Merge branch 'main' into 1.6.3-cscli

crowdsec-docs/docs/parsers/patterns-documentation.md

@@ -666,7 +666,7 @@ Pattern :
 
 Pattern :
 ```
-[a-zA-Z][a-zA-Z0-9_.+-=:]+
+[a-zA-Z0-9_.+-=:]+
 ```
 
 ## URIPATHPARAM

crowdsec-docs/sidebarsUnversioned.js

@@ -329,6 +329,7 @@ module.exports = {
                 "integrations/f5",
                 "integrations/fortinet",
                 "integrations/paloalto",
+                "integrations/sophos",
                 "integrations/genericfirewall",
                 "integrations/remediationcomponent",
             ]
@@ -454,6 +455,7 @@ module.exports = {
                         "getting_started/post_installation/console_hub",
                     ],
                 },
+                "getting_started/post_installation/whitelists",
                 {
                     type: "category",
                     label: "Acquisition",

crowdsec-docs/unversioned/console/blocklists/integrations/firewall.md

@@ -36,6 +36,7 @@ Every product product has its way to handle external blocklists. We provide a si
 | [F5](https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-network-firewall-policies-and-implementations-14-0-0/07.html)                                           | Custom     | `192.168.38.187,32,BL,crowdsec-myf5Integration`<br /> `192.168.38.188,32,BL,crowdsec-myf5Integration`                           |
 | [Fortinet](https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/891236/external-blocklist-policy)                                                                     | Plain text | `192.168.38.187`<br />`192.168.38.186`                                                                                          |
 | [Palo Alto](https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list#idf36cb80a-77f1-4d17-9c4b-7efe9fe426af)       | Plain text | `192.168.38.187`<br />`192.168.38.186`                                                                                          |
+| [Sophos](https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/ActiveThreatResponse/ThirdPartyThreatFeeds/index.html)                         | Plain text | `192.168.38.187`<br />`192.168.38.186`                                                                                          |
 | Generic vendor                                                                                                                                                                           | Plain text | `192.168.38.187`<br />`192.168.38.186`                                                                                          |
 
 ## How to bypass provider limit?

crowdsec-docs/unversioned/console/blocklists/subscription.md

@@ -1,11 +1,25 @@
 # Blocklist Subscription
 
-To begin the subscription process, click the _Subscribe_ button at the top of the blocklist details page. This will bring you to the bottom of the page, where you can subscribe to either Security Engines or integrations.
+To begin the subscription process, click the _Subscribe_ button at the top of the blocklist details page. This will open a popup that will allow you to select the subscription method.
 
 ![](/img/console/blocklists/header_point_subscribe.png)
 
 ## Subscribe
 
+You can subscribe to a blocklist at the Organization, Security Engine, or Integration level. On the community plan you can subscribe to 3 blocklists, to remove this limitation you can upgrade to the [enterprise plan](https://www.crowdsec.net/pricing) which includes various perks.
+
+### Organization Level
+
+The simplest way to subscribe to a blocklist is at the organization level. This will apply the blocklist to all Security Engines and Integrations within the organization this will include current and future Security Engines and Integrations.
+
+![](/img/console/blocklists/org_subscribe_popup.png)
+
+:::note
+One remediation type will be applied to all the Security Engines and Integrations subscribed to the blocklist.
+:::
+
+If you want to apply different remediation methods to different Security Engines or Integrations, you will need to subscribe to the blocklist at the Security Engine or Integration level.
+
 ### Security Engines
 
 If your account already includes enrolled Security Engines, you'll find a section at the bottom that can also be used to start the subscription process.
@@ -54,11 +68,11 @@ When performing an action, a popup will prompt to validate the action performed.
 
 ### Integrations
 
-If your organization already has integrations, a section at the bottom can also be used to start the subscription process.
+If your organization already has Integrations, a section at the bottom can also be used to start the subscription process.
 
 ![](/img/console/blocklists/integrations/subscriptions.png)
 
 To subscribe to an integration to the current blocklist, click on the _Subscribe_ button from the desired integration.
-You will now see a different border around the subscribed integrations.
+You will now see a different border around the subscribed Integrations.
 
 ![](/img/console/blocklists/integrations/subscribed.png)

crowdsec-docs/unversioned/console/security_engines/details_page.md

@@ -7,7 +7,7 @@ description: Learn how to view the details of a Security Engine in the CrowdSec
 
 This page will reference information about a specific Security Engine. This page is your one-stop resource for understanding everything related to the Security Engine you're interested in.
 
-![Security Engine details page](/img/console/security_engines/details-page.png)
+![Security Engine details page](/img/console/security_engines/details-page.jpeg)
 
 ## Usage
 
@@ -19,21 +19,35 @@ At the top of the page, the essential information regarding the Security Engine
 
 Quick actions are available from the summary to apply changes to your Security Engine.
 
-- [Update name or tags](/console/security_engines/name_and_tags.md)
-- [Transfer an Engine](/console/security_engines/transfer_engine.md)
-- [Remove an Engine](/console/security_engines/remove_engine.md)
+-   [Update name or tags](/console/security_engines/name_and_tags.md)
+-   [Transfer an Engine](/console/security_engines/transfer_engine.md)
+-   [Remove an Engine](/console/security_engines/remove_engine.md)
 
 ![Security Engine details page](/img/console/security_engines/details-page-actions.png)
 
-### Log Processors
+### Remediation components
 
-The Log Processors section will only be displayed if the Security Engines have multiple log processors, indicating a Distributed Setup. Here, you can access all essential information regarding the log processors and their current version.
+The [remediation component](/bouncers/intro.md) in CrowdSec will apply either the decisions made by CrowdSec, the blocklists or the custom decisions.
 
-:::info
-A warning will be displayed if any Security Engine has an outdated version.
-:::
+![Security Engine details page](/img/console/security_engines/details-page-remediation.png)
 
-![Security Engine details page](/img/console/security_engines/details-page-log-processors.png)
+#### Metrics
+
+Starting from version 1.6.3, CrowdSec’s remediation components now display detailed metrics. These metrics provide valuable insights into the number of traffic drops and the volume of traffic processed by each remediation component.
+
+To access a detailed view of these metrics, simply click the **Get More Info** button on any active remediation component card. This will show you the effectiveness of each decision made by the Security Engine, based on the installed blocklists.
+
+![Security Engine details page](/img/console/security_engines/details-page-remediation-metrics.png)
+
+In the same modal, you can view the active decisions. This section provides information about the number of decisions made by each source of decisions.
+
+![Security Engine details page](/img/console/security_engines/details-page-remediation-decisions.png)
+
+#### Inactive remediation components
+
+Remediation components are meant to block attackers. Having inactive remediation component can compromise the security of your Security Engine, as they cannot apply decisions.
+
+![Security Engine details page](/img/console/security_engines/details-page-inactive-bouncer.png)
 
 ### Blocklists
 
@@ -57,14 +71,12 @@ By clicking on a scenario, you can access essential information about the scenar
 
 ![Security Engine details page](/img/console/security_engines/details-page-scenarios-hub.png)
 
-### Remediation components
-
-The [remediation component](/bouncers/intro.md) in CrowdSec will apply either the decisions made by CrowdSec or the custom decisions. The complete list of decisions from the dedicated section is available at the bottom of the page.
-
-![Security Engine details page](/img/console/security_engines/details-page-remediation.png)
+### Log Processors
 
-#### Inactive remediation components
+The Log Processors section will only be displayed if the Security Engines have multiple log processors, indicating a Distributed Setup. Here, you can access all essential information regarding the log processors and their current version.
 
-Remediation components are meant to block attackers. Having inactive remediation component can compromise the security of your Security Engine, as they cannot apply decisions.
+:::info
+A warning will be displayed if any Security Engine has an outdated version.
+:::
 
-![Security Engine details page](/img/console/security_engines/details-page-inactive-bouncer.png)
+![Security Engine details page](/img/console/security_engines/details-page-log-processors.png)

crowdsec-docs/unversioned/getting_started/next_steps.md

@@ -11,7 +11,18 @@ The CrowdSec Console is a web-based interface provided by CrowdSec, offering a w
 
 See the dedicated [CrowdSec Console](/getting_started/post_installation/console.mdx) guide for more information.
 
-### 2. Acquisitions
+
+### 2. Whitelists
+
+:::info
+Whitelists are a way to tell CrowdSec to ignore certain events or IP addresses.
+:::
+
+By default CrowdSec will whitelist private LAN IP addresses, however you may want to whitelist additional IP addresses or events.
+
+See the dedicated [Whitelists](/getting_started/post_installation/whitelists.mdx) guide for more information.
+
+### 3. Acquisitions
 
 :::info
 Acquisitions are sources of logs that CrowdSec can analyze.
@@ -21,7 +32,7 @@ By default when CrowdSec is installed it will attempt to detect the running serv
 
 See the dedicated [Acquisition](/getting_started/post_installation/acquisition.mdx) guide for more information.
 
-### 3. Profiles
+### 4. Profiles
 
 :::info
 Profiles are a set of rules that drives what decisions will be taken by CrowdSec.
@@ -31,7 +42,7 @@ CrowdSec comes with a default profile that is suitable for most use cases. Howev
 
 See the dedicated [Profiles](/getting_started/post_installation/profiles.mdx) guide for more information.
 
-### 4. Metrics
+### 5. Metrics
 
 :::info
 Metrics are a way to monitor the behavior of CrowdSec.