You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
I have a case for alert with crowdsecurity/http-bad-user-agent for an IP of Google. So I think it is a false positive and I launch an cscli alerts inspect ID -d to find details. But I can't see where is the problem, I have IP and metadata but I don't have in which log file the match occured and the matched string.
Describe the solution you'd like
It will better to see the one or multiple logs files who is concerned about this alerts and the matched string of the scenarios.
In this case with the two extra matched_file and matched_string sysops can investigate more quickly that in this case this a bad user agent for Google / Google bot are not blocked.
What do you think about this?
The text was updated successfully, but these errors were encountered:
Sorry, completely forgot to answer you 😬
Currently, what appears or not in the cscli alerts inspect output for a given alert depends on the content that was in the Meta dictionary of the events that lead to the given alert. That's why you will see the file paths, but not the bad user-agent (in your example).
It's something that we plan to address in the following way, let me know what you think 😄
Scenarios will allow to specify fields from events (such as evt.Parsed.toto) that needs to be collected an kept. In this way, one can decide what is relevant in the alert when writing the scenario (while know it's unfortunately the parser that decides that).
I take your idea of having the exact source of the event as well, as it's probably very useful !
It allows you to specify any variable/expression etc. to be embedded with the alert, and view them ie. in cscli alerts inspect (and soon to view them in the console too)
Is your feature request related to a problem? Please describe.
I have a case for alert with crowdsecurity/http-bad-user-agent for an IP of Google. So I think it is a false positive and I launch an cscli alerts inspect ID -d to find details. But I can't see where is the problem, I have IP and metadata but I don't have in which log file the match occured and the matched string.
Describe the solution you'd like
It will better to see the one or multiple logs files who is concerned about this alerts and the matched string of the scenarios.
Exemple for this real case :
In this case with the two extra matched_file and matched_string sysops can investigate more quickly that in this case this a bad user agent for Google / Google bot are not blocked.
What do you think about this?
The text was updated successfully, but these errors were encountered: