Version: v1.6.0

Security Engine Overview

The CrowdSec Security Engine is an open-source, lightweight software that detects and blocks malicious actors before they reach your systems, at several levels, by analyzing logs and HTTP requests against threat patterns called scenarios.

CrowdSec is a modular security tool offering behavior-based detection, including AppSec rules, plus optional components, called Remediation Components, that block the threats it detects.
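To make the "behavior-based" point concrete, here is an added illustration (not CrowdSec's own code) of the leaky-bucket logic that CrowdSec scenarios use: a bucket is kept per `groupby` key (here the source IP), every matching log line fills it by one, it drains at `leakspeed`, and a decision is emitted only when it overflows `capacity`. The field names `capacity`, `leakspeed` and `groupby` are real scenario keys; the parser, the event dictionary layout, the `Scenario`/`Bucket` classes and the sshd lines are constructed for this example and simplified, and no real scenario file is reproduced here.

```python
"""Minimal leaky-bucket scenario over constructed sshd log lines.

Added illustration only; it mimics the shape of a CrowdSec "leaky"
scenario but is not the project's code. Assumptions: one log format,
one scenario, no leak during a single event, bucket reset on overflow.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines (not captured from a real host).
# 203.0.113.7 fails six times in seven seconds; 198.51.100.9 fails
# six times too, but spread 20 minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:00 sshd[1]: Failed password for root from 203.0.113.7 port 50001 ssh2
2024-03-01T10:00:02 sshd[1]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
2024-03-01T10:00:03 sshd[1]: Failed password for root from 203.0.113.7 port 50003 ssh2
2024-03-01T10:00:05 sshd[1]: Failed password for root from 203.0.113.7 port 50004 ssh2
2024-03-01T10:00:06 sshd[1]: Failed password for root from 203.0.113.7 port 50005 ssh2
2024-03-01T10:00:07 sshd[1]: Failed password for root from 203.0.113.7 port 50006 ssh2
2024-03-01T10:00:10 sshd[1]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-01T10:20:00 sshd[1]: Failed password for alice from 198.51.100.9 port 40002 ssh2
2024-03-01T10:40:00 sshd[1]: Failed password for alice from 198.51.100.9 port 40003 ssh2
2024-03-01T11:00:00 sshd[1]: Failed password for alice from 198.51.100.9 port 40004 ssh2
2024-03-01T11:20:00 sshd[1]: Failed password for alice from 198.51.100.9 port 40005 ssh2
2024-03-01T11:40:00 sshd[1]: Failed password for alice from 198.51.100.9 port 40006 ssh2
"""

# Hypothetical parser for the constructed line format above.
FAILED_PW = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_events(log_text: str) -> List[Dict]:
    """Turn raw lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_PW.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "source_ip": m["ip"],
            })
    return events


@dataclass
class Scenario:
    name: str
    capacity: int            # events tolerated before overflow
    leakspeed: timedelta     # one event drains every leakspeed
    groupby: str             # event field that selects the bucket


@dataclass
class Bucket:
    level: float = 0.0
    last: Optional[datetime] = None


def leaky_bucket(scenario: Scenario, events: List[Dict]) -> List[Dict]:
    """Run the scenario over time-ordered events and return overflow decisions."""
    buckets: Dict[str, Bucket] = {}
    decisions = []
    for ev in events:
        key = ev[scenario.groupby]
        b = buckets.setdefault(key, Bucket())
        if b.last is not None:
            # Drain what leaked since the previous event for this key.
            leaked = (ev["ts"] - b.last) / scenario.leakspeed
            b.level = max(0.0, b.level - leaked)
        b.last = ev["ts"]
        b.level += 1
        if b.level > scenario.capacity:
            # Overflow: this is the "react" trigger; reset the bucket.
            decisions.append({"scenario": scenario.name, "value": key, "at": ev["ts"]})
            buckets.pop(key)
    return decisions


def run_scenario(log_text: str = SAMPLE_LOG) -> List[Dict]:
    """Five failures within a 10 s leak window are tolerated; the sixth overflows."""
    scenario = Scenario("example/ssh-bf", capacity=5,
                        leakspeed=timedelta(seconds=10), groupby="source_ip")
    return leaky_bucket(scenario, parse_events(log_text))


if __name__ == "__main__":
    for d in run_scenario():
        print(f"{d['at'].isoformat()} {d['scenario']} -> ban {d['value']}")
```

Running it yields a single decision against 203.0.113.7 at 10:00:07; 198.51.100.9 never overflows because each of its failures has fully leaked before the next arrives. That is the difference between behavior-based detection and a per-line signature match: the same log line is benign or malicious depending on the rate at which its source produces it.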


The crowd-sourced aspect lets participants share the attacks their engines detected and blocked. In return, the Security Engine automatically delivers a curated list of validated attackers (the community blocklist), so participants can act preemptively against known threats and strengthen their real-time protection.

Main Features

In addition to the core "detect and react" mechanism, CrowdSec is committed to several other key aspects:

  • Easy Installation: Effortless out-of-the-box installation on all supported platforms.
  • Simplified Daily Operations: Administer your engines from the web UI in the CrowdSec console or with the cscli command-line tool, for effortless maintenance and up-to-date detection mechanisms.
  • Reproducibility: The Security Engine can analyze not only live logs but also cold logs, making it easier to detect potential false triggers, conduct forensic analysis, or generate reports.
  • Versatile: The Security Engine analyzes both system logs and HTTP requests, covering the host and application layers of your perimeter.
  • Observability: Providing valuable insights into the system's activity:
    • Users can view and manage alerts from the console.
    • Operations personnel have access to detailed Prometheus metrics.
    • Administrators can use the cscli command-line tool.
  • API-Centric: All components communicate via an HTTP API, facilitating multi-machine setups.

Architecture

Under the hood, the Security Engine has various components:

Deployment options

This architecture supports both simple standalone setups and more distributed ones, such as:

  • One or more machines? Run crowdsec on each, alongside a remediation component
  • Already have a log pit (such as rsyslog or loki)? Run crowdsec next to it, not on the production workloads
  • Running Kubernetes? Have a look at our helm chart
  • Running containers? The docker data source might be what you need
  • Just looking for a WAF? Look at our quickstart

Distributed architecture example:


More ways to learn

Watch a short series of videos on how to install CrowdSec and protect your infrastructure

Learn with CrowdSec Academy