
Guide: Proactive Monitoring

Scenario

Rather than reacting to alerts one at a time, you want to proactively monitor the threat landscape for vulnerabilities relevant to your technology stack. This guide shows how to set up ongoing monitoring using the Live Exploit Tracker.

Step 1: Identify Your Technology Stack

Start by identifying the vendors, products, and technology categories you care about. Common examples:

If you run...             | Monitor these tags/vendors
--------------------------|-------------------------------------------
WordPress sites           | Tag: wordpress, cms
Microsoft infrastructure  | Vendor: Microsoft, Tags: enterprise_software
Network appliances        | Vendors: F5, Cisco, Palo Alto, Fortinet
Java applications         | Tag: web_application, specific product names

Step 2: Explore Coverage

Use the lookup endpoints to see what CrowdSec tracks for your stack.

Via Web Interface

Browse the CVE and fingerprint rule lists, filtering by tag or searching by product name.

Via API

# What WordPress vulnerabilities does CrowdSec track?
curl -X 'GET' \
'https://admin.api.crowdsec.net/v1/tags/wordpress' \
-H 'accept: application/json' \
-H 'x-api-key: ${KEY}'

# What Microsoft products are covered?
curl -X 'GET' \
'https://admin.api.crowdsec.net/v1/vendors/Microsoft' \
-H 'accept: application/json' \
-H 'x-api-key: ${KEY}'

# List fingerprint rules (50 per page); page through and look for the Exchange-related rules
curl -X 'GET' \
'https://admin.api.crowdsec.net/v1/fingerprints?page=1&size=50' \
-H 'accept: application/json' \
-H 'x-api-key: ${KEY}'

Step 3: Subscribe to Your Vendors

The simplest way to get broad, ongoing coverage is to subscribe your integration to the vendors in your technology stack. A vendor subscription automatically covers all current and future CVEs and reconnaissance rules for that vendor's products — when a new threat is added, your blocklist is updated without any action on your part.

  1. Create a firewall integration (if you don't have one) — see Integrations & Blocklists
  2. Subscribe the integration to each vendor you rely on

# Subscribe to all Microsoft threats
curl -X 'POST' \
'https://admin.api.crowdsec.net/v1/vendors/Microsoft/integrations' \
-H 'accept: application/json' \
-H 'x-api-key: ${KEY}' \
-H 'Content-Type: application/json' \
-d '{"name": "production_firewall"}'

# Subscribe to all Citrix threats
curl -X 'POST' \
'https://admin.api.crowdsec.net/v1/vendors/Citrix/integrations' \
-H 'accept: application/json' \
-H 'x-api-key: ${KEY}' \
-H 'Content-Type: application/json' \
-d '{"name": "production_firewall"}'

For threats outside your subscribed vendors, you can also subscribe to individual fingerprint rules or CVEs:

# Subscribe to a specific reconnaissance rule
curl -X 'POST' \
'https://admin.api.crowdsec.net/v1/fingerprints/microsoft-exchange/integrations' \
-H 'accept: application/json' \
-H 'x-api-key: ${KEY}' \
-H 'Content-Type: application/json' \
-d '{"name": "production_firewall"}'

Step 4: Monitor New and Trending CVEs

If you've subscribed to your vendors (Step 3), new CVEs are automatically covered in your blocklist. However, you'll still want to monitor the threat landscape for situational awareness and to inform patching priorities:

# Get the latest detection rules, sorted by release date
curl -X 'GET' \
'https://admin.api.crowdsec.net/v1/cves?sort_by=rule_release_date&sort_order=desc&size=20' \
-H 'accept: application/json' \
-H 'x-api-key: ${KEY}'

# Get the most actively exploited CVEs right now
curl -X 'GET' \
'https://admin.api.crowdsec.net/v1/cves?sort_by=trending&sort_order=desc&size=20' \
-H 'accept: application/json' \
-H 'x-api-key: ${KEY}'

For each new CVE that affects your products:

  1. Check the CrowdSec Score and Exploitation Phase
  2. Read the CrowdSec Analysis for exploitation context
  3. If the CVE is from a vendor you've subscribed to, your blocklist is already protecting you. If not, subscribe the integration to the CVE directly.
  4. Open a patching ticket with the appropriate priority
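The triage checklist above, and the SIEM priority assignment described in Step 6, as an added example (not CrowdSec's own code): it screens the "items" list of a /v1/cves response against your stack tags, decides whether a vendor subscription already covers each CVE, and derives a ticket priority from the CrowdSec Score. Field names follow the attribute names used in the Step 5 script; the "vendor" key, the phase labels and the P2 cut-off are assumptions to verify against a real response.

```python
# Triage of Step 4 applied to the "items" list of a /v1/cves response.
# Keys follow the Step 5 script (name, title, crowdsec_score,
# exploitation_phase.label, nb_ips, tags); "vendor" is an assumption.

SCORE_THRESHOLD = 4                          # same threshold as the monitoring script
MY_TAGS = {"wordpress", "cms", "enterprise_software"}
SUBSCRIBED_VENDORS = {"Microsoft", "Citrix"}  # vendor subscriptions made in Step 3
SUBSCRIBED_CVES = set()                      # CVEs subscribed to directly


def patch_priority(score):
    """Map a CrowdSec Score to a ticket priority (the P2 cut-off is illustrative)."""
    if score >= SCORE_THRESHOLD:
        return "P1"
    return "P2" if score >= 2 else "P3"


def triage(cve, my_tags=MY_TAGS, vendors=SUBSCRIBED_VENDORS, cves=SUBSCRIBED_CVES):
    """Return a ticket dict for one CVE record, or None if it is not in our stack."""
    if not set(cve.get("tags") or []) & my_tags:
        return None
    covered = cve.get("vendor") in vendors or cve["name"] in cves
    return {
        "cve": cve["name"],
        "priority": patch_priority(cve["crowdsec_score"]),
        "phase": cve["exploitation_phase"]["label"],
        "ips": cve["nb_ips"],
        "blocklist": "covered by vendor subscription" if covered
        else "subscribe integration to this CVE",
    }


def triage_items(items, **kw):
    """Tickets for every relevant CVE, most urgent first."""
    tickets = [t for t in (triage(c, **kw) for c in items) if t]
    return sorted(tickets, key=lambda t: t["priority"])


SAMPLE_ITEMS = [  # constructed sample records, not real API output
    {"name": "CVE-0000-0001", "title": "Sample Exchange bug", "vendor": "Microsoft",
     "tags": ["enterprise_software"], "crowdsec_score": 5,
     "exploitation_phase": {"label": "exploited"}, "nb_ips": 1200},
    {"name": "CVE-0000-0002", "title": "Sample CMS plugin bug", "vendor": "ExampleCo",
     "tags": ["wordpress", "cms"], "crowdsec_score": 3,
     "exploitation_phase": {"label": "scanning"}, "nb_ips": 40},
    {"name": "CVE-0000-0003", "title": "Unrelated router bug", "vendor": "OtherVendor",
     "tags": ["network"], "crowdsec_score": 5,
     "exploitation_phase": {"label": "exploited"}, "nb_ips": 900},
]

if __name__ == "__main__":
    for t in triage_items(SAMPLE_ITEMS):
        print(f"[{t['priority']}] {t['cve']} ({t['phase']}, {t['ips']} IPs): {t['blocklist']}")
```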

Step 5: Build a Monitoring Script

Here's a template for a daily check that surfaces new and trending threats for your stack:

import os
from crowdsec_service_api import Cves, ApiKeyAuth

KEY = os.getenv("CROWDSEC_SERVICE_API_KEY")
auth = ApiKeyAuth(api_key=KEY)
cves_service = Cves(auth=auth)

# Define your technology stack tags
MY_TAGS = {"wordpress", "cms", "enterprise_software"}

# Fetch a page of CVEs to screen
response = cves_service.get_cves(page=1, size=50)

alerts = []
for cve in response.items:
    # Filter for CVEs relevant to your stack
    cve_tags = set(getattr(cve, 'tags', []) or [])
    if not cve_tags.intersection(MY_TAGS):
        continue

    # Flag anything with a meaningful CrowdSec Score
    if cve.crowdsec_score >= 4:
        alerts.append({
            "cve": cve.name,
            "title": cve.title,
            "score": cve.crowdsec_score,
            "phase": cve.exploitation_phase.label,
            "ips": cve.nb_ips,
        })

# Output alerts, highest score first (integrate with your notification system)
for alert in sorted(alerts, key=lambda x: x["score"], reverse=True):
    print(f"[Score {alert['score']}] {alert['cve']}: {alert['title']}")
    print(f"  Phase: {alert['phase']}, Active IPs: {alert['ips']}")

Step 6: Integrate with Your Security Stack

The Live Exploit Tracker API can feed data into:

  • SIEM: Enrich alerts with CrowdSec Scores and exploitation context. When your SIEM fires an alert for a CVE, automatically look up the CrowdSec intelligence to assign priority.
  • SOAR: Build playbooks that react to new high-severity CVEs. If you're using vendor subscriptions, the blocklist is already covered — your playbook can focus on escalation, ticket creation, and patching workflows.
  • Vulnerability Management: Correlate your vulnerability scanner findings with real-world exploitation data to reorder your patch queue.
  • Reporting Dashboards: Pull scores and phase data into your security dashboard to give leadership a real-time view of the threat landscape.