|
| 1 | +# IEP008: IntelMQ Data Format: Constituency field |
| 2 | + |
| 3 | +At present, an event message describes the affected parties, but does not contain any information |
| 4 | +about logical grouping of them, which may be important to the system operator. Today, more and more |
| 5 | +teams act as CSIRT/CERTs for multiple constituencies and therefore may need to handle some parts of the workflow differently. |
| 6 | + |
| 7 | +This proposal introduces an additional field in the IDF to handle information about the |
| 8 | +related constituency. |
| 9 | + |
| 10 | +## Background |
| 11 | + |
| 12 | +Support for constituencies is already spreading throughout the IntelMQ world, for example the Tuency |
| 13 | +API is designed to return tenant names as constituencies in the API for integration with IntelMQ |
| 14 | +[[1]](https://gitlab.com/intevation/tuency/tuency/-/blob/master/backend/docs/IntelMQ-API.md#data-structure-of-the-result). |
| 15 | + |
| 16 | +## Use cases |
| 17 | + |
| 18 | +Consider the workflow where Tuency or another bot (e.g. Sieve) sets the correct constituency field |
| 19 | +depending on the source concerned. Then the following use cases could be easier: |
| 20 | + |
| 21 | + * the part responsible for sending notifications can choose the right communication channel |
| 22 | + (e.g. the right ticketing system, outgoing email address, etc.); |
| 23 | + * They can filter out or escalate certain types of events depending on the constituency affected. |
| 24 | + |
| 25 | +## Solution considerations |
| 26 | + |
| 27 | +It is possible to create a more or less restrictive solution to the problem. |
| 28 | + |
| 29 | +The more restrictive solution would be |
| 30 | + * Define a strongly validated field that only allows certain values (enum), |
| 31 | + * Allow the operator to configure the supported constituencies at the IntelMQ level. |
| 32 | + |
| 33 | +To achieve this, the IDF would need to be modified, as well as IntelMQ itself, since the current |
| 34 | +configuration is focused on bots and not on changing IDF field values. On the other hand, |
| 35 | +it prevents the possibility of inadvertently configuring bots with the wrong names without noticing. |
| 36 | + |
| 37 | +The less restrictive solution is to simply add a string field to the IDF. With this approach |
| 38 | +implementation is transparent for single constituency setups, and in more complex cases, all |
| 39 | +validation can still be done using additional bots, e.g. Sieve or Filter experts. |
| 40 | + |
| 41 | +There is also the question of whether we should allow one or more constituencies to be defined |
| 42 | +in the event. However, the philosophy of IntelMQ is strongly oriented towards processing single |
| 43 | +pieces of information. Assigning multiple constituencies to an event would, in my opinion, break this |
| 44 | +philosophy, and the proposal of multiple values has already been rejected [[2]](https://github.com/certtools/ieps/tree/main/003). |
| 45 | + |
| 46 | +Therefore, I suggest that for cases where multiple assignments are possible, the IntelMQ operator |
| 47 | +should configure the workflow to create or save the event multiple times with multiple |
| 48 | +and finally define a way to correlate them. |
| 49 | + |
| 50 | +## Proposal |
| 51 | + |
| 52 | +Because of the simplicity, I've chosen to propose adding a simple text field in the IDF, defined as: |
| 53 | + |
| 54 | +``` |
| 55 | +"constituency": { |
| 56 | + "description": "Internal identifier for multi-constituency setup", |
| 57 | + "length": 10, |
| 58 | + "type": "String" |
| 59 | +} |
| 60 | +``` |
| 61 | + |
| 62 | +This should only be added to the `event` schema. |
0 commit comments