Version: v1.2

Decisions management


Please see the output of sudo cscli help decisions on your own installation for up-to-date documentation: the flags and defaults below are those of the v1.2 release.

List active decisions

sudo cscli decisions list

+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+
|   ID   |  SOURCE  |   SCOPE:VALUE    |               REASON               | ACTION | COUNTRY |               AS               | EVENTS |   EXPIRATION    | ALERT ID |
+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+
| 276009 | crowdsec |                  | crowdsecurity/telnet-bf            | ban    | CN      |  xxxxxxxx xxxxxxx Advertising  |      7 | 2m53.949221341s |    33459 |
|        |          |                  |                                    |        |         | Co.,Ltd.                       |        |                 |          |
| 276008 | crowdsec |                  | crowdsecurity/smb-bf               | ban    | BR      |  xxxxxxxxxx xxxxxxxxxxxxxxxx   |      6 | 1m48.728998974s |    33458 |
|        |          |                  |                                    |        |         | LTDA                           |        |                 |          |
+--------+----------+------------------+------------------------------------+--------+---------+--------------------------------+--------+-----------------+----------+
  • SOURCE : the origin of the decision:
    • crowdsec : decision taken by the local crowdsec agent because a scenario triggered
    • cscli : manual decision added with cscli
    • CAPI : decision received from the CrowdSec Central API (the community blocklist)
  • SCOPE:VALUE is the target of the decision :
    • "scope" : the scope of the decision (ip, range, user ...)
    • "value" : the value the decision applies to (an IP address, an IP range, a username ...)
  • REASON is the scenario that was triggered (or the human-supplied reason of a manual decision)
  • ACTION is the type of the decision (ban, captcha ...)
  • COUNTRY and AS are filled in by GeoIP enrichment, when it is available
  • EVENTS is the number of events that triggered this decision
  • EXPIRATION is the time left before the remediation expires
  • ALERT ID is the ID of the corresponding alert

See the command's own help (sudo cscli decisions list --help) for the additional filtering and output-control flags, such as the machine-readable output formats that are easier to script against than the table above.
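As an added example (not code from the CrowdSec project or from this page), the POSIX shell functions below summarise the machine-readable output of cscli decisions list -o raw: decisions per action, decisions per source, targets that carry more than one active decision, and the decisions added by one source (for instance every manual cscli decision, which is worth auditing). The example assumes that the raw output is CSV with a header row naming the columns of the table above (id, source, ip, reason, action, ...), with the ip column holding scope:value; check that assumption with sudo cscli decisions list -o raw | head -1 on your version. Columns are looked up by header name, so their order does not matter. The sample data is constructed, using RFC 5737 documentation addresses and private AS numbers.

```shell
#!/bin/sh
# Added example (not CrowdSec project code): summarise `cscli decisions list -o raw`.
# Assumption: raw output is CSV whose header row names the columns shown in the table
# (id,source,ip,reason,action,country,as,events_count,expiration,...), where "ip"
# holds scope:value. Columns are found by name, so their order does not matter, but
# naive comma splitting breaks if a field such as an AS name itself contains a comma.

# count_by <column> : reads the CSV on stdin, prints "value count" per distinct value.
count_by() {
    awk -F, -v want="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == want) c = i
                  if (!c) { print "count_by: no column named " want > "/dev/stderr"; exit 1 }
                  next }
        { n[$c]++ }
        END { for (v in n) print v, n[v] }' | LC_ALL=C sort
}

# multi_decision_targets : scope:value targets with more than one active decision.
# The human-readable table shows one row per alert, so these are easy to miss, and
# they matter when deleting (see "Delete a decision").
multi_decision_targets() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i
                  if (!("ip" in col)) { print "no ip column" > "/dev/stderr"; exit 1 }
                  next }
        { n[$(col["ip"])]++ }
        END { for (t in n) if (n[t] > 1) print t, n[t] }' | LC_ALL=C sort
}

# list_from_source <source> : "id target action reason" for decisions of one origin,
# e.g. `list_from_source cscli` to audit manual decisions.
list_from_source() {
    awk -F, -v src="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["source"]) == src { print $(col["id"]), $(col["ip"]), $(col["action"]), $(col["reason"]) }'
}

# Constructed sample (RFC 5737 documentation addresses, private AS numbers). In real
# use, pipe `sudo cscli decisions list -o raw` into the functions instead.
SAMPLE='id,source,ip,reason,action,country,as,events_count,expiration,simulated
276009,crowdsec,Ip:192.0.2.10,crowdsecurity/telnet-bf,ban,CN,64496 Example Advertising,7,2m53s,false
276008,crowdsec,Ip:198.51.100.7,crowdsecurity/smb-bf,ban,BR,64497 Example Telecom LTDA,6,1m48s,false
276010,cscli,Ip:192.0.2.10,web bruteforce,captcha,,,0,3h59m,false
276011,CAPI,Range:203.0.113.0/24,crowdsecurity/ssh-bf,ban,,,0,23h,false'

printf '%s\n' "$SAMPLE" | count_by action
printf '%s\n' "$SAMPLE" | count_by source
printf '%s\n' "$SAMPLE" | multi_decision_targets
printf '%s\n' "$SAMPLE" | list_from_source cscli
```

On a live machine replace the sample with the real output, e.g. sudo cscli decisions list -o raw | multi_decision_targets. If your version quotes fields that contain commas, switch to a CSV-aware parser before relying on the counts.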

Add a decision

Ban an IP

sudo cscli decisions add -i
  • default duration: 4h
  • default type: ban

Add a decision (ban) on IP for 24 hours, with reason 'web bruteforce'

sudo cscli decisions add --ip --duration 24h --reason "web bruteforce"

Add a decision (ban) on range for 4 hours, with reason 'web bruteforce'

sudo cscli decisions add --range --reason "web bruteforce"

Add a decision (captcha) on an IP for 4 hours (the default duration), with reason 'web bruteforce'

sudo cscli decisions add --ip --reason "web bruteforce" --type captcha

Delete a decision

Delete the decision on IP

sudo cscli decisions delete --ip

Delete the decision on range

sudo cscli decisions delete --range

Please note that cscli decisions list shows only the latest alert per IP/scope, while several decisions targeting the same IP can coexist (for example an automatic ban from a scenario and a manual one added with cscli). Deleting by ID removes only the one decision you named; to be sure you clear every decision for a given IP/scope, delete by target instead: cscli decisions delete -i x.x.x.x

Delete a decision by ID

sudo cscli decisions delete --id 74
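The following is an added example that puts the "Add a decision" and "Delete a decision" commands above behind validated shell wrappers; it is not code from the CrowdSec project. It uses only the flags shown on this page (--ip, --range, --duration, --reason, --type, delete --ip). Everything else is an assumption of the example: the DRY_RUN variable (on by default, so the script prints the command it would run instead of executing it through sudo), the validators, which deliberately accept a subset of what cscli accepts (IPv4 only, h/m/s durations) so that typos fail locally rather than at the API, and the RFC 5737 documentation addresses in the walk-through, which are constructed and not real attackers. Deletion is done by target rather than by ID, for the reason given in the note above.

```shell
#!/bin/sh
# Added example (not CrowdSec project code): validated wrappers around
# `cscli decisions add` / `cscli decisions delete`, using the flags shown on this page.
# DRY_RUN=1 (the default, so running this file as-is is harmless) prints the command
# that would run; DRY_RUN=0 executes it through sudo.
DRY_RUN="${DRY_RUN:-1}"

run_cscli() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'cscli %s\n' "$*"
    else
        sudo cscli "$@"
    fi
}

# Dotted-quad IPv4 address with each octet in 0-255 (leading zeros rejected).
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# IPv4 CIDR range with a prefix length of 0-32.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    printf '%s' "${1#*/}" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$'
}

# Duration in the h/m/s form cscli accepts (4h, 30m, 1h30m ...). This is a deliberate
# subset, so that a typo such as "4hours" is caught here rather than by the API.
is_duration() {
    [ -n "$1" ] && printf '%s' "$1" | grep -Eq '^([0-9]+h)?([0-9]+m)?([0-9]+s)?$'
}

# ban_ip <ip> <duration> <reason> [type]   (type defaults to ban, as cscli does)
ban_ip() {
    is_ipv4 "$1"     || { echo "ban_ip: not an IPv4 address: $1" >&2; return 2; }
    is_duration "$2" || { echo "ban_ip: bad duration: $2" >&2; return 2; }
    run_cscli decisions add --ip "$1" --duration "$2" --reason "$3" --type "${4:-ban}"
}

# ban_range <cidr> <duration> <reason>
ban_range() {
    is_ipv4_cidr "$1" || { echo "ban_range: not an IPv4 CIDR range: $1" >&2; return 2; }
    is_duration "$2"  || { echo "ban_range: bad duration: $2" >&2; return 2; }
    run_cscli decisions add --range "$1" --duration "$2" --reason "$3"
}

# unban_ip <ip> : delete by target, not by ID, so that every decision on the IP goes
# (several can coexist even though `cscli decisions list` shows one row per alert).
unban_ip() {
    is_ipv4 "$1" || { echo "unban_ip: not an IPv4 address: $1" >&2; return 2; }
    run_cscli decisions delete --ip "$1"
}

# Dry-run walk-through with RFC 5737 documentation addresses (constructed, not real attackers).
ban_ip    192.0.2.10       24h "web bruteforce"
ban_ip    192.0.2.10       4h  "web bruteforce" captcha
ban_range 198.51.100.0/24  4h  "web bruteforce"
unban_ip  192.0.2.10
```

Source the file and call the functions with DRY_RUN=0 to act on the local API; keep the default while testing, and read the printed commands before switching, since a mistyped range bans far more than one host.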

Delete all existing bans

Flush all the existing bans

sudo cscli decisions delete --all

This also removes every existing ban, whatever its source (scenario, manual cscli decision or CAPI), so check the list first.