Severity field in IDF

[kamil-certat]

Severity is expected in IntelMQ for a long time and partially, it's already used by e.g. ShadowServer reports. This implementation is based on their understanding of the field, but with explicit mentioning that operators could adjust it based on their knowledge.

This is not intended to be an ultimate severity classification, but a help for first triage of received events.

As the topic has already been discussed in #2365, I do not open a separated IEP for that. The discussion didn't have a clear outcome, but since then the severity information from Shadowserver has already been implemented and is in use by at least some IntelMQ instances. Implementing it in the default IDF helps wider adoption and prioritisation.

Compatibility: as no bot uses the field by default at the moment, there is no incompatibility risk if the local operator uses modified IDF schema or stores all data in e.g. SQL database. To prevent issues, until the next major release the official bots using the field should fall back to extra.<field name> if the field does not exist in the local IDF.

Close #2365

[sebix]

• missing documentation in docs/user/event.md
• missing documentation in NEWS.md

[sebix]

Upgrade function in intelmq/lib/upgrades to update the harmonization.conf is missing too

[kamil-certat]

@sebix What would you like to add to event.md? This file is generated by this script: https://github.com/certtools/intelmq/blob/aadc8870d95f3d690ae60982b2ea01600daf2a54/scripts/generate-event-docs.py and will be automatically updated based on the harmonisation definition

[sebix]

Looks good now, thanks

[sebix]

@aaronkaplan Do you want to review this before merging?

[aaronkaplan]

renameing v341 -> v342

[sebix]

Rebased on develop, but the version numbers in the upgrade function makes no sense

[aaronkaplan]

okay, @sebix would it be a disaster if we leave the ver numbers now as is and merge?

[sebix]

okay, @sebix would it be a disaster if we leave the ver numbers now as is and merge?

kind of, yes. the version numbers are used by the upgrade function in intelmqctl, which writes the numbering and function names to the state file. leaving wrong numbers where would lead to confusion in the support and when debugging stuff

[sebix]

@aaronkaplan this PR is waiting for your approval

[aaronkaplan]

looks good. I wonder if we should not document it also in docs.

And here is the definiton that shadowserver has:

critical (typically for highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelyhood of compromise. typically for RCE or changing or extracting sensitive data)

high (end of life systems, internal systems that you can log into with authentication that are meant to be internal (SMB, RDP), some data can be leaked. Drones/sinkhole events end up in this category)

medium (risk of participating in DDoS, unencrypted services requiring login, vulnerabilities requiring MITM to exploit, attacker will need to know internal systems/infrastructure in order to exploit it)

low (deviation from best practice - little to no practical way to exploit, but setup is not ideal)

info (Informational only, no concerns whatsoever)

[sebix]

looks good. I wonder if we should not document it also in docs.

All possible fields of an event are documented in https://docs.intelmq.org/latest/user/event/

It is generated at doc build time.

I added the severity level explanations/examples to the harmonization.conf (and thus to the docs).

Result:

[aaronkaplan]

thanks