crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

Alert with multiple sources: only the last source is kept #2522

Open AlteredCoder opened 1 year ago

AlteredCoder commented 1 year ago

What happened?

I am experimenting with the scenario "crowdsecurity/auditd-postexploit-exec-from-net". I'm triggering this scenario and have a custom bouncer that will kill the PID of the process when an alert is triggered. Currently, in this scenario, we put in the scope of the alert the "PPID" of the process (for notification I guess), but for the bouncer part, I need the PID of the last event to be killed (and not the PPID).

So I replaced evt.Meta.ppid by evt.Meta.pid in the expression field of the scope section, as below:

```yaml
scope:
  type: pid
  expression: evt.Meta.pid
```

The problem is that four decisions are generated when I trigger the scenario (because four events are in the bucket). But each decision has the PID of the last event (which is ok for my case, but it is still a bug):

```
time="05-10-2023 15:30:08" level=info msg="(11c1e4655bc54250b10c4e8d5ee47a22lrT49Y3WOXhIAKdy/crowdsec) crowdsecurity/auditd-postexploit-exec-from-net by pid 2080185 : 1h kill on pid 2080185"
time="05-10-2023 15:30:08" level=info msg="(11c1e4655bc54250b10c4e8d5ee47a22lrT49Y3WOXhIAKdy/crowdsec) crowdsecurity/auditd-postexploit-exec-from-net by pid 2080185 : 1h kill on pid 2080185"
time="05-10-2023 15:30:08" level=info msg="(11c1e4655bc54250b10c4e8d5ee47a22lrT49Y3WOXhIAKdy/crowdsec) crowdsecurity/auditd-postexploit-exec-from-net by pid 2080185 : 1h kill on pid 2080185"
time="05-10-2023 15:30:08" level=info msg="(11c1e4655bc54250b10c4e8d5ee47a22lrT49Y3WOXhIAKdy/crowdsec) crowdsecurity/auditd-postexploit-exec-from-net by pid 2080185 : 1h kill on pid 2080185"
```

Here is the output of `cscli alert inspect` (I kept only the interesting fields):

 - Reason       : crowdsecurity/auditd-postexploit-exec-from-net
 - Events Count : 4
 - Scope:Value  : pid:2080185
...
...
...
 - Events  :

- Date: 2023-10-05 15:30:08 +0000 UTC
╭─────────────────┬──────────────────────────╮
│       Key       │          Value           │
├─────────────────┼──────────────────────────┤
│ euid            │ 33                       │
├─────────────────┼──────────────────────────┤
│ exe             │ /usr/bin/ping            │
├─────────────────┼──────────────────────────┤
│ gid             │ 33                       │
├─────────────────┼──────────────────────────┤
│ log_type        │ execve                   │
├─────────────────┼──────────────────────────┤
│ parent_progname │ /usr/bin/dash            │
├─────────────────┼──────────────────────────┤
│ pid             │ 2080182                  │
├─────────────────┼──────────────────────────┤
│ ppid            │ 2080181                  │
├─────────────────┼──────────────────────────┤
│ uid             │ 33                       │
╰─────────────────┴──────────────────────────╯

- Date: 2023-10-05 15:30:08 +0000 UTC
╭─────────────────┬──────────────────────────╮
│       Key       │          Value           │
├─────────────────┼──────────────────────────┤
│ euid            │ 33                       │
├─────────────────┼──────────────────────────┤
│ exe             │ /usr/bin/curl            │
├─────────────────┼──────────────────────────┤
│ gid             │ 33                       │
├─────────────────┼──────────────────────────┤
│ log_type        │ execve                   │
├─────────────────┼──────────────────────────┤
│ parent_progname │ /usr/bin/dash            │
├─────────────────┼──────────────────────────┤
│ pid             │ 2080183                  │
├─────────────────┼──────────────────────────┤
│ ppid            │ 2080181                  │
├─────────────────┼──────────────────────────┤
│ uid             │ 33                       │
╰─────────────────┴──────────────────────────╯

- Date: 2023-10-05 15:30:08 +0000 UTC
╭─────────────────┬──────────────────────────╮
│       Key       │          Value           │
├─────────────────┼──────────────────────────┤
│ euid            │ 33                       │
├─────────────────┼──────────────────────────┤
│ exe             │ /usr/bin/chmod           │
├─────────────────┼──────────────────────────┤
│ gid             │ 33                       │
├─────────────────┼──────────────────────────┤
│ log_type        │ execve                   │
├─────────────────┼──────────────────────────┤
│ parent_progname │ /usr/bin/dash            │
├─────────────────┼──────────────────────────┤
│ pid             │ 2080184                  │
├─────────────────┼──────────────────────────┤
│ ppid            │ 2080181                  │
├─────────────────┼──────────────────────────┤
│ uid             │ 33                       │
╰─────────────────┴──────────────────────────╯

- Date: 2023-10-05 15:30:08 +0000 UTC
╭─────────────────┬──────────────────────────╮
│       Key       │          Value           │
├─────────────────┼──────────────────────────┤
│ exe             │ /tmp/backdoor.sh         │
├─────────────────┼──────────────────────────┤
│ gid             │ 33                       │
├─────────────────┼──────────────────────────┤
│ log_type        │ execve                   │
├─────────────────┼──────────────────────────┤
│ parent_progname │ /usr/bin/dash            │
├─────────────────┼──────────────────────────┤
│ pid             │ 2080185                  │
├─────────────────┼──────────────────────────┤
│ ppid            │ 2080181                  │
├─────────────────┼──────────────────────────┤
│ uid             │ 33                       │
╰─────────────────┴──────────────────────────╯

And we can see that the source of the alert is the PID of the last event.

What did you expect to happen?

I would like to be able to specify (in the scenario or maybe in the profile directly) the PID of which event I want in the scope if I want only one decision to be generated. For example, if we do this directly in the scenario, it would be something like this (if I want to generate a decision only on the PID of the last event):

```yaml
scope:
  type: pid
  expression: queue.queue[-1].Meta.pid
```

Or it can also be the PIDs of several events if I want to generate multiple decisions (for example, if I want to generate a decision only for the PID of the first and last event):

```yaml
scope:
  - type: pid
    expression: queue.queue[0].Meta.pid
  - type: pid
    expression: queue.queue[-1].Meta.pid
```

How can we reproduce it (as minimally and precisely as possible)?

Anything else we need to know?

No response

Crowdsec version

```console
2023/10/05 15:54:31 version: v1.5.4-debian-pragmatic-amd64-e4dcdd25728b914823525f1efabf18d5c454902b
2023/10/05 15:54:31 Codename: alphaga
2023/10/05 15:54:31 BuildDate: 2023-09-20_10:36:53
2023/10/05 15:54:31 GoVersion: 1.20.5
2023/10/05 15:54:31 Platform: linux
2023/10/05 15:54:31 libre2: C++
2023/10/05 15:54:31 Constraint_parser: >= 1.0, <= 2.0
2023/10/05 15:54:31 Constraint_scenario: >= 1.0, < 3.0
2023/10/05 15:54:31 Constraint_api: v1
2023/10/05 15:54:31 Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
Ubuntu 22.04.3 LTS
```

Enabled collections and parsers

```console
$ cscli collections list -o raw
name,status,version,description
crowdsecurity/auditd,"enabled,tainted",0.6,auditd support : parsers and scenarios
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection
crowdsecurity/http-cve,enabled,2.1,
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection
```

Acquisition config

```yaml
filenames:
  - /var/log/audit/*.log
labels:
  type: auditd
```

Config show

```console
$ cscli config show
# paste output here
```

Prometheus metrics

```console
$ cscli metrics
# paste output here
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
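The following Go program is an added illustration of the report above, not code from the CrowdSec project. It models a bucket queue holding the four execve events from the `cscli alert inspect` output (PIDs 2080182 to 2080185, reconstructed here), and stands in for the three scope expressions discussed (`evt.Meta.pid`, `queue.queue[0].Meta.pid`, `queue.queue[-1].Meta.pid`) with plain Go functions. `ObservedDecisions` models only the symptom visible in the log (four decisions, all on the last event's PID); it is not a claim about CrowdSec's internal code path. `ExpectedSources` shows what a bouncer keyed on scope values would need under each of the proposed scope forms: one distinct source per distinct PID.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is a cut-down model of a CrowdSec event: only the Meta map, holding
// the auditd fields visible in the issue's `cscli alert inspect` output.
type Event struct {
	Meta map[string]string
}

// ScopeExpr stands in for a scope `expression`. It receives the event being
// evaluated and the whole bucket queue, so it can model both evt.Meta.pid and
// the proposed queue.queue[-1].Meta.pid form.
type ScopeExpr func(evt Event, queue []Event) string

// PidOfEvent models `expression: evt.Meta.pid`.
func PidOfEvent(evt Event, _ []Event) string { return evt.Meta["pid"] }

// PidOfFirstEvent models `expression: queue.queue[0].Meta.pid`.
func PidOfFirstEvent(_ Event, queue []Event) string { return queue[0].Meta["pid"] }

// PidOfLastEvent models `expression: queue.queue[-1].Meta.pid`.
func PidOfLastEvent(_ Event, queue []Event) string { return queue[len(queue)-1].Meta["pid"] }

// Scope pairs a scope type with its expression, like one entry of the
// list form of the `scope` section proposed in the issue.
type Scope struct {
	Type string
	Expr ScopeExpr
}

// ExpectedSources evaluates every scope against every queued event and
// returns the distinct scope:value pairs, sorted. A bouncer acting on scope
// values needs one decision per distinct value, not one per queued event.
func ExpectedSources(scopes []Scope, queue []Event) []string {
	seen := map[string]struct{}{}
	for _, evt := range queue {
		for _, s := range scopes {
			seen[s.Type+":"+s.Expr(evt, queue)] = struct{}{}
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// ObservedDecisions models the symptom in the issue's log: one decision per
// queued event, every one carrying the value taken from the last event.
// (This is a model of the symptom, not CrowdSec's actual implementation.)
func ObservedDecisions(scope Scope, queue []Event) []string {
	last := queue[len(queue)-1]
	out := make([]string, 0, len(queue))
	for range queue {
		out = append(out, scope.Type+":"+scope.Expr(last, queue))
	}
	return out
}

// IssueQueue rebuilds the four execve events shown in the issue. The values
// are constructed from the inspect output; only pid, ppid and exe are kept.
func IssueQueue() []Event {
	mk := func(pid, exe string) Event {
		return Event{Meta: map[string]string{"pid": pid, "ppid": "2080181", "exe": exe}}
	}
	return []Event{
		mk("2080182", "/usr/bin/ping"),
		mk("2080183", "/usr/bin/curl"),
		mk("2080184", "/usr/bin/chmod"),
		mk("2080185", "/tmp/backdoor.sh"),
	}
}

func main() {
	q := IssueQueue()
	perEvent := Scope{Type: "pid", Expr: PidOfEvent}
	fmt.Println("observed   :", strings.Join(ObservedDecisions(perEvent, q), " "))
	fmt.Println("per-event  :", strings.Join(ExpectedSources([]Scope{perEvent}, q), " "))
	fmt.Println("last only  :", strings.Join(ExpectedSources([]Scope{{Type: "pid", Expr: PidOfLastEvent}}, q), " "))
	fmt.Println("first+last :", strings.Join(ExpectedSources([]Scope{
		{Type: "pid", Expr: PidOfFirstEvent},
		{Type: "pid", Expr: PidOfLastEvent},
	}, q), " "))
}
```

Running it prints four identical `pid:2080185` decisions for the observed case, four distinct PIDs for the per-event expression, and one or two sources for the queue-indexed forms, which is the distinction the report asks the scope section to express.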

github-actions[bot] commented 1 year ago

@AlteredCoder: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.