CrowdSec-Manager Docs

Alerts Analysis

Analyze and filter security alerts


The Alerts page provides a powerful interface for searching, filtering, and analyzing security alerts generated by CrowdSec. This is your primary tool for investigating potential attacks and understanding threat patterns.

Filtering Alerts

You can filter alerts using a wide range of criteria to narrow down your investigation.

Available Filters

  • Alert ID: Search for a specific alert by its unique ID.
  • Time Range:
    • Since: Only alerts newer than the given duration, e.g., 4h (last 4 hours), 30d (last 30 days).
    • Until: Only alerts older than the given duration, e.g., 1h (created at least 1 hour ago).
  • Source:
    • IP Address: A specific IP (e.g., 1.2.3.4).
    • IP Range: CIDR notation (e.g., 1.2.3.0/24).
  • Scope: Filter by scope type (ip, range, or a custom scope such as a username or country code).
  • Value: Match the alert's source value exactly. What that value is depends on the scope: the IP for ip, the CIDR for range, the scope's own value for custom scopes.
  • Scenario: Filter by the full scenario name (e.g., crowdsecurity/ssh-bf).
  • Decision Type: Only alerts that produced a decision of this type (ban, captcha, throttle).
  • Origin: Source of the alert (cscli, crowdsec, CAPI, etc.).
  • Include CAPI: Checkbox to include alerts received from the CrowdSec Central API (community signals). Leave it unchecked when you only want what your own machines observed.

Applying Filters

After entering your criteria, click the Apply Filters button to update the results. Use Reset to clear all fields.

Viewing Results

The results section displays a list of alerts matching your criteria.

  • Summary: Shows the scenario name, target value, and decision type.
  • Details: Click on an alert to expand it and view:
    • Events Count: How many events fed the bucket that produced this alert.
    • Timeline: Start and Stop timestamps, i.e., the first and last event that contributed to the alert.
    • Capacity & Leak Speed: The parameters of the leaky bucket whose overflow produced the alert. Capacity is how many events the bucket holds before it overflows and leak speed is how fast it drains, so together they tell you how dense a burst had to be to trigger the scenario.
    • Decisions: The specific decisions (bans, etc.) resulting from this alert.
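To see how Capacity, Leak Speed, Events Count and the Start/Stop timeline relate, here is an added example (not CrowdSec's own bucket implementation) that simulates a simplified leaky bucket over a constructed event stream. Capacity 5 and leak speed 10s are assumed values of the kind a brute-force scenario uses, T0 is an assumed base time, and the reset-after-overflow behaviour ignores blackhole and the other real scenario options.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed base time; event offsets below are seconds from it.
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class LeakyBucket:
    """Simplified CrowdSec-style leaky bucket: each event adds one unit, the bucket
    drains one unit per `leakspeed` seconds, and it overflows when the level
    exceeds `capacity`, i.e. on the (capacity + 1)-th event inside the window."""
    capacity: int
    leakspeed: float                 # seconds per leaked unit
    level: float = 0.0
    last: Optional[float] = None     # offset of the previous event
    events: List[float] = field(default_factory=list)

    def feed(self, t: float):
        """Record one event at offset t; return an alert-like dict on overflow,
        else None. The bucket starts over after an overflow (no blackhole)."""
        if self.last is not None:
            # Drain what leaked out since the previous event, never below empty.
            self.level = max(0.0, self.level - (t - self.last) / self.leakspeed)
        self.last = t
        self.level += 1
        self.events.append(t)
        if self.level <= self.capacity:
            return None
        alert = {
            "events_count": len(self.events),     # events that fed this bucket
            "start_at": (T0 + timedelta(seconds=self.events[0])).isoformat(),
            "stop_at": (T0 + timedelta(seconds=t)).isoformat(),
            "capacity": self.capacity,
            "leakspeed": f"{self.leakspeed:g}s",
        }
        self.level, self.last, self.events = 0.0, None, []
        return alert


def run_events(capacity, leakspeed, offsets):
    """Feed event offsets (seconds) through one bucket; return the alerts raised."""
    bucket = LeakyBucket(capacity, leakspeed)
    return [a for a in (bucket.feed(t) for t in offsets) if a is not None]


if __name__ == "__main__":
    # Constructed event streams against capacity 5 / leakspeed 10s.
    burst = [0, 1, 2, 3, 4, 5]        # six events in 5s: overflows on the 6th
    slow = [0, 20, 40, 60, 80, 100]   # same count, but each event leaks out first
    print(run_events(5, 10, burst))   # one alert with events_count 6
    print(run_events(5, 10, slow))    # []
```

The point the numbers make: with capacity 5, five events never alert no matter how fast they arrive; the sixth does, but only if it lands before the earlier ones have drained at one unit per leak-speed interval. Reading Capacity and Leak Speed on an alert therefore tells you how sustained the activity was, and Start/Stop brackets exactly that burst.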

Exporting Data

You can export the current filtered list of alerts to a CSV file for external analysis or reporting.

  1. Apply any desired filters.
  2. Click the Export CSV button in the top right of the results card.
  3. The file will automatically download with a timestamped filename.
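Putting the Available Filters and the CSV export together in code, as an added example that is not CrowdSec-Manager's own implementation: the filter keys mirror the fields listed above, the alert records are constructed in the shape the Local API returns from GET /v1/alerts (reduced to the fields used), NOW is an assumed clock, and the query-parameter names in lapi_query are the ones cscli sends to the LAPI (assumed here; confirm against your version's swagger). The Include CAPI handling and the export filename pattern are this example's simplifications, not the UI's.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed "now" so the Since/Until checks are deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample alerts (not real data) in the shape GET /v1/alerts returns,
# reduced to the fields used below.
SAMPLE_ALERTS = [
    {"id": 101, "scenario": "crowdsecurity/ssh-bf", "events_count": 6, "created_at": "2024-05-01T11:30:00Z",
     "source": {"scope": "Ip", "value": "1.2.3.4", "ip": "1.2.3.4"}, "decisions": [{"type": "ban", "origin": "crowdsec"}]},
    {"id": 102, "scenario": "crowdsecurity/http-probing", "events_count": 11, "created_at": "2024-04-30T09:00:00Z",
     "source": {"scope": "Ip", "value": "1.2.3.77", "ip": "1.2.3.77"}, "decisions": [{"type": "captcha", "origin": "crowdsec"}]},
    {"id": 103, "scenario": "crowdsecurity/ssh-bf", "events_count": 20, "created_at": "2024-05-01T11:59:00Z",
     "source": {"scope": "Ip", "value": "203.0.113.9", "ip": "203.0.113.9"}, "decisions": [{"type": "ban", "origin": "CAPI"}]},
    {"id": 104, "scenario": "manual 'ban' from 'admin'", "events_count": 0, "created_at": "2024-05-01T10:00:00Z",
     "source": {"scope": "Range", "value": "198.51.100.0/24", "range": "198.51.100.0/24"}, "decisions": [{"type": "ban", "origin": "cscli"}]},
]

_DURATION_RE = re.compile(r"^(\d+)([smhd])$")
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def parse_duration(text):
    """'4h' -> 4 hours, '30d' -> 30 days: the shorthand the Since/Until fields take."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})

def _created(alert):
    return datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00"))

def _source_net(alert):
    """The alert's source as a network; a single IP becomes a /32 or /128."""
    src = alert["source"]
    return ipaddress.ip_network(src.get("range") or src["ip"], strict=False)

def alert_matches(alert, f, now=NOW):
    """True if the alert satisfies every filter present in f (keys mirror the UI fields)."""
    if "id" in f and alert["id"] != f["id"]:
        return False
    if "since" in f and _created(alert) < now - parse_duration(f["since"]):
        return False  # Since: only alerts newer than the duration
    if "until" in f and _created(alert) > now - parse_duration(f["until"]):
        return False  # Until: only alerts at least that old
    if "ip" in f and ipaddress.ip_address(f["ip"]) not in _source_net(alert):
        return False  # an IP filter also hits a Range alert that covers the IP
    if "range" in f:
        cidr, net = ipaddress.ip_network(f["range"], strict=False), _source_net(alert)
        if net.version != cidr.version or not net.subnet_of(cidr):
            return False
    if "scope" in f and alert["source"]["scope"].lower() != f["scope"].lower():
        return False
    if "value" in f and alert["source"]["value"] != f["value"]:
        return False
    if "scenario" in f and alert["scenario"] != f["scenario"]:
        return False
    decisions = alert.get("decisions", [])
    if "decision_type" in f and not any(d["type"] == f["decision_type"] for d in decisions):
        return False
    if "origin" in f and not any(d["origin"] == f["origin"] for d in decisions):
        return False
    # Include CAPI unchecked: hide community signals (simplified: all decisions from CAPI).
    if not f.get("include_capi") and decisions and all(d["origin"] == "CAPI" for d in decisions):
        return False
    return True

def filter_alerts(alerts, f, now=NOW):
    return [a for a in alerts if alert_matches(a, f, now)]

def lapi_query(f):
    """Same filter as GET /v1/alerts query parameters, using the names cscli sends (assumed)."""
    q = {k: f[k] for k in ("scope", "value", "scenario", "ip", "range", "since",
                           "until", "decision_type", "origin") if k in f}
    q["include_capi"] = "true" if f.get("include_capi") else "false"
    return q

def alerts_to_csv(alerts):
    """One row per alert; its decisions are joined as type:origin in a single column."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["id", "created_at", "scenario", "scope", "value", "events_count", "decisions"])
    for a in alerts:
        w.writerow([a["id"], a["created_at"], a["scenario"], a["source"]["scope"],
                    a["source"]["value"], a["events_count"],
                    ";".join(f"{d['type']}:{d['origin']}" for d in a.get("decisions", []))])
    return buf.getvalue()

def export_filename(now=NOW):
    """Timestamped download name, e.g. alerts-20240501-120000.csv (pattern assumed)."""
    return f"alerts-{now:%Y%m%d-%H%M%S}.csv"

if __name__ == "__main__":
    f = {"since": "4h", "scenario": "crowdsecurity/ssh-bf", "decision_type": "ban"}
    print(lapi_query(f))
    print(alerts_to_csv(filter_alerts(SAMPLE_ALERTS, f)), end="")
```

Two behaviours worth noticing: the ssh-bf alert with a CAPI-origin decision (id 103) drops out of the default view and reappears only with include_capi set, and an IP filter still matches a Range alert that covers that address, so a single suspect IP is not lost behind a manual range ban.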
