Standardize authentication meta fields across parsers and scenarios #1617
base: master
Conversation
- Replace log_type with auth_status (failed/success) for authentication events
- Consolidate user/username fields into target_user meta field
- Update all authentication-related parsers to use new standardized fields
- Update all dependent scenarios (brute force, impossible travel, user enumeration)
- Create new auth-generic-test scenario for generic authentication failure testing
- Update all parser and scenario test files with new assert files
- Ensure all service names are unique (proftpd, vsftpd, joplin, etc.)
- Add test log lines with magic username to all suitable parsers

…of sub_type
- Update mail-generic-bf scenario filter from sub_type to auth_status
- Update distinct field from username to target_user
- Regenerate scenario assert file with new meta fields

- Update sonarr-bf scenario: use auth_status instead of log_type, target_user instead of username
- Update radarr-bf scenario: use auth_status instead of log_type, target_user instead of username
- Update prowlarr-bf scenario: use auth_status instead of log_type, target_user instead of username
- Regenerate assert files for sonarr-bf, radarr-bf, and prowlarr-bf tests

- Update sftpgo-bf scenario filter from log_type to auth_status
- Regenerate scenario assert file

… name
- Update filters to use auth_status and service
- Rename user enum scenario to avoid duplicate name conflict
- Update distinct field from username to target_user
- Regenerate scenario assert file

- Remove log_subtype meta field from zoneminder parser
- Update scenarios to use only auth_status, rely on distinct field for user enumeration detection
- Both scenarios now use the same filter, distinction handled by distinct field in user-enum scenario
- Regenerate assert file

- Replace log_type with auth_status (failed/success) for authentication events
- Consolidate user, username, and target_user fields into target_user
- Update all dependent scenarios to use new standardized fields
- Create generic authentication test scenario (auth-generic-test)
- Update all test assert files to reflect new meta fields
- Remove parser.assert files from tests with ignore_parsers: true
- Fix dovecot-logs parser.assert to use auth_status instead of dovecot_login_result
- Fix cpanel-logs and cpanel_bf_attempt assert files
- Ensure all service names are unique
- Update impossible travel scenarios to use auth_status and target_user
91bc78a to 26e7949
…ail service to nginxmail
Signed-off-by: Laurence <[email protected]>

26e7949 to f5f6126
| results[0].Overflow.Alert.GetScenario() == "crowdsecurity/exim-bf" | ||
| results[0].Overflow.Alert.Remediation == true | ||
| results[0].Overflow.Alert.GetEventsCount() == 6 | ||
| "1.2.3.4" in results[1].Overflow.GetSources() |
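Review bot: the last assertion indexes `results[1]` while the three above it check `results[0]`; if the exim-bf overflow is the only one this test expects, the source check should read `"1.2.3.4" in results[0].Overflow.GetSources()`, and if a second overflow is expected (for example from a user-enumeration scenario sharing the same filter), add an assertion on `results[1].Overflow.Alert.GetScenario()` so the index is not matched by accident.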
need to investigate
regenerate parser fully
need to review logic here
- Update impossible-travel.md and impossible-travel-user.md to reflect correct meta field requirements (auth_status, target_user instead of log_type, user)
- Add comprehensive README for auth-generic-test scenario with examples for both username and email formats
- Include requirements, expected results, and service-specific examples
Description
This PR standardizes authentication meta fields across the CrowdSec hub by replacing inconsistent log_type values with a standardized auth_status field (failed/success) and consolidating user identifiers into a single target_user field. The changes affect 74 parsers and 73+ scenarios (brute force, impossible travel, user enumeration), ensuring consistent authentication event handling. A new generic auth-generic-test scenario enables unified testing across services. All test files have been updated accordingly.
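As an added illustration (not a file from this PR or from the CrowdSec hub), the following hypothetical parser and scenarios show the old per-service fields beside the standardized ones the description refers to. It assumes the CrowdSec parser/scenario YAML layout (parser `statics` with `meta`/`value`/`expression`, leaky scenarios with `filter`, `groupby` and `distinct`); the `exampled` service, its grok captures, the names under `example/` and the thresholds are constructed.

```yaml
# Added example, not taken from the PR or the hub. A constructed service
# "exampled" shows the old meta layout beside the standardized one.

# ---- parser BEFORE: per-service log_type value, ad-hoc user field name ----
onsuccess: next_stage
filter: "evt.Parsed.program == 'exampled'"
name: example/exampled-logs-old
description: "Parse exampled auth logs (constructed, pre-standardization)"
grok:
  # constructed line: "login failed for user alice from 192.0.2.10"
  pattern: 'login %{WORD:exampled_result} for user %{USERNAME:exampled_user} from %{IP:exampled_ip}'
  apply_on: message
statics:
  - meta: service
    value: exampled
  - meta: source_ip
    expression: evt.Parsed.exampled_ip
  - meta: log_type
    value: exampled_failed-auth   # a value only this service's scenarios know
  - meta: username                # other parsers used 'user' or 'target_user'
    expression: evt.Parsed.exampled_user
---
# ---- parser AFTER: auth_status (failed/success) and target_user ----
onsuccess: next_stage
filter: "evt.Parsed.program == 'exampled'"
name: example/exampled-logs
description: "Parse exampled auth logs (constructed, standardized fields)"
grok:
  pattern: 'login %{WORD:exampled_result} for user %{USERNAME:exampled_user} from %{IP:exampled_ip}'
  apply_on: message
statics:
  - meta: service
    value: exampled
  - meta: source_ip
    expression: evt.Parsed.exampled_ip
  - meta: auth_status             # exactly two values, shared by every parser
    expression: "evt.Parsed.exampled_result == 'failed' ? 'failed' : 'success'"
  - meta: target_user             # one field name for the account being targeted
    expression: evt.Parsed.exampled_user
---
# ---- scenario BEFORE: one filter string per service ----
type: leaky
name: example/exampled-bf-old
description: "exampled brute force (constructed, pre-standardization)"
filter: "evt.Meta.log_type == 'exampled_failed-auth'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10s
blackhole: 1m
labels:
  service: exampled
  type: bruteforce
  remediation: true
---
# ---- scenario AFTER: the same filter shape as every other service ----
type: leaky
name: example/exampled-bf
description: "exampled brute force (constructed, standardized fields)"
filter: "evt.Meta.auth_status == 'failed' && evt.Meta.service == 'exampled'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10s
blackhole: 1m
labels:
  service: exampled
  type: bruteforce
  remediation: true
---
# ---- user enumeration: identical filter, distinct does the distinguishing ----
type: leaky
name: example/exampled-user-enum
description: "exampled user enumeration (constructed)"
filter: "evt.Meta.auth_status == 'failed' && evt.Meta.service == 'exampled'"
groupby: evt.Meta.source_ip
distinct: evt.Meta.target_user  # only a not-yet-seen target_user fills the bucket
capacity: 5
leakspeed: 10s
blackhole: 1m
labels:
  service: exampled
  type: bruteforce
  remediation: true
---
# ---- service-agnostic scenario that the common field names make possible ----
type: leaky
name: example/auth-generic-bf
description: "authentication brute force on any service (constructed)"
filter: "evt.Meta.auth_status == 'failed'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10s
blackhole: 1m
labels:
  type: bruteforce
  remediation: true
```

With the old layout, a generic scenario would need to enumerate every service's `log_type` value and every parser's user field name; with `auth_status` and `target_user` the brute-force and user-enumeration scenarios share one filter and differ only in `distinct`, and a cross-service scenario is a single-clause filter. The same property is what lets one assert file exercise several parsers in the `auth-generic-test` scenario.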