A QRadar app that lets users query CrowdSec's Smoke CTI for information about an IP as seen by CrowdSec's network. The lookup is triggered by a right-click action on an IP in the QRadar GUI. The intelligence includes:
- Types of attacks the IP has been observed performing.
- Background noise score. This can be used to tell whether the IP is targeting only your infrastructure or is targeting others too.
- Aggressivity, which quantifies the frequency of attacks.
- Other fields such as geolocation details, AS details, sighting details, etc.
The app needs a CrowdSec CTI API key. You can find the instructions to obtain one here
Now navigate to the CrowdSec app in QRadar's Admin page. Click on the CrowdSec App Settings icon.
A pop-up will appear. Enter the API key and click Submit.
The app is now configured.
Navigate to the Log Activity pane in QRadar. Right-click an IP in either the Source IP or Destination IP column. Hover over "More Options". You will see a new option, "CrowdSec IP Lookup". Click on it.
This will open a popup with the information found in CrowdSec's Smoke dataset about the IP you right-clicked.
You can click on the "Show" button to see the raw JSON response from the API.
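As an added example (not code from the app or from CrowdSec), here is a small Python helper that reads a Smoke CTI-style JSON response, pulls out the fields listed above (attack types, background noise score, aggressivity, AS and geolocation details) and derives a simple triage hint an analyst could use when deciding whether the IP is a mass scanner or something aimed at them. The sample response and the field names (`background_noise_score`, `scores.overall.aggressiveness`, `attack_details`, `as_name`, `location`) are constructed to mirror the public CTI API layout as I understand it and are assumptions; check them against the raw JSON shown by the "Show" button and the official taxonomy.

```python
import json

# Constructed sample response, modelled on the Smoke CTI layout.
# Field names are an assumption, not copied from the app or the API docs.
SAMPLE_RESPONSE = json.dumps({
    "ip": "192.0.2.10",
    "reputation": "malicious",
    "background_noise_score": 8,
    "as_name": "EXAMPLE-AS",
    "as_num": 64496,
    "location": {"country": "XX", "city": "Example"},
    "attack_details": [
        {"name": "crowdsecurity/ssh-bf", "label": "SSH Bruteforce"},
        {"name": "crowdsecurity/http-probing", "label": "HTTP Probing"},
    ],
    "scores": {"overall": {"aggressiveness": 4, "threat": 3, "trust": 5, "total": 4}},
    "history": {"first_seen": "2024-01-02T00:00:00+00:00",
                "last_seen": "2024-03-01T12:00:00+00:00"},
})


def summarize_cti(raw_json: str) -> dict:
    """Extract the fields the QRadar popup surfaces, tolerating missing keys."""
    data = json.loads(raw_json)
    overall = data.get("scores", {}).get("overall", {})
    attacks = [a.get("label") or a.get("name") for a in data.get("attack_details", [])]
    return {
        "ip": data.get("ip"),
        "reputation": data.get("reputation", "unknown"),
        "attack_types": attacks,
        "background_noise_score": data.get("background_noise_score", 0),
        "aggressiveness": overall.get("aggressiveness", 0),
        "as": f'{data.get("as_name", "?")} (AS{data.get("as_num", "?")})',
        "country": data.get("location", {}).get("country"),
        "last_seen": data.get("history", {}).get("last_seen"),
    }


def triage_hint(summary: dict) -> str:
    """High background noise means the IP hits many networks (mass scanning);
    attacks with low noise suggest activity aimed at you. Threshold is a
    constructed starting point, tune it to your environment."""
    if not summary["attack_types"]:
        return "no-cti-data"
    if summary["background_noise_score"] >= 7:
        return "background-noise"
    return "targeted"


if __name__ == "__main__":
    s = summarize_cti(SAMPLE_RESPONSE)
    print(json.dumps(s, indent=2), triage_hint(s))
```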
You can find our latest taxonomy of attack details, classifications, scores, etc. in our official docs