
Profile notification filter #2327

Open

LaurenceJJones opened this issue Jul 4, 2023 · 3 comments

Comments

@LaurenceJJones
Contributor

LaurenceJJones commented Jul 4, 2023

What would you like to be added?

Sometimes a user wants to not send a notification because of a certain machine ID or edge case. The current way is to create a duplicate profile with the filter altered to pick up on the edge case. I propose we create a notification_filter expression to purely filter this when it comes to notification rather than bloating by adding duplicate profiles.

Current way:

```yaml
name: ignore_machine
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.MachineID in ['XXXXX']
decisions:
 - type: ban
   duration: 4h
on_success: break
---
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
notifications:
  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
```

Desired way:

```yaml
name: default_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
notification_filters:
  - Alert.MachineID not in ['XXXXX']
# Note it has to be inverted to return true when not in the array rather than previous way which needed to return true if it is in array
notifications:
  - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
```

/kind enhancement

Why is this needed?

This will prevent users from having complex profiles just for notification purposes when we can just create a filter for notifications.

Currently users may like a single filter to enter the profile, and creating 2 filters may cause complexity. However, in my eyes I do not see this as an issue, as the user can do both, but if they want to slim down the profile they can use the notification filter instead.
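The behaviour the two layouts above are meant to share can be checked with a small model of the profile chain. The following Go program is an added example, not CrowdSec's code: the `Alert`, `Profile` and `Evaluate` types are assumptions standing in for the real expression-evaluated profiles, each filter string is replaced by a Go closure, and the machine IDs are constructed placeholders. It shows that the "current way" (two profiles) and the "desired way" (one profile with `notification_filters`) yield the same decisions and notifications, and why the notification filter has to be the inverted condition.

```go
package main

import "fmt"

// Alert is a constructed stand-in for the alert fields the profiles in this
// issue reference (an assumption for this example, not CrowdSec's own type).
type Alert struct {
	Remediation bool
	Scope       string // what Alert.GetScope() returns in the real expressions
	MachineID   string
}

// Predicate stands in for one expr filter string; here each one is a closure.
type Predicate func(Alert) bool

// Profile carries the keys used in the issue plus the proposed notification_filters.
type Profile struct {
	Name                string
	Filters             []Predicate
	Decisions           []string
	NotificationFilters []Predicate
	Notifications       []string
	OnSuccessBreak      bool
}

// Outcome is what a profile chain produced for a single alert.
type Outcome struct {
	Decisions     []string
	Notifications []string
}

// allTrue reports whether every predicate accepts the alert. An empty list
// accepts everything, so a profile without notification_filters behaves as today.
func allTrue(preds []Predicate, a Alert) bool {
	for _, p := range preds {
		if !p(a) {
			return false
		}
	}
	return true
}

// Evaluate walks the chain in order: a matching profile emits its decisions,
// emits its notifications only when notification_filters also pass, and
// on_success: break stops further profiles from being considered.
func Evaluate(profiles []Profile, a Alert) Outcome {
	var out Outcome
	for _, p := range profiles {
		if !allTrue(p.Filters, a) {
			continue
		}
		out.Decisions = append(out.Decisions, p.Decisions...)
		if allTrue(p.NotificationFilters, a) {
			out.Notifications = append(out.Notifications, p.Notifications...)
		}
		if p.OnSuccessBreak {
			break
		}
	}
	return out
}

// ignoredMachines plays the role of the ['XXXXX'] list (placeholder IDs).
var ignoredMachines = map[string]bool{"XXXXX": true}

func isIPRemediation(a Alert) bool   { return a.Remediation && a.Scope == "Ip" }
func machineIgnored(a Alert) bool    { return ignoredMachines[a.MachineID] }
func machineNotIgnored(a Alert) bool { return !ignoredMachines[a.MachineID] }

// CurrentWay is the duplicate-profile workaround: the first profile swallows
// alerts from ignored machines (ban, but no notification) and breaks.
func CurrentWay() []Profile {
	return []Profile{
		{Name: "ignore_machine", Filters: []Predicate{isIPRemediation, machineIgnored},
			Decisions: []string{"ban:4h"}, OnSuccessBreak: true},
		{Name: "default_ip_remediation", Filters: []Predicate{isIPRemediation},
			Decisions: []string{"ban:4h"}, Notifications: []string{"slack_default"}, OnSuccessBreak: true},
	}
}

// DesiredWay is a single profile; the notification filter is the inverted
// condition ("not in"), which is what the comment in the proposal warns about.
func DesiredWay() []Profile {
	return []Profile{
		{Name: "default_ip_remediation", Filters: []Predicate{isIPRemediation},
			Decisions:           []string{"ban:4h"},
			NotificationFilters: []Predicate{machineNotIgnored},
			Notifications:       []string{"slack_default"}, OnSuccessBreak: true},
	}
}

// Equivalent reports whether both layouts give the same decisions and
// notifications for an alert, the property the proposal relies on.
func Equivalent(a Alert) bool {
	x, y := Evaluate(CurrentWay(), a), Evaluate(DesiredWay(), a)
	return fmt.Sprint(x) == fmt.Sprint(y)
}

func main() {
	// Constructed sample alerts: ignored machine, normal machine, non-remediation alert.
	for _, a := range []Alert{{true, "Ip", "XXXXX"}, {true, "Ip", "web-01"}, {false, "Ip", "web-01"}} {
		fmt.Printf("%+v -> current %+v, desired %+v, equivalent=%v\n",
			a, Evaluate(CurrentWay(), a), Evaluate(DesiredWay(), a), Equivalent(a))
	}
}
```

Running it shows the ignored machine still receives the ban decision under both layouts but triggers no `slack_default` notification, while any other machine is banned and notified. If the notification filter were written with `in` instead of `not in`, `DesiredWay` would notify only for the ignored machine, which is the inversion the proposal's YAML comment points out.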

@github-actions

github-actions bot commented Jul 4, 2023

@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@github-actions

github-actions bot commented Jul 4, 2023

@LaurenceJJones: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.

  • /kind feature
  • /kind enhancement
  • /kind bug
  • /kind packaging

@MrAlucardDante

/kind enhancement
