3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -26,7 +26,6 @@ Please refer to the [NEWS](NEWS.md) for a list of changes which have an affect o
### Development

### Data Format

- Implementing [IEP009](https://github.com/certtools/ieps/tree/main/009) introducing fields to
identify products and vulnerabilities: `product.full_name`, `product.name`, `product.vendor`,
`product.version`, `product.vulnerabilities`. To store in existing PostgreSQL instances, a following
Expand All @@ -38,6 +37,8 @@ Please refer to the [NEWS](NEWS.md) for a list of changes which have an affect o
ALTER TABLE events ADD "product.version" text;
ALTER TABLE events ADD "product.vulnerabilities" text;
```
- added `severity` field to help with triaging received events (PR#2575 by Kamil Mańkowski).
To allow saving the field in PostgreSQL database in existing installations, the following schema update is necessary: `ALTER TABLE events ADD severity varchar(10);`.

### Bots
#### Collectors
1 change: 1 addition & 0 deletions NEWS.md
Expand Up @@ -27,6 +27,7 @@ ALTER TABLE events ADD "product.name" text;
ALTER TABLE events ADD "product.vendor" text;
ALTER TABLE events ADD "product.version" text;
ALTER TABLE events ADD "product.vulnerabilities" text;
ALTER TABLE events ADD severity varchar(10);
```

### Configuration
6 changes: 6 additions & 0 deletions intelmq/etc/harmonization.conf
Expand Up @@ -253,6 +253,12 @@
"description": "Some source may report URLs related to a an image generated of a resource without any metadata. Or an URL pointing to resource, which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.",
"type": "URL"
},
"severity": {
"description": "Severity of the event, based on the information from the source, and eventually modified by IntelMQ during processing. Meaning of the levels may differ based on the event source.",
"length": 10,
"regex": "^(critical|high|medium|low|info|undefined)$",
"type": "LowercaseString"
},
"source.abuse_contact": {
"description": "Abuse contact for source address. A comma separated list.",
"type": "LowercaseString"
12 changes: 6 additions & 6 deletions intelmq/lib/upgrades.py
Expand Up @@ -42,8 +42,8 @@
'v322_url_replacement',
'v322_removed_feeds_and_bots',
'v340_deprecations',
'v341_blueliv_removal',
'v342_new_fields'
'v350_blueliv_removal',
'v350_new_fields',
]


Expand Down Expand Up @@ -976,7 +976,7 @@ def v340_deprecations(configuration, harmonization, dry_run, **kwargs):
return message or changed, configuration, harmonization


def v341_blueliv_removal(configuration, harmonization, dry_run, **kwargs):
def v350_blueliv_removal(configuration, harmonization, dry_run, **kwargs):
"""
Remove blueliv collector and parser
"""
Expand All @@ -999,7 +999,7 @@ def v341_blueliv_removal(configuration, harmonization, dry_run, **kwargs):
return message, configuration, harmonization


def v342_new_fields(configuration, harmonization, dry_run, **kwargs):
def v350_new_fields(configuration, harmonization, dry_run, **kwargs):
"""
Add new fields to IntelMQ Data Format
"""
Expand All @@ -1011,6 +1011,7 @@ def v342_new_fields(configuration, harmonization, dry_run, **kwargs):
resource_filename("intelmq", "etc/harmonization.conf")
)
for field in [
"severity",
"product.full_name",
"product.name",
"product.vendor",
Expand Down Expand Up @@ -1056,8 +1057,7 @@ def v342_new_fields(configuration, harmonization, dry_run, **kwargs):
((3, 3, 0), ()),
((3, 3, 1), ()),
((3, 4, 0), (v340_deprecations, )),
((3, 4, 1), (v341_blueliv_removal, )),
((3, 4, 2), (v342_new_fields, )),
((3, 5, 0), (v350_blueliv_removal, v350_new_fields)),
])

ALWAYS = (harmonization,)
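Review bot: Re-keying the existing upgrade bodies as `v350_blueliv_removal` and `v350_new_fields` and replacing the `(3, 4, 1)` and `(3, 4, 2)` mapping entries with one `(3, 5, 0)` entry means that, as far as I can tell, an installation that already applied them under the old names will run them again at 3.5.0, so both functions need to be idempotent; the `for field in [` loop in `v350_new_fields` must tolerate a field that already exists in `harmonization`, which I cannot confirm because its body continues outside the hunk, and the body of `v350_blueliv_removal` is likewise outside the hunk. If the 3.4.x entries were never shipped, a one-line comment above the new mapping entry, e.g. `# 3.4.1/3.4.2 upgrade steps folded into 3.5.0; function names renamed accordingly`, would save the next reader from looking for the missing versions.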
1 change: 1 addition & 0 deletions intelmq/tests/bin/initdb.sql
Expand Up @@ -57,6 +57,7 @@ CREATE TABLE events (
"raw" text,
"rtir_id" integer,
"screenshot_url" text,
"severity" varchar(10),
"source.abuse_contact" text,
"source.account" text,
"source.allocated" timestamp with time zone,
17 changes: 10 additions & 7 deletions intelmq/tests/lib/test_upgrades.py
Expand Up @@ -616,7 +616,7 @@
"module": "intelmq.bots.collectors.twitter.collector",
},
}
V341_BLUELIV_REMOVAL = {
V350_BLUELIV_REMOVAL = {
"global": {},
"blueliv-collector": {
"module": "intelmq.bots.collectors.blueliv.collector_crimeserver"
Expand Down Expand Up @@ -865,23 +865,26 @@ def test_v340_twitter_collector(self):
self.assertIn('twitter-collector', result[0])
self.assertEqual(V340_TWITTER_COLLECTOR_IN, result[1])

def test_v341_blueliv_removal(self):
""" Test v341_blueliv_removal deprecation warning """
result = upgrades.v341_blueliv_removal(V341_BLUELIV_REMOVAL, {}, False)
def test_v350_blueliv_removal(self):
""" Test v350_blueliv_removal deprecation warning """
result = upgrades.v350_blueliv_removal(V350_BLUELIV_REMOVAL, {}, False)
self.assertIn('blueliv-collector', result[0])
self.assertIn('blueliv-parser', result[0])
self.assertEqual(V341_BLUELIV_REMOVAL, result[1])
self.assertEqual(V350_BLUELIV_REMOVAL, result[1])

def test_v342_new_fields(self):
def test_v350_new_fields(self):
""" Test adding new harmonisation fields """
result = upgrades.v342_new_fields({}, {"event": {"old-field": "must stay"}}, False)
result = upgrades.v350_new_fields({}, {"event": {"old-field": "must stay"}}, False)
self.assertTrue(result[0])
self.assertIn("old-field", result[2]["event"])
self.assertIn("product.full_name", result[2]["event"])
self.assertIn("product.name", result[2]["event"])
self.assertIn("product.vendor", result[2]["event"])
self.assertIn("product.version", result[2]["event"])
self.assertIn("product.vulnerabilities", result[2]["event"])
self.assertIn("old-field", result[2]["event"])
self.assertIn("severity", result[2]["event"])


for name in upgrades.__all__:
setattr(TestUpgradeLib, 'test_function_%s' % name,
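Review bot: `test_v350_new_fields` only asserts that the `severity` key is present in the returned harmonization and never checks that the definition was copied with its validation, so a regression that inserts an empty or partial entry would still pass. Adding `self.assertEqual("LowercaseString", result[2]["event"]["severity"]["type"])` and `self.assertIn("regex", result[2]["event"]["severity"])` pins the constraint that keeps stored values within the allowed levels and the 10-character column. The unchanged `product.*` assertions above have the same gap and could be tightened the same way.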