crowdsec icon indicating copy to clipboard operation
crowdsec copied to clipboard
verified publisher icon crowdsecurity

Improvement - Pass evt.Parsed to the postoverflow event

Open scolastico opened this issue 3 years ago • 1 comments

What would you like to be added?

Pass the evt.Passed variable to the postoverflow event.

Why is this needed?

I think it can be very useful if the evt.Parsed variable is passed to the postoverflow event. This would make it possible to e.g. whitelist individual scenarios based on conditions of evt.Parsed. Currently I don't see any other way to whitelist for example http-crawl-non_statics only on a certain traefik route.

scolastico avatar Aug 05 '22 19:08 scolastico

Hello,

currently, only the Meta dicts of events make it to the overflow object (see https://pkg.go.dev/github.com/crowdsecurity/[email protected]/pkg/models#Alert).

Short term, the simplest way is to ensure relevant info is in the Meta dict, but this change could sense in the future.

buixor avatar Aug 16 '22 15:08 buixor

Hey 👋🏻

We have evaluated this and decided that we would not do this. If you would like to do this then you can create a s02-enrich parser to add the parsed variables to the meta key.

LaurenceJJones avatar Oct 13 '23 12:10 LaurenceJJones