Introduction

What is the Live Exploit Tracker

The Live Exploit Tracker allows you to interact with CrowdSec's Threat Intelligence data, specifically focusing on CVEs and the IPs that exploit them. This enables you to prioritize vulnerabilities based on real-world exploitation data and mitigate threats by integrating IOCs with your existing security infrastructure: firewalls, SIEM, SOAR etc.

Live Exploit Tracker can be used via a web interface, or via the RESTful API.

What to expect

The Exploit Tracker API and Web applications allows you to:

• Get information related to specific CVE(s) as observed by the CrowdSec Network, helping you to prioritize.
• Get CTI data and IPs actively exploiting a specific CVE(s) for mitigation or threat hunting.
• Create and maintain blocklists of IPs exploiting specific vulnerabilities that can be easily integrated into most firewalls.

Prioritize

For a CVE, get:

• General CVE information: Name, Title, Affected Components, CWEs, References, CVSS score, Presence of known public exploit etc.
• Number of IPs actively exploiting the vulnerability.
• CrowdSec Analysis: A human readable text covering the most important information about the vulnerability:
  • Technical description of the vulnerability
  • Relevant information about payload such as targeted URI
  • Description of exploitation patterns, from targeted to large-scale opportunistic attacks
• CrowdSec Scores:
  • CrowdSec Score: A one-size-fits-all score that indicates how a SOC could prioritize a security alert for a given CVE. Generally CVEs where CrowdSec observes strong increases in targeted attacks have a higher score than vulnerabilities which are mainly used by automated mass-scanners in non-sophisticated global campaigns.
  • Opportunity Score: A score from 0 to 5 indicating how opportunistic the attackers for a given CVE operate. A score of 0 is given to CVEs where attackers essentially target IPs at random in an automated fashion while a score of 5 is given to CVEs which see precisely targeted exploitation making alerts much more indicative of a dangerous attack campaign targeting your organization.
  • Momentum Score: A score from 0 to 5 indicating the how current exploitation volume compares to historical averages for a given CVE. CVEs where we observe below average attack volume (decreasing trend) are given a low score, while CVEs where we see rapidly growing attack volume (increasing trend) are given a high score.
  • Exploitation Status: The current exploitation status of the vulnerability, from "early exploitation" to "background noise".
• Timeline information:
  • First and Last exploitation observed
  • CVE Publication date, Detection rule Publication date, CISA KEV addition etc.
  • List of general events related to the CVE and its exploitation status.

Mitigate

From a CVE, get related IPs for different usecases:

CTI Information

• List of IPs exploiting the vulnerability over a given period, with their associated information, from reputation to known classifications. Allows to differentiate legitimate scanning actors (ie. shodan etc.), well-known attackers and newly deployed infrastructures.

Blocklists

• Create integrations allowing blocklist consumption from various firewall vendors.
• Subscribe integrations to CVEs, effectively blocking suspicious and malicious IPs known to actively exploit the vulnerability.

Web interface

Prerequisites

To access the Exploit Tracker API, you need an API key. Please contact the CrowdSec team to obtain your API key if you haven't already.

Access

Connect to https://let-demo.dev.crowdsec.net/ and put your provided API key in the top right field.

API

Prerequisites

To access the Exploit Tracker API, you need an API key. Please contact the CrowdSec team to obtain your API key if you haven't already.

You can use our python SDK: pip install crowdsec-tracker-api

Authentication

To interact with the API, you need to configure the authentication using your API key.

import os
from crowdsec_tracker_api import ApiKeyAuth, Server

KEY = os.getenv("KEY")

# Configure Authentication
auth = ApiKeyAuth(api_key=KEY)

# Define the Server URL
base_url = Server.production_server.value

Quick Example: Get CVE Information

Here is a simple example of how to retrieve information about a specific CVE using the SDK.

cURL

curl -i -H "x-api-key: ${KEY}" -X GET -H "Content-Type: application/json" \
https://admin.api.crowdsec.net/v1/cves/CVE-2024-25600

Python

import os
from crowdsec_tracker_api import Cves, ApiKeyAuth, Server
from httpx import HTTPStatusError

KEY = os.getenv("KEY")

# Configure Authentication
auth = ApiKeyAuth(api_key=KEY)

# Initialize the Cves service
cves_service = Cves(auth=auth)

# Get CVE Details
cve_id = "CVE-2024-25600"
try:
    cve_details = cves_service.get_cve(cve_id)
    print(f"CVE: {cve_details.model_dump_json(indent=2)}")
except HTTPStatusError as e:
    print(f"An error occurred: {e.response.status_code} - {e.response.text}")

answer on success

{
  "cve_id": "CVE-2024-25600",
  "description": "Description of the CVE...",
  "severity": "High",
  "exploit_count": 42,
  "first_seen": "2024-01-15T12:34:56Z",
  "last_seen": "2024-06-10T08:22:33Z"
  ... other fields ...
}

Next Steps

Now you can:

• Explore the API Reference for detailed information on all available endpoints.
• Learn how to use Prioritize CVEs based on real-world exploitation
• Discover how to Mitigate Threats by integrating with your security appliances.
• Explore the SDK documentation on GitHub