Mad lad update 2

crowdsecurity · Oct 11, 2023 · e27f5ed · e27f5ed
1 parent 2dec2ae
commit e27f5ed
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/crowdsec-docs/docs/profiles/cti_profile.md b/crowdsec-docs/docs/profiles/cti_profile.md
@@ -63,4 +63,23 @@ decisions:
  - type: ban
    duration: 4h
 on_success: break
+```
+
+Send a notification about a potential false positive to theHive and break the alert evaluation:
+
+```yaml
+name: false_positive
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip" && CrowdsecCTI(Alert.GetValue()).IsFalsePositive()
+notifications:
+    - http_hive
+on_success: break
+---
+name: default_ip_remediation
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+   duration: 4h
+on_success: break
 ```
diff --git a/crowdsec-docs/docs/profiles/format.md b/crowdsec-docs/docs/profiles/format.md
@@ -118,27 +118,36 @@ It relies on [expr helpers](/expr/intro.md).
 ### `on_success`
 
 ```yaml
-on_success: break
+on_success: continue|break
 ```
 
 If the profile applies and `on_success` is set to `break`, decisions processing will stop here and it won't evaluate against following profiles.
 
+- `continue` will apply the profile even if the filter expression generates an error. (DEFAULT)
+- `break` will stop the processing of the alert if the filter expression generates an error.
 ### `on_failure`
 
 ```yaml
-on_failure: break
+on_failure: continue|break
 ```
 
 If the profile didn't apply and `on_failure` is set to `break`, decisions processing will stop here and it won't evaluate against following profiles.
 
+- `continue` will continue to the next profile if the filter expression generates an error. (DEFAULT)
+- `break` will stop the processing of the alert if the filter expression generates an error. 
 ### `on_error`
 
 ```yaml
-on_error: continue
+on_error: continue|break|apply|ignore
 ```
 
 If the filter expression generates an error, this would normally stop the alert from being processed to prevent a potential unwanted outcome.
 
+- `break` will stop the processing of the alert if the filter expression generates an error. (DEFAULT)
+- `continue` will continue to the next profile if the filter expression generates an error.
+- `apply` will apply the profile even if the filter expression generates an error.
+- `ignore` will ignore the error and continue to the next profile.
+
 However, there may be some expressions that do generate expected errors for example, when using the [CTI helpers](/expr/cti_helpers.md) it may throw a rate limit error.
 
 ### `notifications`