{"id":20317902,"url":"https://github.com/crowdsecurity/crowdsec-splunk-app","last_synced_at":"2026-01-08T17:21:05.709Z","repository":{"id":144629907,"uuid":"615305880","full_name":"crowdsecurity/crowdsec-splunk-app","owner":"crowdsecurity","description":null,"archived":false,"fork":false,"pushed_at":"2023-04-03T08:40:38.000Z","size":289,"stargazers_count":0,"open_issues_count":1,"forks_count":2,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-03-01T16:39:16.980Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/crowdsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-17T11:59:48.000Z","updated_at":"2023-03-17T12:10:48.000Z","dependencies_parsed_at":"2024-04-23T12:04:39.752Z","dependency_job_id":null,"html_url":"https://github.com/crowdsecurity/crowdsec-splunk-app","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crowdsecurity%2Fcrowdsec-splunk-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crowdsecurity%2Fcrowdsec-splunk-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crowdsecurity%2Fcrowdsec-splunk-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crowdsecurity%2Fcrowdsec-splunk-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/crowdsecurity","download_url"
:"https://codeload.github.com/crowdsecurity/crowdsec-splunk-app/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241818899,"owners_count":20025212,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T18:37:05.662Z","updated_at":"2026-01-08T17:21:05.705Z","avatar_url":"https://github.com/crowdsecurity.png","language":"Python","funding_links":[],"categories":["SIEM \u0026 Security Operations"],"sub_categories":["Other Bouncers"],"readme":"![Downloads](https://img.shields.io/endpoint?url=https%3A%2F%2Fsplunkbasebadge.livehybrid.com%2Fv1%2Fdownloads%2F6800)\n[![App Inspect](https://github.com/crowdsecurity/crowdsec-splunk-app/actions/workflows/appinspect.yml/badge.svg)](https://github.com/crowdsecurity/crowdsec-splunk-app/actions/workflows/appinspect.yml)\n![Cloud Compatible](https://img.shields.io/endpoint?logo=icloud\u0026url=https%3A%2F%2Fsplunkbasebadge.livehybrid.com%2Fv1%2Fsplunkcloud%2F6800)\n![Compatibility](https://img.shields.io/endpoint?url=https%3A%2F%2Fsplunkbasebadge.livehybrid.com%2Fv1%2Flatest_compat%2F6800)\n## Overview\nThe CrowdSec Splunk app leverages the CrowdSec's CTI API's smoke endpoint which enables users to query an IP and receive enrichment\n\n\n## Table of Contents\n- [Overview](#overview)\n- [Example Usage](#example-usage)\n- [Results](#results)\n- [Profiles](#profiles)\n- [Local Dump](#local-dump)\n- [Configuration file](#configuration-file)\n  - [`api_key`](#api_key)\n  - [`batching`](#batching)\n  - [`batch_size`](#batch_size)\n  - 
[`local_dump`](#local_dump)\n\n\n## Example Usage\n\nThe following command runs an IP check through the CrowdSec CTI API's smoke endpoint. On the home page of the Splunk Web interface, select `Search \u0026 Reporting` and use the following command.\n\n```\n| makeresults | eval ip=\"\u003cdest_ip\u003e\" | cssmoke ipfield=\"ip\"\n```\n\n- `cssmoke`:\n    - Custom command driving the core functionality of the application.\n\n- `ipfield`:\n    - The name of the field in which the IP address is stored in the index.\n\n- `profile`:\n    - Optional preset that selects a predefined set of CrowdSec output fields (it is possible to specify multiple profiles).\n\n## Results\nAfter clicking the `Search` button, users will be able to view a brief overview of the various fields associated with the input IP address.\n\nThis includes, but is not limited to, location, behaviors, classifications, attack details (name, label, description, references), followed by scores, threats, etc.\n\n## Profiles\n\nProfiles are optional presets that automatically select a predefined set of CrowdSec output fields, so results stay consistent and you don’t have to manually maintain long `ipfield=` lists.\n\n- `base`: returns `ip`, `reputation`, `confidence`, `as_num`, `as_name`, `location`, `classifications`.\n\n- `anonymous` (aliases: `vpn`, `proxy`): returns `ip`, `reputation`, `proxy_or_vpn`, `classifications`.\n\n- `iprange`: returns `ip`, `ip_range`, `ip_range_24`, `ip_range_24_score`.\n\nYou can provide multiple profiles in the same command:\n\n```\n| cssmoke ipfield=\"ip\" profile=\"anonymous,iprange\"\n```\n\nThe output will contain the columns for both the `anonymous` and the `iprange` profiles.\n\n## Local Dump\n\nThe first time you set up the local dump feature, you need to manually download the CrowdSec lookup databases (they will be updated automatically every 24h after that):\n\n```\n| cssmokedownload\n```\n\nAfter that, you can look up IPs using the local databases.\n\n
**Note:** Check the `query_time` and `query_mode` fields in the results to confirm whether lookups are done via `local_dump` or the live API.\n\n## Configuration file\n\nYou can configure the CrowdSec app by uploading a JSON configuration file:\n\n```\n{\n    \"api_key\": \"YOUR_API_KEY_HERE\",\n    \"batching\": true|false,\n    \"batch_size\": 20,\n    \"local_dump\": true|false\n}\n```\n\n### `api_key`\n\nCrowdSec CTI API key.\n\n**Warning:** Local dump and live CTI API lookups are mutually exclusive (enable only one mode).\n\n### `batching`\n\nEnable batching for live CTI API lookups.\n\n### `batch_size`\n\nBatch size used when `batching` is enabled.\n\n### `local_dump`\n\nEnable local dump mode (use the downloaded lookup databases).\n\nLookup databases are downloaded automatically every 24h.\n\n**Warning:** Local dump requires a CTI API key that has access to the dump endpoint.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrowdsecurity%2Fcrowdsec-splunk-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcrowdsecurity%2Fcrowdsec-splunk-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrowdsecurity%2Fcrowdsec-splunk-app/lists"}