ENH: Caching, advanced mapping and separating events for MISP Feed output bot #2509
sebix merged 23 commits into certtools:develop from
Yeah, finally green 🎉

Are you using it in production?

We started using it on staging, found some pain points, and now I'll test it & hopefully promote to prod in a few days - so, not yet, but soon ;)

There's not much I can check here without reading the MISP code and docs and setting up an instance. Maybe @Rafiot, can you have a glimpse?
aaronkaplan left a comment:
minor changes requested pls.
docs/user/bots.md (Outdated)
this is not 100% clear for me yet:
will it collect events until (... until when?...) and then sort and group by this field?
I think rephrasing this slightly makes it clearer in the documentation.
What do you think about the current version?

> will it collect events until (... until when?...) and then sort and group by this field?

This field is responsible only for separating using the field. Collecting & holding is a different setting that can be used together with it, but you don't have to. Let's have a look at the new description
Disagree it's needed here.
My main request is:

Thanks for the review! re 1: It's a good idea, I'll look into it. I was concentrating on what we actually need, and I do think there are more things we can improve in the bot.
Could you have a look again? I have implemented tagging as well as rewritten the documentation, added config examples, implemented validation in the

I do admit that the configuration of the bot is complex. I did my best to marry flexibility and readability, but I think in the future we may eventually redesign this configuration, based on feedback. I'm also open to any suggestions.
@aaronkaplan you requested some changes to this PR and @kamil-certat implemented various changes based on your feedback. Can you please re-check?

@aaronkaplan this PR is waiting for your approval

Still need to test against a MISP server
Generating the MISP feed on every incoming message slows down processing. The new config option lets us decide to save them in batches. Cached events are stored in a cache list in Redis. In addition, code related to Python 3.6 was removed as we do not support this version any more.
The bot can now construct an event much more aligned to custom needs, allowing setting comments and selecting just a subset of fields to export
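The commit messages above describe the batching idea: instead of regenerating the feed per message, events are appended to a Redis list and flushed in bulk. The block below is an added example, not IntelMQ's or this PR's code, showing that pattern with a redis-py style client (rpush / llen / lrange / delete); `FakeRedis` is a constructed in-memory stand-in so it runs offline, and the parameter names `bulk_count` and `interval` are hypothetical, chosen for this example rather than taken from the bot's configuration.

```python
"""Batching cached events before writing a MISP feed.

Added example, not IntelMQ's or the PR's own code. Assumes a redis-py style
client exposing rpush / llen / lrange / delete; FakeRedis is a constructed
stand-in so the block runs without a Redis server.
"""
import json
import time
from typing import Callable


class FakeRedis:
    """Minimal in-memory stand-in for the redis-py list commands used here (constructed)."""

    def __init__(self):
        self._lists: dict[str, list[bytes]] = {}

    def rpush(self, key: str, *values: str) -> int:
        lst = self._lists.setdefault(key, [])
        lst.extend(v.encode() for v in values)
        return len(lst)

    def llen(self, key: str) -> int:
        return len(self._lists.get(key, []))

    def lrange(self, key: str, start: int, end: int) -> list[bytes]:
        lst = self._lists.get(key, [])
        stop = len(lst) if end == -1 else end + 1
        return lst[start:stop]

    def delete(self, key: str) -> int:
        return 1 if self._lists.pop(key, None) is not None else 0


class EventBatcher:
    """Accumulate events in a Redis list and flush them in one go.

    A flush is triggered when either `bulk_count` events are cached or
    `interval` seconds have passed since the last flush (both names are
    hypothetical parameters for this example, not the bot's own).
    """

    def __init__(self, redis, key: str, flush: Callable[[list[dict]], None],
                 bulk_count: int = 100, interval: float = 60.0,
                 now: Callable[[], float] = time.time):
        self.redis = redis
        self.key = key
        self.flush = flush            # callback that writes the feed
        self.bulk_count = bulk_count
        self.interval = interval
        self.now = now                # injectable clock, eases testing
        self.last_flush = now()

    def add(self, event: dict) -> bool:
        """Cache one event; return True when this call triggered a flush."""
        # Store JSON text so the list holds only strings; sort_keys makes
        # the stored form stable regardless of dict insertion order.
        self.redis.rpush(self.key, json.dumps(event, sort_keys=True))
        due = (self.redis.llen(self.key) >= self.bulk_count
               or self.now() - self.last_flush >= self.interval)
        if due:
            self.drain()
        return due

    def drain(self) -> int:
        """Hand every cached event to `flush`, then clear the list.

        The feed is written before the cache is deleted, so a failing flush
        leaves the events in Redis for the next attempt instead of losing them.
        """
        raw = self.redis.lrange(self.key, 0, -1)
        events = [json.loads(r) for r in raw]
        if events:
            self.flush(events)
        self.redis.delete(self.key)
        self.last_flush = self.now()
        return len(events)


if __name__ == "__main__":
    written = []
    batcher = EventBatcher(FakeRedis(), "intelmq:misp-feed:cache",
                           written.append, bulk_count=2)
    # Constructed sample events in IntelMQ's flat key style.
    batcher.add({"source.ip": "192.0.2.1", "classification.type": "scanner"})
    batcher.add({"source.ip": "192.0.2.2", "classification.type": "scanner"})
    print(f"{len(written)} batch(es) flushed, {len(written[0])} events in the first")
```

Two points a practitioner would want to check before relying on this. First, `drain` reads the list and then deletes it in two commands; with a single bot process that is fine, but if several processes feed the same key, events pushed between the `lrange` and the `delete` are silently dropped, so wrap both in a redis-py pipeline (MULTI/EXEC) or move items one by one with `LMOVE`. Second, because the cache is cleared only after a successful write, a crash inside `flush` retries the whole batch, so the feed writer should tolerate seeing the same event twice.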
As discussed yesterday, I'll take this over

sebix left a comment:
Found problems in the docs and in the changes of the cache mixin
I'm working on a few improvements / additional requirements right now, new code should come today or tomorrow. I'll then address comments

Documentation for the new parameter

I'm aware of that, I'll adjust documentation tomorrow

I also have to add matching unit tests ;)

requested changes were implemented

BTW, all methods were documented in bot-development 🤔

Oh, sorry. I don't know where I was looking.
MISP Feed output bot got new features:
The bot is fully backward-compatible. By default, the previous behaviour is kept.
In addition, code related to Python 3.6 was removed and the message library was fixed not to modify the original dict instance.
This PR replaces PR #2505.