Dear IntelMQ users
The latest IntelMQ release, version 3.5.0, introduced a new field named 'severity' with its possible values critical, high, medium, low, info, and undefined.
If you have incoming data that places the severity information in the 'extra.severity' field, but you want it in the 'severity' field, you can work around this with a Modify expert.
For example, this is necessary for all data coming from Shadowserver.
How-to:
The attached configuration for the Modify expert contains two rules:
Of course, you can also add these two rules to an existing Modify expert to keep your configuration small.
To test if your newly updated configuration works, you can use the commands below.
Please let us know if this is helpful to you or if you have any further questions.
Best regards
Sebastian
The test commands:

intelmqctl run severity-expert process --dryrun --show-sent --msg '{}'
-> this results in the fallback {"severity": "undefined"}

intelmqctl run severity-expert process --dryrun --show-sent --msg '{"extra.severity": "high"}'
-> this results in {"extra.severity": "high", "severity": "high"}

intelmqctl run severity-expert process --dryrun --show-sent --msg '{"extra.severity": "high", "severity": "low"}'
-> this results in no change: {"extra.severity": "high", "severity": "low"}
-- Institute for Common Good Technology gemeinnütziger Kulturverein - nonprofit cultural society https://commongoodtechnology.org/ ZVR 1510673578
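A Modify expert ruleset that yields the three dry-run results listed in the message above, written here as an added example. It is not the configuration attached to the message and not code from the IntelMQ project. It assumes the following Modify expert behaviour, which you should check against the Modify expert documentation of your IntelMQ version before relying on it: rules are applied in order to the same event; an empty string as a value in the "if" section means "this field must be absent"; every other "if" value is a regular expression matched against the field; and string values in the "then" section are format strings in which {msg[extra.severity]} is replaced by the event's extra.severity value. The rule names are descriptive only; the bot id severity-expert is the one used in the test commands above.

```json
[
    {
        "rulename": "copy extra.severity into severity, only when severity is absent and the value is one the new field accepts",
        "if": {
            "severity": "",
            "extra.severity": "^(critical|high|medium|low|info|undefined)$"
        },
        "then": {
            "severity": "{msg[extra.severity]}"
        }
    },
    {
        "rulename": "fallback: set severity to undefined when it is still absent after the first rule",
        "if": {
            "severity": ""
        },
        "then": {
            "severity": "undefined"
        }
    }
]
```

Point the Modify expert's configuration_path parameter at this file (or merge the two entries into an existing ruleset, as the message suggests). The order of the two rules matters: if the fallback rule came first, every event would get "undefined" and the copy rule would then never match, because severity would already be present. The regular expression in the first rule deliberately lists only the six values the new 'severity' field knows; an extra.severity value outside that list is not copied verbatim but falls through to the fallback and becomes "undefined", which is the behaviour you want for a field with a fixed value set.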