almost finished

Author: jdv

crowdsec-docs/sidebarsUnversioned.ts

@@ -342,7 +342,7 @@ const sidebarsUnversionedConfig: SidebarConfig = {
 				},
 				{
 					type: "category",
-					label: "API",
+					label: "API Keys",
 					link: {
 						type: "doc",
 						id: "console/ip_reputation/api_keys",
@@ -366,7 +366,7 @@ const sidebarsUnversionedConfig: SidebarConfig = {
 						},
 						{
 							type: "link",
-							label: "Technical Documentation",
+							label: "Enrichment Fields Ref",
 							href: "/u/cti_api/taxonomy/intro",
 							customProps: {
 								tag: "otherSection",

crowdsec-docs/static/img/ipdex_demo.png

@@ -47,240 +47,12 @@ Only Premium orgizations can buy keys with higher quotas. See [Premium API Keys]
 />
   </div>
 </div>
-## Accessing the API
+## Using the API
 
-### cURL
+CrowdSec provides [ready-made integrations](/u/cti_api/api_integration/integration_intro) for the most common security platforms — SIEM, SOAR, TIP, and investigation tools. If your platform is listed, that's the fastest way to get started.
 
-You can test your newly created API key by running the following command in your terminal:
+If you prefer to use your own scripts, call the API directly from the command line, or build custom playbooks, the API is a straightforward REST interface authenticated with your key.
 
-:::info
-Replease `$API_KEY` with your actual API key.
-:::
-
-```shell
-curl -H "x-api-key: $API_KEY" https://cti.api.crowdsec.net/v2/smoke/185.7.214.104 | jq .
-```
-
-And the default output looks something like this:
-
-<details>
-
-<summary>Command Output</summary>
-
-```json
-{
-  "ip_range_score": 5,
-  "ip": "[CENSORED]",
-  "ip_range": "[CENSORED]",
-  "as_name": "[CENSORED]",
-  "as_num": 0,
-  "location": {
-    "country": "FR",
-    "city": "",
-    "latitude": 0.0,
-    "longitude": 0.0
-  },
-  "reverse_dns": "[CENSORED]",
-  "behaviors": [
-    {
-      "name": "http:scan",
-      "label": "HTTP Scan",
-      "description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."
-    },
-    {
-      "name": "ssh:bruteforce",
-      "label": "SSH Bruteforce",
-      "description": "IP has been reported for performing brute force on ssh services."
-    },
-    {
-      "name": "http:exploit",
-      "label": "HTTP Exploit",
-      "description": "IP has been reported for attempting to exploit a vulnerability in a web application."
-    },
-    {
-      "name": "generic:exploit",
-      "label": "Exploitation attempt",
-      "description": "IP has been reported trying to exploit known vulnerability/CVE on unspecified protocols."
-    }
-  ],
-  "history": {
-    "first_seen": "2022-05-28T16:00:00+00:00",
-    "last_seen": "2023-10-15T05:45:00+00:00",
-    "full_age": 507,
-    "days_age": 505
-  },
-  "classifications": {
-    "false_positives": [],
-    "classifications": []
-  },
-  "attack_details": [
-    {
-      "name": "crowdsecurity/http-probing",
-      "label": "HTTP Probing",
-      "description": "Detect site scanning/probing from a single ip",
-      "references": []
-    },
-    {
-      "name": "crowdsecurity/ssh-bf",
-      "label": "SSH Bruteforce",
-      "description": "Detect ssh bruteforce",
-      "references": []
-    },
-    {
-      "name": "crowdsecurity/ssh-slow-bf",
-      "label": "SSH Bruteforce",
-      "description": "Detect slow ssh bruteforce",
-      "references": []
-    },
-    {
-      "name": "crowdsecurity/http-bad-user-agent",
-      "label": "detection of bad user-agents",
-      "description": "Detect bad user-agents",
-      "references": []
-    },
-    {
-      "name": "crowdsecurity/suricata-major-severity",
-      "label": "Suricata Severity 1 Event",
-      "description": "Detect exploit attempts via emerging threat rules",
-      "references": []
-    },
-    {
-      "name": "crowdsecurity/modsecurity",
-      "label": "Modsecurity Alert",
-      "description": "Web exploitation via modsecurity",
-      "references": []
-    }
-  ],
-  "target_countries": {
-    "AT": 0,
-    "AU": 2,
-    "BR": 0,
-    "CA": 4,
-    "CH": 0,
-    "CN": 0,
-    "DE": 79,
-    "DK": 0,
-    "ES": 0,
-    "FI": 12
-  },
-  "background_noise_score": 10,
-  "mitre_techniques": [
-    {
-      "name": "T1595",
-      "label": "Active Scanning",
-      "description": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190))."
-    },
-    {
-      "name": "T1110",
-      "label": "Brute Force",
-      "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access."
-    },
-    {
-      "name": "T1190",
-      "label": "Exploit Public-Facing Application",
-      "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)"
-    }
-  ],
-  "cves": [],
-  "scores": {
-    "overall": {
-      "aggressiveness": 5,
-      "threat": 2,
-      "trust": 4,
-      "anomaly": 0,
-      "total": 4
-    },
-    "last_day": {
-      "aggressiveness": 0,
-      "threat": 0,
-      "trust": 0,
-      "anomaly": 0,
-      "total": 0
-    },
-    "last_week": {
-      "aggressiveness": 5,
-      "threat": 2,
-      "trust": 4,
-      "anomaly": 0,
-      "total": 4
-    },
-    "last_month": {
-      "aggressiveness": 5,
-      "threat": 2,
-      "trust": 4,
-      "anomaly": 0,
-      "total": 4
-    }
-  },
-  "references": []
-}
-
-```
-
-</details>
-
-### ipdex
-
-You can interact with the CrowdSec CTI API with the [`ipdex`](https://github.com/crowdsecurity/ipdex) tool.
-
-First, initiliaze the tool with your API key:
-
-```console
-ipdex init
-```
-
-And then analyze an IP or a file of IPs:
-
-```console
-ipdex 193.105.134.155
-```
-
-<details>
-
-<summary>Command Output</summary>
-
-```console
-IP Information
-
-IP                       	193.105.134.155
-Reputation               	malicious
-Confidence               	high
-Country                  	SE 🇸🇪
-Autonomous System        	w1n ltd
-Reverse DNS              	N/A
-Range                    	193.105.134.0/24
-First Seen               	2023-06-23T01:15:00
-Last Seen                	2025-05-11T11:15:00
-Console URL              	https://app.crowdsec.net/cti/193.105.134.155
-Last Local Refresh       	2025-05-12 16:44:21
-
-Threat Information
-
-Behaviors
-                         	HTTP Scan
-                         	HTTP Bruteforce
-                         	SSH Bruteforce
-                         	... and 2 more
-
-
-Classifications
-                         	Spoofed User Agent
-                         	TOR exit node
-                         	VPN or Proxy
-                         	... and 1 more
-
-
-Blocklists
-                         	Extended AI-Detected VPN/Proxy
-                         	CrowdSec Intelligence Blocklist
-
-Target countries
-     🇺🇸 US             		29%
-     🇩🇪 DE             		15%
-     🇵🇱 PL             		12%
-                         	... and 2 more
-```
-</details>
 
 <AcademyPromo
   image="crowdsec_threat_intelligence.svg"

crowdsec-docs/unversioned/console/ip_reputation/api_keys.mdx

@@ -4,7 +4,15 @@ title: Premium CTI API Keys
 sidebar_position: 2
 ---
 
-// Premium plan come with increased quotas on its free CTI KEY
-// also allow oyu to buy bigger quotas CTI API Keys if needed
+A [Premium Plan](/u/console/premium_upgrade) unlocks two benefits for CTI API access:
 
-...
+- **Increased free quota** — the complimentary CTI key included with every account has a higher weekly allowance on a Premium plan than on the free Community plan.
+- **Purchasable high-quota keys** — Premium organizations can buy additional CTI API keys with larger monthly quotas (5K, 25K, or 100K queries/month) to support production integrations, automated enrichment pipelines, and high-volume use cases.
+
+For current quota tiers and pricing, go to **Settings → CTI API Keys** in the Console and click **+ New Key** — all available options and their costs are shown there.
+
+:::warning CTI API Keys and trials
+- Purchasing a CTI API Key does **not** grant access to a Premium Plan trial.
+- Purchasing a CTI API Key while a trial is active will **immediately end the trial**.
+- Cancelled CTI API Keys are **non-refundable** and will not be prorated — the full price remains due regardless of when the cancellation occurs.
+:::

crowdsec-docs/unversioned/console/ip_reputation/api_keys_premium.mdx

@@ -3,6 +3,16 @@ id: integration_intro
 title: Integrations
 ---
 
+CrowdSec has developed native integrations for the most common security platforms so you can enrich your workflows with IP reputation data without writing any code. If your platform isn't listed, the API is a standard REST interface — you can query it directly with cURL, write your own scripts, or build custom playbooks in any SIEM, SOAR, or TIP that supports HTTP enrichment:
+
+```shell
+curl -H "x-api-key: $API_KEY" https://cti.api.crowdsec.net/v2/smoke/1.2.3.4 | jq .
+```
+
+For the full API reference, see the [Swagger documentation](https://crowdsecurity.github.io/cti-api/).
+
+---
+
 | Integration          | Description                                   |
 |---------------------------|----------------------------------------|
 | [Chrome](/cti_api/api_integration/integration_browser_chrome.md)                 | A Chrome extension which allows you to quickly search an IP on a web page       |

crowdsec-docs/unversioned/cti_api/api_integration/integration_intro.md

@@ -4,27 +4,34 @@ title: IPDEX
 sidebar_position: 1
 ---
 
-`ipdex` is a simple CLI tool developed by CrowdSec to gather insight about a list of IPs or an IP using the CrowdSec CTI (Cyber Threat Intelligence) API.
+`ipdex` is a tool developed by CrowdSec to investigate IP reputation using the CrowdSec CTI API. It is available as a **web application** and a **CLI**, and is particularly useful as a Proof of Value tool to assess CrowdSec's threat intelligence coverage across both blocklists and threat intel data.
 
-[Official IPDEX Repository](https://github.com/crowdsecurity/ipdex)
+## Web UI
 
-## Installation
+The [ipdex web app](https://ipdex.crowdsec.net/) lets you upload a list of IPs or a log file and instantly get a reputation report — no installation required.
 
-You can check the [install guide on ipdex repository](https://github.com/crowdsecurity/ipdex?tab=readme-ov-file#1-install).
+![ipdex web UI](/img/ipdex_demo.png)
 
+For full usage documentation, see [ipdex.crowdsec.net/docs](https://ipdex.crowdsec.net/docs).
 
-## Usage
+## CLI
 
-You can check the [user guide on ipdex repository](https://github.com/crowdsecurity/ipdex?tab=readme-ov-file#user-guide).
+The CLI version is available for local use and automation. It connects to the CTI API using your API key.
 
-Here are some screenshot to demonstrate ipdex user experience.
+[Official ipdex repository](https://github.com/crowdsecurity/ipdex)
 
-### Analyzing an IP address
+### Installation
 
-![IP Analyses](/img/ipdex/ipdex_ip.png)
+See the [install guide](https://github.com/crowdsecurity/ipdex?tab=readme-ov-file#1-install) on the ipdex repository.
 
+### Usage
 
-### Analyzing a log file
+See the [user guide](https://github.com/crowdsecurity/ipdex?tab=readme-ov-file#user-guide) on the ipdex repository.
 
+#### Analyzing an IP address
 
-![Log File Analyses](/img/ipdex/ipdex_log_file.png)
+![IP Analysis](/img/ipdex/ipdex_ip.png)
+
+#### Analyzing a log file
+
+![Log File Analysis](/img/ipdex/ipdex_log_file.png)