What would you like to be added?
Sometimes a user wants to not send a notification because of a certain machine ID or edge case. The current way is to create a duplicate profile with the filter altered to pick up on the edge case. I propose we create a notification_filter expression to purely filter this when it comes to notifications, rather than bloating by adding duplicate profiles.
Current way:
name: ignore_machine
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.MachineID in ['XXXXX']
decisions:
 - type: ban
   duration: 4h
on_success: break
---
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
notifications:
 - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
Desired way:
name: default_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
notification_filters:
 - Alert.MachineID not in ['XXXXX']
 # Note it has to be inverted to return true when not in the array rather than previous way which needed to return true if it is in array
notifications:
 - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break
/kind enhancement
Why is this needed?
This will prevent users having complex profiles just for notification purposes when we can just create a filter for notifications.
Currently users may like a single filter to enter the profile, and creating 2 filters may cause complexity. However, in my eyes I do not see this as an issue, as the user can do both, but if they want to slim down the profile they can use the notification filter instead.
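A sketch of the evaluation semantics the issue asks for, as an added example that is not CrowdSec's code or part of the original issue. Filters are modelled as Go functions instead of expr strings, `notification_filters` is modelled as a single predicate, `NotifyFilter` and `Evaluate` are hypothetical names, and `agent-1` is a constructed machine ID.

```go
package main

import "fmt"

// Alert holds only the fields the filters on this page read.
type Alert struct {
	Remediation      bool
	Scope, MachineID string
}

// Profile mirrors the YAML keys above; NotifyFilter models the proposed key (hypothetical).
type Profile struct {
	Name          string
	Filter        func(Alert) bool
	NotifyFilter  func(Alert) bool // nil means "always notify" (assumption)
	Notifications []string
}

func ipRemediation(a Alert) bool { return a.Remediation && a.Scope == "Ip" }
func quiet(a Alert) bool         { return a.MachineID == "XXXXX" }

// Evaluate returns the first matching profile (on_success: break) and the plugins that fire.
func Evaluate(ps []Profile, a Alert) (string, []string) {
	for _, p := range ps {
		if !p.Filter(a) {
			continue
		}
		if p.NotifyFilter != nil && !p.NotifyFilter(a) {
			return p.Name, nil // decisions still apply, notification is suppressed
		}
		return p.Name, p.Notifications
	}
	return "", nil
}

// Current is the two-profile workaround, Desired the single proposed profile.
var Current = []Profile{
	{Name: "ignore_machine", Filter: func(a Alert) bool { return ipRemediation(a) && quiet(a) }},
	{Name: "default_ip_remediation", Filter: ipRemediation, Notifications: []string{"slack_default"}},
}
var Desired = []Profile{{Name: "default_ip_remediation", Filter: ipRemediation,
	NotifyFilter:  func(a Alert) bool { return !quiet(a) },
	Notifications: []string{"slack_default"}}}

func main() {
	a := Alert{Remediation: true, Scope: "Ip", MachineID: "XXXXX"} // constructed alert
	fmt.Println(Evaluate(Current, a))
	fmt.Println(Evaluate(Desired, a))
}
```

In both layouts the alert from the muted machine still matches a profile, so the ban is issued; only the notification list comes back empty.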
Check Releases to make sure your agent is on the latest version.
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.
@LaurenceJJones: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.
/kind feature
/kind enhancement
/kind bug
/kind packaging