Dear IntelMQ users
The latest IntelMQ release, version 3.5.0, introduced a new field named 'severity' with its possible values critical, high, medium, low, info, and undefined.
If you have incoming data that places the severity information in the 'extra.severity' field, but you want it in the 'severity' field, you can use a workaround using a Modify expert.
For example, this is necessary for all data coming from Shadowserver.
Howto:
1. Add a Modify expert, e.g. named 'severity-modify-expert', to your data flow and place it somewhere after the parsers.
2. Set its configuration path, e.g. to /var/lib/intelmq/bots/modify/severity.conf.
3. Put the content of the attached file into this file.
4. Start the bot and reload the bot right before the newly introduced 'severity-modify-expert' in the data flow. This is done automatically if you use the IntelMQ Manager.
The attached configuration for the Modify expert contains two rules:
1. If the 'extra.severity' field exists (is not empty) but the 'severity' field does not (is empty), copy the value of 'extra.severity' into 'severity'.
2. Otherwise, if both fields do not exist (are empty), set the default value 'undefined'.
Of course, you can also add these two rules to an existing Modify expert to keep your configuration small.
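Since the attachment is not reproduced here, the following is my own reconstruction of the two rules above in the Modify expert's rule format (a list of objects with 'rulename', 'if' and 'then'), not the attached file itself. It assumes the Modify expert's conventions that an empty string in 'if' matches only when the field is absent, that other 'if' values are regular expressions, and that 'then' values may reference message fields as {msg[field]}:

```json
[
  {
    "rulename": "copy extra.severity to severity",
    "if": {
      "extra.severity": ".+",
      "severity": ""
    },
    "then": {
      "severity": "{msg[extra.severity]}"
    }
  },
  {
    "rulename": "default severity undefined",
    "if": {
      "extra.severity": "",
      "severity": ""
    },
    "then": {
      "severity": "undefined"
    }
  }
]
```

Because the first rule only fires when 'severity' is absent, an existing 'severity' value is never overwritten, which is the behaviour the third test command below checks.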
To test if your newly updated configuration works, you can use the commands below.
Please let us know if this is helpful to you or if you have any further questions.
Best regards
Sebastian
The test commands:
intelmqctl run severity-expert process --dryrun --show-sent --msg '{}' -> this results in the fallback {"severity": "undefined"}
intelmqctl run severity-expert process --dryrun --show-sent --msg '{"extra.severity": "high"}' -> this results in {"extra.severity": "high", "severity": "high"}
intelmqctl run severity-expert process --dryrun --show-sent --msg '{"extra.severity": "high", "severity": "low"}' -> this results in no change: {"extra.severity": "high", "severity": "low"}