diff --git a/crowdsec-docs/static/img/console/notification_integrations/admin.png b/crowdsec-docs/static/img/console/notification_integrations/admin.png
new file mode 100644
index 000000000..91b27eed3
Binary files /dev/null and b/crowdsec-docs/static/img/console/notification_integrations/admin.png differ
diff --git a/crowdsec-docs/static/img/console/notification_integrations/stack.png b/crowdsec-docs/static/img/console/notification_integrations/stack.png
new file mode 100644
index 000000000..4f0bb8277
Binary files /dev/null and b/crowdsec-docs/static/img/console/notification_integrations/stack.png differ
diff --git a/crowdsec-docs/static/img/console/notification_integrations/threat-hunting.png b/crowdsec-docs/static/img/console/notification_integrations/threat-hunting.png
new file mode 100644
index 000000000..2f4aaf230
Binary files /dev/null and b/crowdsec-docs/static/img/console/notification_integrations/threat-hunting.png differ
diff --git a/crowdsec-docs/unversioned/console/notification_integrations/webhook.mdx b/crowdsec-docs/unversioned/console/notification_integrations/webhook.mdx
index d4db089c3..1be1004bd 100644
--- a/crowdsec-docs/unversioned/console/notification_integrations/webhook.mdx
+++ b/crowdsec-docs/unversioned/console/notification_integrations/webhook.mdx
@@ -6,7 +6,7 @@ title: Webhook
## Install the webhook integration
-Installing the webhook integration allow you to configure any webhook URL when configuring your notification rule.
+Installing the webhook integration allows you to configure any webhook URL when configuring your notification rule.
1. In the [CrowdSec Console](https://app.crowdsec.net), navigate to **Settings > Integrations** and then select **Activate** in the Webhook row.
@@ -27,45 +27,67 @@ Installing the webhook integration allow you to configure any webhook URL when c
### Authentication
-For the authentication part, the webhook integration support the following methods:
+For the authentication part, the webhook integration supports the following methods:
- - `HTTP Header name` / `HTTP Header value` : You can provide a specific header name with a specific header value for the webhook integration to authenticate against your webhook URL
- - [`Basic auth`](https://en.wikipedia.org/wiki/Basic_access_authentication) : You can use [`basic auth`](https://en.wikipedia.org/wiki/Basic_access_authentication) (user/password) for the webhook integration to authenticate against your webhook URL
+#### Bearer (HTTP Header)
+You can provide a specific header name with a specific header value for the webhook integration to authenticate against your webhook URL.
-### Configuration
+Typically we would expect users to use [`Authorization`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Authorization) header using the [`Bearer`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Authentication#bearer) scheme.
-:::warning
+However, you can send any header and any value.
+
+#### Basic Authentication
+
+You can use [`basic auth`](https://en.wikipedia.org/wiki/Basic_access_authentication) (user/password) for the webhook integration to authenticate against your webhook URL
-You can’t ping the webhook URL while in edit mode.
+### Configuration
+:::warning
+Ping testing is only available during initial creation of the webhook once saved this option is no longer available to prevent abuse.
:::
You can configure your custom Webhook URL and authentication by adding a new destination in your notification rule:
:::info
-
-If the HTTPs endpoint certificate is not valid, you can choose to disable SSL verification.
-
+If you are using a self-signed certificate or a non-trusted root certificate authority, you can disable SSL verification otherwise known as TLS verification.
:::
:::info
-
-The webhook integration is doing POST request to the destination endpoint.
-
+All requests sent to your URL are `POST` requests
:::

-
### Retry
If a notification fails to be sent through the webhook integration, the system will automatically retry sending it. It will try up to 5 times, with a longer wait between each attempt.
+#### Retry Scenarios
+
+The webhook integration will retry in the following scenarios:
+
+- Non-200 HTTP status codes returned from the webhook endpoint
+- Network connectivity issues:
+ - DNS resolution failures
+ - Connection timeouts (30 seconds to receive a response)
+ - Connection refused errors
+ - TLS/SSL handshake failures (Disable SSL verification if self-signed or non-trusted root CA)
+- Webhook endpoint is temporarily unavailable
+
+## Events Category
+
+### Threat Hunting
+
+
-## Events
+:::info
+Only one option may be checked under this category
+:::
-### `security_engine_long_pending_enroll`
+#### `Is Attacked`
+
+Your organization is under attack, known as the `am I under attack` feature [documentation](console/security_engines/am_i_under_attack.md)
```json
{
@@ -77,10 +99,34 @@ If a notification fails to be sent through the webhook integration, the system w
"event_id": "c6d468d4f1084ebca84165c33f97fbc4",
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
- "id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
- "version": "v1.6.3-rc4",
- "os" : {"name" : "ubuntu", "version": "22.04"},
- "event_type": "security_engine_long_pending_enroll"
+ "event_type": "am_i_under_attack",
+ "start_date": "2025-05-26T12:00:00Z",
+ "end_date": "2025-05-26T14:00:00Z",
+ "segments_with_anomaly": [
+ "2025-05-26T12:15:00Z",
+ "2025-05-26T12:45:00Z",
+ "2025-05-26T13:30:00Z"
+ ],
+ "total_signals": 42,
+ "report_data": {
+ "is_attack_detected": true,
+ "unique_detections": 5,
+ "total_detections": 23,
+ "attack_length": 7200,
+ "first_detection_date": "2025-05-26T12:10:00Z",
+ "last_detection_date": "2025-05-26T13:55:00Z",
+ "increased_percentage": 67.5
+ },
+ "watchers": [
+ {
+ "watcher_uuid": "abc123-watcher-uuid-001",
+ "total_signals": 20
+ },
+ {
+ "watcher_uuid": "def456-watcher-uuid-002",
+ "total_signals": 22
+ }
+ ]
}
}
```
@@ -89,22 +135,78 @@ If a notification fails to be sent through the webhook integration, the system w
```json
{
"$defs": {
- "OperatingSystem": {
+ "AIUAAnomalyReport": {
+ "description": "Key stats about the anomaly detection results.",
"properties": {
- "name": {
- "title": "Name",
+ "is_attack_detected": {
+ "description": "An attack has been detected",
+ "title": "Is Attack Detected",
+ "type": "boolean"
+ },
+ "unique_detections": {
+ "description": "The number of unique detections",
+ "title": "Unique Detections",
+ "type": "integer"
+ },
+ "total_detections": {
+ "description": "The total number of detections",
+ "title": "Total Detections",
+ "type": "integer"
+ },
+ "attack_length": {
+ "description": "The length of the attack",
+ "title": "Attack Length",
+ "type": "integer"
+ },
+ "first_detection_date": {
+ "description": "The first detection date",
+ "format": "date-time",
+ "title": "First Detection Date",
"type": "string"
},
- "version": {
- "title": "Version",
+ "last_detection_date": {
+ "description": "The last detection date",
+ "format": "date-time",
+ "title": "Last Detection Date",
"type": "string"
+ },
+ "increased_percentage": {
+ "description": "The increased percentage",
+ "title": "Increased Percentage",
+ "type": "number"
}
},
"required": [
- "name",
- "version"
+ "is_attack_detected",
+ "unique_detections",
+ "total_detections",
+ "attack_length",
+ "first_detection_date",
+ "last_detection_date",
+ "increased_percentage"
],
- "title": "OperatingSystem",
+ "title": "AIUAAnomalyReport",
+ "type": "object"
+ },
+ "AIUAWatcherReport": {
+ "description": "Key stats about the anomaly detection results.",
+ "properties": {
+ "watcher_uuid": {
+ "description": "The watcher UUID",
+ "title": "Watcher Uuid",
+ "type": "string"
+ },
+ "total_signals": {
+ "description": "The total number of signals",
+ "title": "Total Signals",
+ "type": "integer"
+ }
+ },
+ "required": [
+ "watcher_uuid",
+ "total_signals"
+ ],
+ "title": "AIUAWatcherReport",
"type": "object"
}
},
@@ -154,62 +256,75 @@ If a notification fails to be sent through the webhook integration, the system w
"title": "Event Timestamp",
"type": "string"
},
- "id": {
- "description": "ID of the security engine",
- "examples": [
- "12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
- ],
- "title": "Id",
+ "event_type": {
+ "const": "am_i_under_attack",
+ "default": "am_i_under_attack",
+ "title": "Event Type",
"type": "string"
},
- "version": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
- ],
- "default": null,
- "description": "Version of the security engine",
- "examples": [
- "v1.6.3-rc4"
- ],
- "title": "Version"
+ "start_date": {
+ "description": "The attack start date",
+ "format": "date-time",
+ "title": "Start Date",
+ "type": "string"
},
- "os": {
+ "end_date": {
+ "description": "The attack end date",
+ "format": "date-time",
+ "title": "End Date",
+ "type": "string"
+ },
+ "segments_with_anomaly": {
+ "default": [],
+ "description": "List of detection timestamps",
+ "items": {
+ "format": "date-time",
+ "type": "string"
+ },
+ "title": "Segments With Anomaly",
+ "type": "array"
+ },
+ "total_signals": {
+ "default": 0,
+ "description": "The total number of signals",
+ "title": "Total Signals",
+ "type": "integer"
+ },
+ "report_data": {
"anyOf": [
{
- "$ref": "#/$defs/OperatingSystem"
+ "$ref": "#/$defs/AIUAAnomalyReport"
},
{
"type": "null"
}
],
"default": null,
- "description": "Operating System of the security engine",
- "examples": [
- "Linux"
- ]
+ "description": "Anomaly report data"
},
- "event_type": {
- "const": "security_engine_long_pending_enroll",
- "default": "security_engine_long_pending_enroll",
- "title": "Event Type",
- "type": "string"
+ "watchers": {
+ "default": [],
+ "description": "Watcher reports",
+ "items": {
+ "$ref": "#/$defs/AIUAWatcherReport"
+ },
+ "title": "Watchers",
+ "type": "array"
}
},
"required": [
"event_id",
"organization_id",
"event_timestamp",
- "id",
- "version",
- "os",
- "event_type"
+ "event_type",
+ "start_date",
+ "end_date",
+ "segments_with_anomaly",
+ "total_signals",
+ "report_data",
+ "watchers"
],
- "title": "LongPendingEnroll",
+ "title": "AmIUnderAttack",
"type": "object"
}
},
@@ -221,7 +336,9 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `security_engine_enrolled`
+#### `Alert Triggered`
+
+Your enrolled engines have detected malicious activity and the payload of the webhook contains information surrounding the alert.
```json
{
@@ -233,10 +350,42 @@ If a notification fails to be sent through the webhook integration, the system w
"event_id": "c6d468d4f1084ebca84165c33f97fbc4",
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
- "id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
- "version": "v1.6.3-rc4",
- "os" : {"name" : "ubuntu", "version": "22.04"},
- "event_type": "security_engine_enrolled"
+ "event_type": "alert_triggered",
+ "uuid": "alert-uuid-1234",
+ "message": "Suspicious SSH behavior detected",
+ "scenario": "ssh-brute-force",
+ "behaviors": [
+ {
+ "name": "Brute Force",
+ "description": "Multiple failed SSH login attempts detected in short time",
+ "label": "SSH Brute Force"
+ },
+ {
+ "name": "Port Scan",
+ "description": "Scanning activity detected on multiple ports",
+ "label": "Scan"
+ }
+ ],
+ "start_at": "2025-05-26T18:00:00Z",
+ "stop_at": "2025-05-26T18:10:00Z",
+ "target": {
+ "ip": "192.168.1.10",
+ "id": "machine-01",
+ "name": "internal-server-01"
+ },
+ "source": {
+ "scope": "ip",
+ "value": "203.0.113.25",
+ "as_name": "ExampleISP",
+ "as_number": 64512,
+ "country": "US",
+ "city": "San Francisco",
+ "latitude": 37.7749,
+ "longitude": -122.4194,
+ "rdns": "25.113.0.203.example.com"
+ },
+ "is_manual_decision": false,
+ "scenario_confidence": 85
}
}
```
@@ -245,80 +394,104 @@ If a notification fails to be sent through the webhook integration, the system w
```json
{
"$defs": {
- "OperatingSystem": {
+ "AlertBehavior": {
"properties": {
"name": {
+ "description": "The attack behavior name",
"title": "Name",
"type": "string"
},
- "version": {
- "title": "Version",
+ "description": {
+ "description": "The attack behavior description",
+ "title": "Description",
+ "type": "string"
+ },
+ "label": {
+ "description": "The attack behavior label",
+ "title": "Label",
"type": "string"
}
},
"required": [
"name",
- "version"
+ "description",
+ "label"
],
- "title": "OperatingSystem",
+ "title": "AlertBehavior",
"type": "object"
- }
- },
- "type": "object",
- "properties": {
- "metadata": {
- "type": "object",
+ },
+ "AlertTarget": {
"properties": {
- "version": {
- "type": "integer",
- "const": 1
+ "ip": {
+ "description": "The IP targeted by the attack",
+ "title": "Ip",
+ "type": "string"
},
- "issuer": {
- "type": "string",
- "const": "crowdsec.net"
+ "id": {
+ "description": "The id of the machine targeted by the attack",
+ "title": "Id",
+ "type": "string"
+ },
+ "name": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ],
+ "default": null,
+ "description": "The name of the machine targeted by the attack",
+ "title": "Name"
}
},
"required": [
- "version",
- "issuer"
- ]
+ "ip",
+ "id"
+ ],
+ "title": "AlertTarget",
+ "type": "object"
},
- "details": {
+ "AlertSource": {
"properties": {
- "event_id": {
- "description": "ID of the source event",
- "examples": [
- "c6d468d4f1084ebca84165c33f97fbc4"
- ],
- "title": "Event Id",
+ "scope": {
+ "description": "The scope of the value",
+ "title": "Scope",
"type": "string"
},
- "organization_id": {
- "description": "Organization ID of the source event",
- "examples": [
- "12345678-1234-1234-1234-123456789012"
- ],
- "title": "Organization Id",
+ "value": {
+ "description": "The value of the source",
+ "title": "Value",
"type": "string"
},
- "event_timestamp": {
- "description": "Timestamp of the source event",
- "examples": [
- "2021-07-29T12:00:00+00:00"
+ "as_name": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
],
- "format": "date-time",
- "title": "Event Timestamp",
- "type": "string"
+ "default": null,
+ "description": "The AS name of the source",
+ "title": "As Name"
},
- "id": {
- "description": "ID of the security engine",
- "examples": [
- "12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
+ "as_number": {
+ "anyOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "type": "null"
+ }
],
- "title": "Id",
- "type": "string"
+ "default": null,
+ "description": "The AS number of the source",
+ "title": "As Number"
},
- "version": {
+ "country": {
"anyOf": [
{
"type": "string"
@@ -328,95 +501,67 @@ If a notification fails to be sent through the webhook integration, the system w
}
],
"default": null,
- "description": "Version of the security engine",
- "examples": [
- "v1.6.3-rc4"
+ "description": "The country of the source",
+ "title": "Country"
+ },
+ "city": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
],
- "title": "Version"
+ "default": null,
+ "description": "The city of the source",
+ "title": "City"
},
- "os": {
+ "latitude": {
"anyOf": [
{
- "$ref": "#/$defs/OperatingSystem"
+ "type": "number"
},
{
"type": "null"
}
],
"default": null,
- "description": "Operating System of the security engine",
- "examples": [
- "Linux"
- ]
+ "description": "The latitude of the source",
+ "title": "Latitude"
},
- "event_type": {
- "const": "security_engine_enrolled",
- "default": "security_engine_enrolled",
- "title": "Event Type",
- "type": "string"
- }
- },
- "required": [
- "event_id",
- "organization_id",
- "event_timestamp",
- "id",
- "version",
- "os",
- "event_type"
- ],
- "title": "SecurityEngineEnrolled",
- "type": "object"
- }
- },
- "required": [
- "metadata",
- "details"
- ]
-}
-```
-
-
-### `security_engine_unenrolled`
-
-```json
-{
- "metadata": {
- "version": 1,
- "issuer": "crowdsec.net"
- },
- "details": {
- "event_id": "c6d468d4f1084ebca84165c33f97fbc4",
- "organization_id": "12345678-1234-1234-1234-123456789012",
- "event_timestamp": "2021-07-29T12:00:00+00:00",
- "id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
- "version": "v1.6.3-rc4",
- "os" : {"name" : "ubuntu", "version": "22.04"},
- "event_type": "security_engine_unenrolled"
- }
-}
-```
-
-JSON Schema
-```json
-{
- "$defs": {
- "OperatingSystem": {
- "properties": {
- "name": {
- "title": "Name",
- "type": "string"
+ "longitude": {
+ "anyOf": [
+ {
+ "type": "number"
+ },
+ {
+ "type": "null"
+ }
+ ],
+ "default": null,
+ "description": "The longitude of the source",
+ "title": "Longitude"
},
- "version": {
- "title": "Version",
- "type": "string"
+ "rdns": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ],
+ "default": null,
+ "description": "The rDNS of the source",
+ "title": "Rdns"
}
},
"required": [
- "name",
- "version"
+ "scope",
+ "value"
],
- "title": "OperatingSystem",
+ "title": "AlertSource",
"type": "object"
}
},
@@ -466,15 +611,13 @@ If a notification fails to be sent through the webhook integration, the system w
"title": "Event Timestamp",
"type": "string"
},
- "id": {
- "description": "ID of the security engine",
- "examples": [
- "12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
- ],
- "title": "Id",
+ "event_type": {
+ "const": "alert_triggered",
+ "default": "alert_triggered",
+ "title": "Event Type",
"type": "string"
},
- "version": {
+ "uuid": {
"anyOf": [
{
"type": "string"
@@ -484,44 +627,86 @@ If a notification fails to be sent through the webhook integration, the system w
}
],
"default": null,
- "description": "Version of the security engine",
- "examples": [
- "v1.6.3-rc4"
- ],
- "title": "Version"
+ "description": "The alert UUID",
+ "title": "Uuid"
},
- "os": {
+ "message": {
"anyOf": [
{
- "$ref": "#/$defs/OperatingSystem"
+ "type": "string"
},
{
"type": "null"
}
],
"default": null,
- "description": "Operating System of the security engine",
- "examples": [
- "Linux"
- ]
+ "description": "The alert message",
+ "title": "Message"
},
- "event_type": {
- "const": "security_engine_unenrolled",
- "default": "security_engine_unenrolled",
- "title": "Event Type",
+ "scenario": {
+ "description": "The attack scenario",
+ "title": "Scenario",
+ "type": "string"
+ },
+ "behaviors": {
+ "default": [],
+ "description": "The attack behaviors",
+ "items": {
+ "$ref": "#/$defs/AlertBehavior"
+ },
+ "title": "Behaviors",
+ "type": "array"
+ },
+ "start_at": {
+ "description": "The attack start time",
+ "format": "date-time",
+ "title": "Start At",
+ "type": "string"
+ },
+ "stop_at": {
+ "description": "The attack stop time",
+ "format": "date-time",
+ "title": "Stop At",
"type": "string"
+ },
+ "target": {
+ "$ref": "#/$defs/AlertTarget",
+ "description": "The target of the attack"
+ },
+ "source": {
+ "$ref": "#/$defs/AlertSource",
+ "description": "The source of the attack"
+ },
+ "is_manual_decision": {
+ "default": false,
+ "description": "Whether the decision was created manually",
+ "title": "Is Manual Decision",
+ "type": "boolean"
+ },
+ "scenario_confidence": {
+ "default": 0,
+ "description": "The confidence of the scenario",
+ "title": "Scenario Confidence",
+ "type": "integer"
}
},
"required": [
"event_id",
"organization_id",
"event_timestamp",
- "id",
- "version",
- "os",
- "event_type"
+ "event_type",
+ "uuid",
+ "message",
+ "scenario",
+ "behaviors",
+ "start_at",
+ "stop_at",
+ "target",
+ "source",
+ "is_manual_decision",
+ "scenario_confidence"
],
- "title": "SecurityEngineUnenrolled",
+ "title": "AlertTriggered",
"type": "object"
}
},
@@ -533,7 +718,17 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `component_outdated`
+### Stack
+
+
+
+:::info
+Multiple options can be selected in this category
+:::
+
+#### `Security Engine Enrolled`
+
+A engine has been accepted to be enrolled within your organization or personal account
```json
{
@@ -545,10 +740,10 @@ If a notification fails to be sent through the webhook integration, the system w
"event_id": "c6d468d4f1084ebca84165c33f97fbc4",
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
- "event_type": "component_outdated",
- "nb_remediation_component": 10,
- "nb_log_processor": 10,
- "nb_security_engine": 10
+ "id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
+ "version": "v1.6.3-rc4",
+ "os" : {"name" : "ubuntu", "version": "22.04"},
+ "event_type": "security_engine_enrolled"
}
}
```
@@ -556,7 +751,26 @@ If a notification fails to be sent through the webhook integration, the system w
JSON Schema
```json
{
- "$defs": {},
+ "$defs": {
+ "OperatingSystem": {
+ "properties": {
+ "name": {
+ "title": "Name",
+ "type": "string"
+ },
+ "version": {
+ "title": "Version",
+ "type": "string"
+ }
+ },
+ "required": [
+ "name",
+ "version"
+ ],
+ "title": "OperatingSystem",
+ "type": "object"
+ }
+ },
"type": "object",
"properties": {
"metadata": {
@@ -603,47 +817,62 @@ If a notification fails to be sent through the webhook integration, the system w
"title": "Event Timestamp",
"type": "string"
},
- "event_type": {
- "const": "component_outdated",
- "default": "component_outdated",
- "title": "Event Type",
- "type": "string"
- },
- "nb_remediation_component": {
- "description": "Number of remediation component",
+ "id": {
+ "description": "ID of the security engine",
"examples": [
- 10
+ "12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
],
- "title": "Nb Remediation Component",
- "type": "integer"
+ "title": "Id",
+ "type": "string"
},
- "nb_log_processor": {
- "description": "Number of log processor",
+ "version": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ],
+ "default": null,
+ "description": "Version of the security engine",
"examples": [
- 10
+ "v1.6.3-rc4"
],
- "title": "Nb Log Processor",
- "type": "integer"
+ "title": "Version"
},
- "nb_security_engine": {
- "description": "Number of security engine",
- "examples": [
- 10
+ "os": {
+ "anyOf": [
+ {
+ "$ref": "#/$defs/OperatingSystem"
+ },
+ {
+ "type": "null"
+ }
],
- "title": "Nb Security Engine",
- "type": "integer"
+ "default": null,
+ "description": "Operating System of the security engine",
+ "examples": [
+ "Linux"
+ ]
+ },
+ "event_type": {
+ "const": "security_engine_enrolled",
+ "default": "security_engine_enrolled",
+ "title": "Event Type",
+ "type": "string"
}
},
"required": [
"event_id",
"organization_id",
"event_timestamp",
- "event_type",
- "nb_remediation_component",
- "nb_log_processor",
- "nb_security_engine"
+ "id",
+ "version",
+ "os",
+ "event_type"
],
- "title": "ComponentOutdated",
+ "title": "SecurityEngineEnrolled",
"type": "object"
}
},
@@ -655,7 +884,13 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `security_engine_offline`
+#### `Security Engine Unenrolled`
+
+Security engine has been removed from your organization or personal account
+
+This can happen under these scenarios:
+- User has manually removed the engine
+- Automatic removal has occurred due to `Settings > Security Engines > Inactive Policy`
```json
{
@@ -670,9 +905,7 @@ If a notification fails to be sent through the webhook integration, the system w
"id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
"version": "v1.6.3-rc4",
"os" : {"name" : "ubuntu", "version": "22.04"},
- "event_type": "security_engine_offline",
- "last_login": "2024-09-17T07:06:21",
- "name": "MySecurityEngine"
+ "event_type": "security_engine_unenrolled"
}
}
```
@@ -785,30 +1018,11 @@ If a notification fails to be sent through the webhook integration, the system w
"Linux"
]
},
- "last_login": {
- "title": "Last Login",
- "type": "string"
- },
"event_type": {
- "const": "security_engine_offline",
- "default": "security_engine_offline",
+ "const": "security_engine_unenrolled",
+ "default": "security_engine_unenrolled",
"title": "Event Type",
"type": "string"
- },
- "name": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
- ],
- "description": "Name of the security engine",
- "examples": [
- "MySecurityEngine"
- ],
- "title": "Name"
}
},
"required": [
@@ -818,11 +1032,9 @@ If a notification fails to be sent through the webhook integration, the system w
"id",
"version",
"os",
- "last_login",
- "event_type",
- "name"
+ "event_type"
],
- "title": "SecurityEngineOffline",
+ "title": "SecurityEngineUnenrolled",
"type": "object"
}
},
@@ -834,8 +1046,7 @@ If a notification fails to be sent through the webhook integration, the system w
```
-
-### `security_engine_no_alerts`
+#### `Security Engine Long Pending Enroll`
```json
{
@@ -850,9 +1061,7 @@ If a notification fails to be sent through the webhook integration, the system w
"id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
"version": "v1.6.3-rc4",
"os" : {"name" : "ubuntu", "version": "22.04"},
- "last_push": "2024-09-17T07:06:21",
- "event_type": "security_engine_no_alerts",
- "name": "MySecurityEngine"
+ "event_type": "security_engine_long_pending_enroll"
}
}
```
@@ -965,34 +1174,11 @@ If a notification fails to be sent through the webhook integration, the system w
"Linux"
]
},
- "last_push": {
- "description": "Last time the security engine pushed",
- "examples": [
- "2024-09-17T07:06:21"
- ],
- "title": "Last Push",
- "type": "string"
- },
"event_type": {
- "const": "security_engine_no_alerts",
- "default": "security_engine_no_alerts",
+ "const": "security_engine_long_pending_enroll",
+ "default": "security_engine_long_pending_enroll",
"title": "Event Type",
"type": "string"
- },
- "name": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
- ],
- "description": "Name of the security engine",
- "examples": [
- "MySecurityEngine"
- ],
- "title": "Name"
}
},
"required": [
@@ -1002,11 +1188,9 @@ If a notification fails to be sent through the webhook integration, the system w
"id",
"version",
"os",
- "last_push",
- "event_type",
- "name"
+ "event_type"
],
- "title": "SecurityEngineNoAlerts",
+ "title": "LongPendingEnroll",
"type": "object"
}
},
@@ -1018,7 +1202,12 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `remediation_component_offline`
+#### `Firewall Integration Offline`
+
+A [Firewall Integration](integrations/intro.mdx) has been classified as offline.
+
+This can happen for these scenarios:
+- Firewall has not actively pulled the contents for over 24 hours.
```json
{
@@ -1031,10 +1220,9 @@ If a notification fails to be sent through the webhook integration, the system w
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
"id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
- "name": "MyRemediationComponent",
- "version": "v0.22",
- "event_type": "remediation_component_offline",
- "last_pull": "2024-09-17T07:06:21"
+ "name": "MyBlocklistIntegration",
+ "last_pull": "2024-09-17T07:06:21",
+ "event_type": "firewall_integration_offline"
}
}
```
@@ -1090,7 +1278,7 @@ If a notification fails to be sent through the webhook integration, the system w
"type": "string"
},
"id": {
- "description": "ID of the remediation component",
+ "description": "ID of the blocklist integration",
"examples": [
"12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
],
@@ -1098,36 +1286,24 @@ If a notification fails to be sent through the webhook integration, the system w
"type": "string"
},
"name": {
- "description": "Name of the remediation component",
+ "description": "Name of the blocklist integration",
"examples": [
"MyBlocklistIntegration"
],
"title": "Name",
"type": "string"
},
- "version": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
- ],
- "default": null,
- "description": "Version of the remediation component",
+ "last_pull": {
+ "description": "Last time the blocklist integration pulled",
"examples": [
- "v0.22"
+ "2024-09-17T07:06:21"
],
- "title": "Version"
- },
- "last_pull": {
"title": "Last Pull",
"type": "string"
},
"event_type": {
- "const": "remediation_component_offline",
- "default": "remediation_component_offline",
+ "const": "firewall_integration_offline",
+ "default": "firewall_integration_offline",
"title": "Event Type",
"type": "string"
}
@@ -1138,11 +1314,10 @@ If a notification fails to be sent through the webhook integration, the system w
"event_timestamp",
"id",
"name",
- "version",
"last_pull",
"event_type"
],
- "title": "RemediationComponentOffline",
+ "title": "FirewallIntegrationOffline",
"type": "object"
}
},
@@ -1154,8 +1329,12 @@ If a notification fails to be sent through the webhook integration, the system w
```
+#### `Remediation Component Integration Offline`
+
+A [Remediation Component Integration](integrations/remediationcomponent.mdx) has been classified as offline.
-### `log_processor_offline`
+This can happen for these scenarios:
+- Remediation Component has not actively pulled the contents for over 24 hours.
```json
{
@@ -1168,10 +1347,9 @@ If a notification fails to be sent through the webhook integration, the system w
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
"id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
- "name": "MyLogProcessor",
- "version": "v1.6.3-rc4",
- "last_update": "2024-09-17T07:06:21",
- "event_type": "log_processor_offline"
+ "name": "MyBlocklistIntegration",
+ "last_pull": "2024-09-17T07:06:21",
+ "event_type": "remediation_component_integration_offline"
}
}
```
@@ -1227,7 +1405,7 @@ If a notification fails to be sent through the webhook integration, the system w
"type": "string"
},
"id": {
- "description": "ID of the Log Processor",
+ "description": "ID of the blocklist integration",
"examples": [
"12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
],
@@ -1235,40 +1413,24 @@ If a notification fails to be sent through the webhook integration, the system w
"type": "string"
},
"name": {
- "description": "Name of the Log Processor",
+ "description": "Name of the blocklist integration",
"examples": [
- "MyLogProcessor"
+ "MyBlocklistIntegration"
],
"title": "Name",
"type": "string"
},
- "version": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
- ],
- "default": null,
- "description": "Version of the Log Processor",
- "examples": [
- "v1.6.3-rc4"
- ],
- "title": "Version"
- },
- "last_update": {
- "description": "Last time the Log Processor updated",
+ "last_pull": {
+ "description": "Last time the blocklist integration pulled",
"examples": [
"2024-09-17T07:06:21"
],
- "title": "Last Update",
+ "title": "Last Pull",
"type": "string"
},
"event_type": {
- "const": "log_processor_offline",
- "default": "log_processor_offline",
+ "const": "remediation_component_integration_offline",
+ "default": "remediation_component_integration_offline",
"title": "Event Type",
"type": "string"
}
@@ -1279,11 +1441,10 @@ If a notification fails to be sent through the webhook integration, the system w
"event_timestamp",
"id",
"name",
- "version",
- "last_update",
+ "last_pull",
"event_type"
],
- "title": "LogProcessorOffline",
+ "title": "RemediationComponentIntegrationOffline",
"type": "object"
}
},
@@ -1295,8 +1456,9 @@ If a notification fails to be sent through the webhook integration, the system w
```
+#### `Log Processor No Alerts`
-### `log_processor_no_alerts`
+A Log Processor has not pushed any alerts for over 48 hours.
```json
{
@@ -1432,7 +1594,15 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `firewall_integration_offline`
+#### `CrowdSec Stack Component Outdated`
+
+A CrowdSec Stack Component is outdated.
+
+This can happen for these scenarios:
+- A new version of CrowdSec has been released.
+- A new version of a Hub listed Remediation Component has been released**.
+
+**The remediation component must send the semantic version to the Security Engine via the UserAgent header, note that all first party remediation components do this.
```json
{
@@ -1444,10 +1614,10 @@ If a notification fails to be sent through the webhook integration, the system w
"event_id": "c6d468d4f1084ebca84165c33f97fbc4",
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
- "id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
- "name": "MyBlocklistIntegration",
- "last_pull": "2024-09-17T07:06:21",
- "event_type": "firewall_integration_offline"
+ "event_type": "component_outdated",
+ "nb_remediation_component": 10,
+ "nb_log_processor": 10,
+ "nb_security_engine": 10
}
}
```
@@ -1502,47 +1672,47 @@ If a notification fails to be sent through the webhook integration, the system w
"title": "Event Timestamp",
"type": "string"
},
- "id": {
- "description": "ID of the blocklist integration",
- "examples": [
- "12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
- ],
- "title": "Id",
+ "event_type": {
+ "const": "component_outdated",
+ "default": "component_outdated",
+ "title": "Event Type",
"type": "string"
},
- "name": {
- "description": "Name of the blocklist integration",
+ "nb_remediation_component": {
+ "description": "Number of remediation component",
"examples": [
- "MyBlocklistIntegration"
+ 10
],
- "title": "Name",
- "type": "string"
+ "title": "Nb Remediation Component",
+ "type": "integer"
},
- "last_pull": {
- "description": "Last time the blocklist integration pulled",
+ "nb_log_processor": {
+ "description": "Number of log processor",
"examples": [
- "2024-09-17T07:06:21"
+ 10
],
- "title": "Last Pull",
- "type": "string"
+ "title": "Nb Log Processor",
+ "type": "integer"
},
- "event_type": {
- "const": "firewall_integration_offline",
- "default": "firewall_integration_offline",
- "title": "Event Type",
- "type": "string"
+ "nb_security_engine": {
+ "description": "Number of security engine",
+ "examples": [
+ 10
+ ],
+ "title": "Nb Security Engine",
+ "type": "integer"
}
},
"required": [
"event_id",
"organization_id",
"event_timestamp",
- "id",
- "name",
- "last_pull",
- "event_type"
+ "event_type",
+ "nb_remediation_component",
+ "nb_log_processor",
+ "nb_security_engine"
],
- "title": "FirewallIntegrationOffline",
+ "title": "ComponentOutdated",
"type": "object"
}
},
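Review bot: The three `nb_*` descriptions in the ComponentOutdated schema are singular ("Number of remediation component", "Number of log processor", "Number of security engine") although each field is a count. Plural forms read correctly, e.g. `"description": "Number of remediation components"`, and likewise for the other two.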
@@ -1554,7 +1724,9 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `remediation_component_integration_offline`
+#### `Log Processor Offline`
+
+A Log Processor has been offline for more than 24 hours.
```json
{
@@ -1567,9 +1739,10 @@ If a notification fails to be sent through the webhook integration, the system w
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
"id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
- "name": "MyBlocklistIntegration",
- "last_pull": "2024-09-17T07:06:21",
- "event_type": "remediation_component_integration_offline"
+ "name": "MyLogProcessor",
+ "version": "v1.6.3-rc4",
+ "last_update": "2024-09-17T07:06:21",
+ "event_type": "log_processor_offline"
}
}
```
@@ -1625,7 +1798,7 @@ If a notification fails to be sent through the webhook integration, the system w
"type": "string"
},
"id": {
- "description": "ID of the blocklist integration",
+ "description": "ID of the Log Processor",
"examples": [
"12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
],
@@ -1633,24 +1806,40 @@ If a notification fails to be sent through the webhook integration, the system w
"type": "string"
},
"name": {
- "description": "Name of the blocklist integration",
+ "description": "Name of the Log Processor",
"examples": [
- "MyBlocklistIntegration"
+ "MyLogProcessor"
],
"title": "Name",
"type": "string"
},
- "last_pull": {
- "description": "Last time the blocklist integration pulled",
+ "version": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ],
+ "default": null,
+ "description": "Version of the Log Processor",
+ "examples": [
+ "v1.6.3-rc4"
+ ],
+ "title": "Version"
+ },
+ "last_update": {
+ "description": "Last time the Log Processor updated",
"examples": [
"2024-09-17T07:06:21"
],
- "title": "Last Pull",
+ "title": "Last Update",
"type": "string"
},
"event_type": {
- "const": "remediation_component_integration_offline",
- "default": "remediation_component_integration_offline",
+ "const": "log_processor_offline",
+ "default": "log_processor_offline",
"title": "Event Type",
"type": "string"
}
@@ -1661,10 +1850,11 @@ If a notification fails to be sent through the webhook integration, the system w
"event_timestamp",
"id",
"name",
- "last_pull",
+ "version",
+ "last_update",
"event_type"
],
- "title": "RemediationComponentIntegrationOffline",
+ "title": "LogProcessorOffline",
"type": "object"
}
},
@@ -1676,7 +1866,9 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `payment_failed`
+#### `Remediation Component Offline`
+
+A Remediation Component has not pulled from the Security Engine in over 24 hours.
```json
{
@@ -1688,7 +1880,11 @@ If a notification fails to be sent through the webhook integration, the system w
"event_id": "c6d468d4f1084ebca84165c33f97fbc4",
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
- "event_type": "payment_failed"
+ "id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
+ "name": "MyRemediationComponent",
+ "version": "v0.22",
+ "event_type": "remediation_component_offline",
+ "last_pull": "2024-09-17T07:06:21"
}
}
```
@@ -1743,9 +1939,45 @@ If a notification fails to be sent through the webhook integration, the system w
"title": "Event Timestamp",
"type": "string"
},
+ "id": {
+ "description": "ID of the remediation component",
+ "examples": [
+ "12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
+ ],
+ "title": "Id",
+ "type": "string"
+ },
+ "name": {
+ "description": "Name of the remediation component",
+ "examples": [
+ "MyBlocklistIntegration"
+ ],
+ "title": "Name",
+ "type": "string"
+ },
+ "version": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ],
+ "default": null,
+ "description": "Version of the remediation component",
+ "examples": [
+ "v0.22"
+ ],
+ "title": "Version"
+ },
+ "last_pull": {
+ "title": "Last Pull",
+ "type": "string"
+ },
"event_type": {
- "const": "payment_failed",
- "default": "payment_failed",
+ "const": "remediation_component_offline",
+ "default": "remediation_component_offline",
"title": "Event Type",
"type": "string"
}
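Review bot: The `name` example in the RemediationComponentOffline schema is `"MyBlocklistIntegration"` while the payload example directly above uses `"MyRemediationComponent"`; the two should agree, presumably on `"MyRemediationComponent"`. In the same hunk `last_pull` carries only a title and type, unlike every sibling field; add `"description": "Last time the remediation component pulled"` and `"examples": ["2024-09-17T07:06:21"]` so consumers reading the schema alone know what the field holds. The same gap applies to `last_login` in the SecurityEngineOffline schema further down.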
@@ -1754,9 +1986,13 @@ If a notification fails to be sent through the webhook integration, the system w
"event_id",
"organization_id",
"event_timestamp",
+ "id",
+ "name",
+ "version",
+ "last_pull",
"event_type"
],
- "title": "PremiumPaymentFailed",
+ "title": "RemediationComponentOffline",
"type": "object"
}
},
@@ -1768,7 +2004,9 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `am_i_under_attack`
+#### `Security Engine No Alerts`
+
+A Security Engine has not pushed any alerts for over 48 hours.
```json
{
@@ -1780,34 +2018,12 @@ If a notification fails to be sent through the webhook integration, the system w
"event_id": "c6d468d4f1084ebca84165c33f97fbc4",
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
- "event_type": "am_i_under_attack",
- "start_date": "2025-05-26T12:00:00Z",
- "end_date": "2025-05-26T14:00:00Z",
- "segments_with_anomaly": [
- "2025-05-26T12:15:00Z",
- "2025-05-26T12:45:00Z",
- "2025-05-26T13:30:00Z"
- ],
- "total_signals": 42,
- "report_data": {
- "is_attack_detected": true,
- "unique_detections": 5,
- "total_detections": 23,
- "attack_length": 7200,
- "first_detection_date": "2025-05-26T12:10:00Z",
- "last_detection_date": "2025-05-26T13:55:00Z",
- "increased_percentage": 67.5
- },
- "watchers": [
- {
- "watcher_uuid": "abc123-watcher-uuid-001",
- "total_signals": 20
- },
- {
- "watcher_uuid": "def456-watcher-uuid-002",
- "total_signals": 22
- }
- ]
+ "id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
+ "version": "v1.6.3-rc4",
+ "os" : {"name" : "ubuntu", "version": "22.04"},
+ "last_push": "2024-09-17T07:06:21",
+ "event_type": "security_engine_no_alerts",
+ "name": "MySecurityEngine"
}
}
```
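Review bot: The line `"os" : {"name" : "ubuntu", "version": "22.04"},` puts a space before the colon and collapses the object onto one line, unlike every other key in these payload examples. `"os": {"name": "ubuntu", "version": "22.04"},` keeps the examples consistent and copy-paste friendly; the same line appears in the Security Engine Offline example below.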
@@ -1816,78 +2032,22 @@ If a notification fails to be sent through the webhook integration, the system w
```json
{
"$defs": {
- "AIUAAnomalyReport": {
- "description": "Key stats about the anomaly detection results.",
+ "OperatingSystem": {
"properties": {
- "is_attack_detected": {
- "description": "An attack has been detected",
- "title": "Is Attack Detected",
- "type": "boolean"
- },
- "unique_detections": {
- "description": "The number of unique detections",
- "title": "Unique Detections",
- "type": "integer"
- },
- "total_detections": {
- "description": "The total number of detections",
- "title": "Total Detections",
- "type": "integer"
- },
- "attack_length": {
- "description": "The length of the attack",
- "title": "Attack Length",
- "type": "integer"
- },
- "first_detection_date": {
- "description": "The first detection date",
- "format": "date-time",
- "title": "First Detection Date",
- "type": "string"
- },
- "last_detection_date": {
- "description": "The last detection date",
- "format": "date-time",
- "title": "Last Detection Date",
+ "name": {
+ "title": "Name",
"type": "string"
},
- "increased_percentage": {
- "description": "The increased percentage",
- "title": "Increased Percentage",
- "type": "number"
- }
- },
- "required": [
- "is_attack_detected",
- "unique_detections",
- "total_detections",
- "attack_length",
- "first_detection_date",
- "last_detection_date",
- "increased_percentage"
- ],
- "title": "AIUAAnomalyReport",
- "type": "object"
- },
- "AIUAWatcherReport": {
- "description": "Key stats about the anomaly detection results.",
- "properties": {
- "watcher_uuid": {
- "description": "The watcher UUID",
- "title": "Watcher Uuid",
+ "version": {
+ "title": "Version",
"type": "string"
- },
- "total_signals": {
- "description": "The total number of signals",
- "title": "Total Signals",
- "type": "integer"
}
},
"required": [
- "watcher_uuid",
- "total_signals"
+ "name",
+ "version"
],
- "title": "AIUAWatcherReport",
+ "title": "OperatingSystem",
"type": "object"
}
},
@@ -1937,75 +2097,87 @@ If a notification fails to be sent through the webhook integration, the system w
"title": "Event Timestamp",
"type": "string"
},
- "event_type": {
- "const": "am_i_under_attack",
- "default": "am_i_under_attack",
- "title": "Event Type",
+ "id": {
+ "description": "ID of the security engine",
+ "examples": [
+ "12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
+ ],
+ "title": "Id",
"type": "string"
},
- "start_date": {
- "description": "The attack start date",
- "format": "date-time",
- "title": "Start Date",
- "type": "string"
+ "version": {
+ "anyOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ],
+ "default": null,
+ "description": "Version of the security engine",
+ "examples": [
+ "v1.6.3-rc4"
+ ],
+ "title": "Version"
},
- "end_date": {
- "description": "The attack end date",
- "format": "date-time",
- "title": "End Date",
- "type": "string"
+ "os": {
+ "anyOf": [
+ {
+ "$ref": "#/$defs/OperatingSystem"
+ },
+ {
+ "type": "null"
+ }
+ ],
+ "default": null,
+ "description": "Operating System of the security engine",
+ "examples": [
+ "Linux"
+ ]
},
- "segments_with_anomaly": {
- "default": [],
- "description": "List of detection timestamps",
- "items": {
- "format": "date-time",
- "type": "string"
- },
- "title": "Segments With Anomaly",
- "type": "array"
+ "last_push": {
+ "description": "Last time the security engine pushed",
+ "examples": [
+ "2024-09-17T07:06:21"
+ ],
+ "title": "Last Push",
+ "type": "string"
},
- "total_signals": {
- "default": 0,
- "description": "The total number of signals",
- "title": "Total Signals",
- "type": "integer"
+ "event_type": {
+ "const": "security_engine_no_alerts",
+ "default": "security_engine_no_alerts",
+ "title": "Event Type",
+ "type": "string"
},
- "report_data": {
+ "name": {
"anyOf": [
{
- "$ref": "#/$defs/AIUAAnomalyReport"
+ "type": "string"
},
{
"type": "null"
}
],
- "default": null,
- "description": "Anomaly report data"
- },
- "watchers": {
- "default": [],
- "description": "Watcher reports",
- "items": {
- "$ref": "#/$defs/AIUAWatcherReport"
- },
- "title": "Watchers",
- "type": "array"
+ "description": "Name of the security engine",
+ "examples": [
+ "MySecurityEngine"
+ ],
+ "title": "Name"
}
},
"required": [
"event_id",
"organization_id",
"event_timestamp",
+ "id",
+ "version",
+ "os",
+ "last_push",
"event_type",
- "start_date",
- "end_date",
- "segments_with_anomaly",
- "total_signals",
- "report_data",
- "watchers"
+ "name"
],
- "title": "AmIUnderAttack",
+ "title": "SecurityEngineNoAlerts",
"type": "object"
}
},
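Review bot: The `os` property is declared as `#/$defs/OperatingSystem` or null, but its `examples` entry is the bare string `"Linux"`, which does not validate against the property's own schema and contradicts the payload example's `{"name": "ubuntu", "version": "22.04"}`; anyone generating validators or test fixtures from this schema will be misled. Use `"examples": [{"name": "ubuntu", "version": "22.04"}]` here and in the SecurityEngineOffline schema, which repeats the same example. Separately, `last_push` (and `last_pull`, `last_update`, `last_login` in the sibling schemas) has no `"format": "date-time"` and its example carries no UTC offset, unlike `event_timestamp`; if the value is emitted in UTC, state that in the description or add the format so webhook consumers do not have to guess the timezone.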
@@ -2017,7 +2189,9 @@ If a notification fails to be sent through the webhook integration, the system w
```
-### `alert_triggered`
+#### `Security Engine Offline`
+
+A Security Engine has been offline for more than 48 hours.
```json
{
@@ -2029,42 +2203,12 @@ If a notification fails to be sent through the webhook integration, the system w
"event_id": "c6d468d4f1084ebca84165c33f97fbc4",
"organization_id": "12345678-1234-1234-1234-123456789012",
"event_timestamp": "2021-07-29T12:00:00+00:00",
- "event_type": "alert_triggered",
- "uuid": "alert-uuid-1234",
- "message": "Suspicious SSH behavior detected",
- "scenario": "ssh-brute-force",
- "behaviors": [
- {
- "name": "Brute Force",
- "description": "Multiple failed SSH login attempts detected in short time",
- "label": "SSH Brute Force"
- },
- {
- "name": "Port Scan",
- "description": "Scanning activity detected on multiple ports",
- "label": "Scan"
- }
- ],
- "start_at": "2025-05-26T18:00:00Z",
- "stop_at": "2025-05-26T18:10:00Z",
- "target": {
- "ip": "192.168.1.10",
- "id": "machine-01",
- "name": "internal-server-01"
- },
- "source": {
- "scope": "ip",
- "value": "203.0.113.25",
- "as_name": "ExampleISP",
- "as_number": 64512,
- "country": "US",
- "city": "San Francisco",
- "latitude": 37.7749,
- "longitude": -122.4194,
- "rdns": "25.113.0.203.example.com"
- },
- "is_manual_decision": false,
- "scenario_confidence": 85
+ "id": "12345677732339c3d12345164a8426sbnk6ll4iaazda1234",
+ "version": "v1.6.3-rc4",
+ "os" : {"name" : "ubuntu", "version": "22.04"},
+ "event_type": "security_engine_offline",
+ "last_login": "2024-09-17T07:06:21",
+ "name": "MySecurityEngine"
}
}
```
@@ -2073,104 +2217,80 @@ If a notification fails to be sent through the webhook integration, the system w
```json
{
"$defs": {
- "AlertBehavior": {
+ "OperatingSystem": {
"properties": {
"name": {
- "description": "The attack behavior name",
"title": "Name",
"type": "string"
},
- "description": {
- "description": "The attack behavior description",
- "title": "Description",
- "type": "string"
- },
- "label": {
- "description": "The attack behavior label",
- "title": "Label",
+ "version": {
+ "title": "Version",
"type": "string"
}
},
"required": [
"name",
- "description",
- "label"
+ "version"
],
- "title": "AlertBehavior",
+ "title": "OperatingSystem",
"type": "object"
- },
- "AlertTarget": {
- "properties": {
- "ip": {
- "description": "The IP targeted by the attack",
- "title": "Ip",
- "type": "string"
- },
- "id": {
- "description": "The id of the machine targeted by the attack",
- "title": "Id",
- "type": "string"
+ }
+ },
+ "type": "object",
+ "properties": {
+ "metadata": {
+ "type": "object",
+ "properties": {
+ "version": {
+ "type": "integer",
+ "const": 1
},
- "name": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
- ],
- "default": null,
- "description": "The name of the machine targeted by the attack",
- "title": "Name"
+ "issuer": {
+ "type": "string",
+ "const": "crowdsec.net"
}
},
"required": [
- "ip",
- "id"
- ],
- "title": "AlertTarget",
- "type": "object"
+ "version",
+ "issuer"
+ ]
},
- "AlertSource": {
+ "details": {
"properties": {
- "scope": {
- "description": "The scope of the value",
- "title": "Scope",
+ "event_id": {
+ "description": "ID of the source event",
+ "examples": [
+ "c6d468d4f1084ebca84165c33f97fbc4"
+ ],
+ "title": "Event Id",
"type": "string"
},
- "value": {
- "description": "The value of the source",
- "title": "Value",
+ "organization_id": {
+ "description": "Organization ID of the source event",
+ "examples": [
+ "12345678-1234-1234-1234-123456789012"
+ ],
+ "title": "Organization Id",
"type": "string"
},
- "as_name": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
+ "event_timestamp": {
+ "description": "Timestamp of the source event",
+ "examples": [
+ "2021-07-29T12:00:00+00:00"
],
- "default": null,
- "description": "The AS name of the source",
- "title": "As Name"
+ "format": "date-time",
+ "title": "Event Timestamp",
+ "type": "string"
},
- "as_number": {
- "anyOf": [
- {
- "type": "integer"
- },
- {
- "type": "null"
- }
+ "id": {
+ "description": "ID of the security engine",
+ "examples": [
+ "12345677732339c3d12345164a8426sbnk6ll4iaazda1234"
],
- "default": null,
- "description": "The AS number of the source",
- "title": "As Number"
+ "title": "Id",
+ "type": "string"
},
- "country": {
+ "version": {
"anyOf": [
{
"type": "string"
@@ -2180,49 +2300,38 @@ If a notification fails to be sent through the webhook integration, the system w
}
],
"default": null,
- "description": "The country of the source",
- "title": "Country"
- },
- "city": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
+ "description": "Version of the security engine",
+ "examples": [
+ "v1.6.3-rc4"
],
- "default": null,
- "description": "The city of the source",
- "title": "City"
+ "title": "Version"
},
- "latitude": {
+ "os": {
"anyOf": [
{
- "type": "number"
+ "$ref": "#/$defs/OperatingSystem"
},
{
"type": "null"
}
],
"default": null,
- "description": "The latitude of the source",
- "title": "Latitude"
+ "description": "Operating System of the security engine",
+ "examples": [
+ "Linux"
+ ]
},
- "longitude": {
- "anyOf": [
- {
- "type": "number"
- },
- {
- "type": "null"
- }
- ],
- "default": null,
- "description": "The longitude of the source",
- "title": "Longitude"
+ "last_login": {
+ "title": "Last Login",
+ "type": "string"
},
- "rdns": {
+ "event_type": {
+ "const": "security_engine_offline",
+ "default": "security_engine_offline",
+ "title": "Event Type",
+ "type": "string"
+ },
+ "name": {
"anyOf": [
{
"type": "string"
@@ -2231,19 +2340,68 @@ If a notification fails to be sent through the webhook integration, the system w
"type": "null"
}
],
- "default": null,
- "description": "The rDNS of the source",
- "title": "Rdns"
+ "description": "Name of the security engine",
+ "examples": [
+ "MySecurityEngine"
+ ],
+ "title": "Name"
}
},
"required": [
- "scope",
- "value"
+ "event_id",
+ "organization_id",
+ "event_timestamp",
+ "id",
+ "version",
+ "os",
+ "last_login",
+ "event_type",
+ "name"
],
- "title": "AlertSource",
+ "title": "SecurityEngineOffline",
"type": "object"
}
},
+ "required": [
+ "metadata",
+ "details"
+ ]
+}
+```
+
+
+
+### Admin
+
+
+
+#### `Payment Failed`
+
+A payment attempt for your enterprise subscription failed.
+
+This can happen for these scenarios:
+- Payment needs additional approval from your bank.
+- You have insufficient funds to complete the transaction.
+
+```json
+{
+ "metadata": {
+ "version": 1,
+ "issuer": "crowdsec.net"
+ },
+ "details": {
+ "event_id": "c6d468d4f1084ebca84165c33f97fbc4",
+ "organization_id": "12345678-1234-1234-1234-123456789012",
+ "event_timestamp": "2021-07-29T12:00:00+00:00",
+ "event_type": "payment_failed"
+ }
+}
+```
+
+JSON Schema
+```json
+{
+ "$defs": {},
"type": "object",
"properties": {
"metadata": {
@@ -2291,101 +2449,19 @@ If a notification fails to be sent through the webhook integration, the system w
"type": "string"
},
"event_type": {
- "const": "alert_triggered",
- "default": "alert_triggered",
+ "const": "payment_failed",
+ "default": "payment_failed",
"title": "Event Type",
"type": "string"
- },
- "uuid": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
- ],
- "default": null,
- "description": "The alert UUID",
- "title": "Uuid"
- },
- "message": {
- "anyOf": [
- {
- "type": "string"
- },
- {
- "type": "null"
- }
- ],
- "default": null,
- "description": "The alert message",
- "title": "Message"
- },
- "scenario": {
- "description": "The attack scenario",
- "title": "Scenario",
- "type": "string"
- },
- "behaviors": {
- "default": [],
- "description": "The attack behaviors",
- "items": {
- "$ref": "#/$defs/AlertBehavior"
- },
- "title": "Behaviors",
- "type": "array"
- },
- "start_at": {
- "description": "The attack start time",
- "format": "date-time",
- "title": "Start At",
- "type": "string"
- },
- "stop_at": {
- "description": "The attack stop time",
- "format": "date-time",
- "title": "Stop At",
- "type": "string"
- },
- "target": {
- "$ref": "#/$defs/AlertTarget",
- "description": "The target of the attack"
- },
- "source": {
- "$ref": "#/$defs/AlertSource",
- "description": "The source of the attack"
- },
- "is_manual_decision": {
- "default": false,
- "description": "Whether the decision was created manually",
- "title": "Is Manual Decision",
- "type": "boolean"
- },
- "scenario_confidence": {
- "default": 0,
- "description": "The confidence of the scenario",
- "title": "Scenario Confidence",
- "type": "integer"
}
},
"required": [
"event_id",
"organization_id",
"event_timestamp",
- "event_type",
- "uuid",
- "message",
- "scenario",
- "behaviors",
- "start_at",
- "stop_at",
- "target",
- "source",
- "is_manual_decision",
- "scenario_confidence"
+ "event_type"
],
- "title": "AlertTriggered",
+ "title": "PremiumPaymentFailed",
"type": "object"
}
},
@@ -2397,7 +2473,6 @@ If a notification fails to be sent through the webhook integration, the system w
```
-
## Troubleshooting
### Network error