Version: v1.4.0

Getting Started

Getting an API Key

Once you are logged in to the console, you can create an API key from the "CTI API" section:

create api key

Accessing the API

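You can query the API about a given IP from the command line. The key is sent in the `x-api-key` request header; replace `YOUR_API_KEY` with the key you created above: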

curl -H "x-api-key: YOUR_API_KEY" https://cti.api.crowdsec.net/v2/smoke/185.7.214.104 | jq .

The default output looks something like this:

{  "ip_range_score": 5,  "ip": "185.7.214.104",  "ip_range": "185.7.214.0/24",  "as_name": "Chang Way Technologies Co. Limited",  "as_num": 57523,  "location": {    "country": "RU",    "city": null,    "latitude": 55.7386,    "longitude": 37.6068  },  "reverse_dns": null,  "behaviors": [    {      "name": "http:exploit",      "label": "HTTP Exploit",      "description": "IP has been reported for attempting to exploit a vulnerability in a web application."    },    {      "name": "http:scan",      "label": "HTTP Scan",      "description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."    }  ],  "history": {    "first_seen": "2022-06-14T21:30:00+00:00",    "last_seen": "2022-07-22T11:45:00+00:00",    "full_age": 39,    "days_age": 38  },  "classifications": {    "false_positives": [],    "classifications": [      {        "name": "community-blocklist",        "label": "CrowdSec Community Blocklist",        "description": "IP belong to the CrowdSec Community Blocklist"      }    ]  },  "attack_details": [    {      "name": "crowdsecurity/http-cve-2021-41773",      "label": "Apache CVE-2021-41773",      "description": "Detect Apache CVE-2021-41773 exploitation attemtps",      "references": [        "https://nvd.nist.gov/vuln/detail/CVE-2021-41773"      ]    },    {      "name": "crowdsecurity/thinkphp-cve-2018-20062",      "label": "ThinkPHP CVE-2018-20062",      "description": "Detect ThinkPHP CVE-2018-20062 exploitation attemps",      "references": []    },    {      "name": "crowdsecurity/modsecurity",      "label": "ModSecurity CRS",      "description": "Detect web exploitation via modsecurity",      "references": []    },    {      "name": "crowdsecurity/http-probing",      "label": "HTTP Scanner",      "description": "Detect site scanning/probing from a single ip",      "references": []    }  ],  "target_countries": {    "FR": 35,    "US": 19,    "DE": 18,    "NL": 6,    "GB": 5,    "CA": 4,    "AU": 2,    
"RU": 2,    "SE": 2,    "CH": 1  },  "scores": {    "overall": {      "aggressiveness": 5,      "threat": 5,      "trust": 5,      "anomaly": 1,      "total": 5    },    "last_day": {      "aggressiveness": 5,      "threat": 5,      "trust": 5,      "anomaly": 1,      "total": 5    },    "last_week": {      "aggressiveness": 5,      "threat": 5,      "trust": 5,      "anomaly": 1,      "total": 5    },    "last_month": {      "aggressiveness": 5,      "threat": 5,      "trust": 5,      "anomaly": 1,      "total": 5    }  },  "references": []}