Skip to content

Severity field in IDF #2575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: develop
Choose a base branch
from
Open

Severity field in IDF #2575

wants to merge 10 commits into from

Conversation

kamil-certat
Copy link
Contributor

Severity is expected in IntelMQ for a long time and partially, it's already used by e.g. ShadowServer reports. This implementation is based on their understanding of the field, but with explicit mentioning that operators could adjust it based on their knowledge.

This is not intended to be an ultimate severity classification, but a help for first triage of received events.

As the topic has already been discussed in #2365, I do not open a separated IEP for that. The discussion didn't have a clear outcome, but since then the severity information from Shadowserver has already been implemented and is in use by at least some IntelMQ instances. Implementing it in the default IDF helps wider adoption and prioritisation.

Compatibility: as no bot uses the field by default at the moment, there is no incompatibility risk if the local operator uses modified IDF schema or stores all data in e.g. SQL database. To prevent issues, until the next major release the official bots using the field should fall back to extra.<field name> if the field does not exist in the local IDF.

Close #2365

@kamil-certat kamil-certat requested a review from sebix March 3, 2025 14:52
@kamil-certat kamil-certat requested a review from aaronkaplan March 3, 2025 15:02
@sebix sebix added this to the 3.4.0 milestone Mar 3, 2025
sebix
sebix requested changes Mar 3, 2025
View reviewed changes
Copy link
Member

@sebix sebix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • missing documentation in docs/user/event.md
  • missing documentation in NEWS.md

@sebix
Copy link
Member

sebix commented Mar 7, 2025

Upgrade function in intelmq/lib/upgrades to update the harmonization.conf is missing too

sebix
sebix requested changes Apr 3, 2025
View reviewed changes
@kamil-certat
Copy link
Contributor Author

@sebix What would you like to add to event.md? This file is generated by this script: https://github.com/certtools/intelmq/blob/aadc8870d95f3d690ae60982b2ea01600daf2a54/scripts/generate-event-docs.py and will be automatically updated based on the harmonisation definition

sebix
sebix approved these changes Apr 4, 2025
View reviewed changes
Copy link
Member

@sebix sebix left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good now, thanks

@sebix
Copy link
Member

sebix commented Apr 29, 2025

@aaronkaplan Do you want to review this before merging?

@sebix sebix added the feature Indicates new feature requests or new features label Aug 18, 2025
@sebix sebix modified the milestones: 3.6.0, 3.5.0 Feature Release Aug 20, 2025
aaronkaplan
aaronkaplan requested changes Aug 25, 2025
View reviewed changes
Copy link
Member

@aaronkaplan aaronkaplan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

renameing v341 -> v342

kamil-certat and others added 8 commits August 25, 2025 20:37
@kamil-certat @sebix
Severity field in IDF
85f0caa 
Severity is expected in IntelMQ for a long time and partially, it's
already used by e.g. ShadowServer reports. This implementation is
based on their understanding of the field, but with explicit
mentioning that operators could adjust it based on their knowledge.

This is not intended to be an ultimate severity classification,
but a help for first triage of recived events.

Close certtools#2365
@kamil-certat @sebix
Fix order
036348c
@kamil-certat @sebix
Update CHANGELOG.md
f62cc62 
Co-authored-by: Sebastian <sebix@sebix.at>
@kamil-certat @sebix
Added news entry and upgrade function
8ebb1df
@kamil-certat @sebix
Fix style
c88dfab
@kamil-certat @sebix
Fix tests
5a584b7
@kamil-certat @sebix
Add missing docstring
e8d6bee
@kamil-certat @sebix
Fix handling no event in harmonisation
2c9f753
@sebix
Copy link
Member

sebix commented Aug 25, 2025

Rebased on develop, but the version numbers in the upgrade function makes no sense

@aaronkaplan
Copy link
Member

okay, @sebix would it be a disaster if we leave the ver numbers now as is and merge?

@sebix
Copy link
Member

sebix commented Aug 26, 2025

okay, @sebix would it be a disaster if we leave the ver numbers now as is and merge?

kind of, yes. the version numbers are used by the upgrade function in intelmqctl, which writes the numbering and function names to the state file. leaving wrong numbers where would lead to confusion in the support and when debugging stuff

@sebix sebix requested a review from aaronkaplan August 26, 2025 12:07
@sebix sebix mentioned this pull request Aug 29, 2025
Open
@sebix
Copy link
Member

sebix commented Aug 29, 2025

@aaronkaplan this PR is waiting for your approval

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sebix sebix sebix approved these changes

@aaronkaplan aaronkaplan Awaiting requested review from aaronkaplan

Assignees

@aaronkaplan aaronkaplan

Labels
data-format feature Indicates new feature requests or new features
Projects
None yet
Milestone
3.5.0 Feature Release
Development

Successfully merging this pull request may close these issues.

Needed in the IDF (intelmq data format): severity
3 participants
@kamil-certat @sebix @aaronkaplan