Group%3A+Bold+Peachpuff+Euphonia%22&page=1).
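Review bot: In the `@@ -23,7 +23,34 @@` hunk of PATCH 1/3, the added `Botnet` line sits as bare text between `## Hosts Malware` and `## Profile`, so it renders as a trailing sentence of the Hosts Malware paragraph instead of its own section; it should be `## Botnet` like its siblings. In the same hunk, the introductory line has two typos (`“cateogry:name”` and `type of of classification`), `Bitdance` should be `ByteDance` (it is named as an AI company next to Anthropic and OpenAI), the three `available here` sentences carry no link target, `#### Notes:` puts the note body inside a heading, and `## Device` is added with no description at all. Several of these are addressed in the follow-up patches, but the `cateogry` typo and the empty-heading pattern survive into the final version.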
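Review bot: In the `@@ -28,27 +28,32 @@` hunk of PATCH 2/3, the rewritten AI Crawler line changes `OpenAI` to `OpenAPI`; OpenAPI is an API specification, not an AI company, so this reads as a typo introduced by the reformat and should go back to `OpenAI`. The same hunk keeps the blocklist pointer for AI Search as `#### Notes: They can be directly consumed ...`, which makes a heading out of a sentence; a plain sentence under `## AI Search` (as done for AI Crawler in this hunk) is the consistent form. The sentence `But the results is the same in terms of traffic load, as they can be part of an automation workflow` still has the subject/verb disagreement (`results are`) and no terminal period.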
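Review bot: In the `@@ -23,7 +23,7 @@` hunk of PATCH 3/3, the line is rewritten to drop the duplicated `of of` but the `“cateogry:name”` typo on the same line is left in place; since the line is being touched anyway, make it `“category:name”`, and consider `A summary of the main classification categories is provided below` on the following context line, which describes several categories.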
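Review bot: In the `@@ -39,18 +39,16 @@` hunk of PATCH 3/3, the merged Proxy line reads `IPs be directly consumed inside a specialized blocklist available [here](...)`, which is missing `can` and, unlike the AI Crawler and AI Search sentences fixed in this same hunk, has no terminal period; suggest `IPs can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be).` Also worth confirming: the new AI Search sentence links to blocklist `67b3524151bbde7a12b60be0`, the same id as the AI Crawler section, so either one list covers both categories (then say so once) or the AI Search link is a copy-paste of the crawler one.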