fix(log-shipper): derive event severity from anomaly score and action #242

Merged
bihius merged 2 commits into main from fix/log-shipper-severity on Jun 12, 2026

Conversation

@bihius bihius (Owner) commented Jun 11, 2026

Summary

  • Most CRS attack rules carry severity "critical", so copying it verbatim made nearly every blocked request register as a critical alert, collapsing the "Blocked requests" and "Critical alerts" dashboard cards into the same number (Analiza HAProxy + SPOE protocol #1)
  • Event severity is now derived: a high anomaly score (>= 10, twice the CRS default inbound threshold) is "critical" regardless of whether the request was blocked, so DetectionOnly policies still surface real attacks; other blocked events are "error", and non-blocked events are capped at "warning"
  • The anomaly score is also parsed from the 949110 blocking message as a fallback, since coraza-spoa v0.6.1 doesn't expose transaction.variables
  • Track src/log-shipper/uv.lock for reproducible installs, consistent with src/backend/uv.lock

Test plan

  • uv run --extra dev pytest tests/ (28 passed, including new detect-only-critical and blocked-error cases)
  • uv run --extra dev mypy app/
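
The severity derivation described in the summary, as an added Python example that is not the log-shipper's own code: `derive_severity` applies the score/action rules, `parse_anomaly_score` is the 949110 fallback for coraza-spoa builds without `transaction.variables`, and `event_severity` ties them together over constructed event records. The exact 949110 message shape, the `action`/`rules`/`anomaly_score` field names and the CRS default inbound threshold of 5 are assumptions.

```python
import re
from typing import Optional

CRITICAL_SCORE = 10  # twice the CRS default inbound threshold (5), per the PR
# CRS severities, lowest to highest; used to cap non-blocked events at "warning".
SEVERITY_RANK = {"notice": 0, "warning": 1, "error": 2, "critical": 3}
# Assumed shape of the CRS 949110 message: "... (Total Score: 15)".
_TOTAL_SCORE_RE = re.compile(r"Total Score:\s*(\d+)")

def parse_anomaly_score(msg: str) -> Optional[int]:
    """Fallback for builds without transaction.variables: read the score from the 949110 message."""
    match = _TOTAL_SCORE_RE.search(msg)
    return int(match.group(1)) if match else None

def derive_severity(score: Optional[int], blocked: bool, rule_severity: str) -> str:
    """High score -> critical (even when not blocked); other blocked -> error; else cap at warning."""
    if score is not None and score >= CRITICAL_SCORE:
        return "critical"
    if blocked:
        return "error"
    sev = rule_severity.lower()
    return "warning" if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK["warning"] else sev

def event_severity(event: dict) -> str:
    """Resolve one event: explicit anomaly_score, else the 949110 fallback, then the top rule severity."""
    rules = event.get("rules", [])
    score = event.get("anomaly_score")
    if score is None:
        for rule in rules:
            if str(rule.get("id")) == "949110":
                score = parse_anomaly_score(rule.get("msg", ""))
    top = max((r.get("severity", "notice").lower() for r in rules),
              key=lambda s: SEVERITY_RANK.get(s, 0), default="notice")
    return derive_severity(score, event.get("action") == "deny", top)

# Constructed sample events; field names are assumptions, not the shipper's schema.
DETECT_ONLY_EVENT = {  # DetectionOnly policy: attack matched but nothing was blocked
    "action": "pass",
    "rules": [
        {"id": 942100, "severity": "CRITICAL", "msg": "SQL Injection Attack Detected via libinjection"},
        {"id": 949110, "severity": "CRITICAL", "msg": "Inbound Anomaly Score Exceeded (Total Score: 15)"},
    ],
}
BLOCKED_LOW_EVENT = {  # blocked at the default threshold, but well below the critical score
    "action": "deny", "anomaly_score": 8,
    "rules": [{"id": 920350, "severity": "WARNING", "msg": "Host header is a numeric IP address"}],
}
```

With these inputs the DetectionOnly event resolves to "critical" and the low-score blocked event to "error", which is exactly the split that keeps the two dashboard cards from collapsing into one number.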

bihius and others added 2 commits June 11, 2026 23:00
Most CRS attack rules carry severity "critical", so copying it verbatim
made nearly every blocked request register as a critical alert,
collapsing the "Blocked requests" and "Critical alerts" dashboard cards
into the same number.

Event severity is now derived: a high anomaly score (>= 10, twice the CRS
default inbound threshold) is "critical" regardless of whether the request
was blocked, so DetectionOnly policies still surface real attacks; other
blocked events are "error", and non-blocked events are capped at "warning".
The anomaly score is also parsed from the 949110 blocking message as a
fallback for coraza-spoa v0.6.1, which doesn't expose transaction.variables.

Track src/log-shipper/uv.lock for reproducible installs, consistent with
src/backend/uv.lock.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@bihius bihius merged commit d6446e1 into main Jun 12, 2026
3 checks passed
bihius added a commit that referenced this pull request Jun 12, 2026
fix(log-shipper): derive event severity from anomaly score and action
@bihius bihius deleted the fix/log-shipper-severity branch June 14, 2026 08:00
