Fix alerts and tests for new cloudtrail event format

2017-11-15 17:22:01 -06:00 · 2017-11-15 17:22:01 -06:00 · 02c3fa175f
--- a/alerts/cloudtrail_logging_disabled.py
+++ b/alerts/cloudtrail_logging_disabled.py
@ -18,10 +18,10 @@ class AlertCloudtrailLoggingDisabled(AlertTask):

        search_query.add_must([
            TermMatch('_type', 'cloudtrail'),
-            TermMatch('eventName', 'StopLogging'),
+            TermMatch('details.eventName', 'StopLogging'),
        ])

-        search_query.add_must_not(TermMatch('errorCode', 'AccessDenied'))
+        search_query.add_must_not(TermMatch('details.errorCode', 'AccessDenied'))

        self.filtersManual(search_query)
        self.searchEventsSimple()
@ -32,6 +32,6 @@ class AlertCloudtrailLoggingDisabled(AlertTask):
        tags = ['cloudtrail', 'aws', 'cloudtrailpagerduty']
        severity = 'CRITICAL'

-        summary = 'Cloudtrail Logging Disabled: ' + event['_source']['requestParameters']['name']
+        summary = 'Cloudtrail Logging Disabled: ' + event['_source']['details']['requestParameters']['name']

        return self.createAlertDict(summary, category, tags, [event], severity)
--- a/tests/alerts/test_cloudtrail_deadman.py
+++ b/tests/alerts/test_cloudtrail_deadman.py
@ -13,7 +13,9 @@ class TestAlertCloudtrailDeadman(AlertTestSuite):
    default_event = {
        "_type": "cloudtrail",
        "_source": {
-            "eventName": "somename"
+            "details": {
+                "eventName": "somename"
+            }
        }
    }

--- a/tests/alerts/test_cloudtrail_logging_disabled.py
+++ b/tests/alerts/test_cloudtrail_logging_disabled.py
@ -12,9 +12,11 @@ class TestAlertCloudtrailLoggingDisabled(AlertTestSuite):
    default_event = {
        "_type": "cloudtrail",
        "_source": {
-            "eventName": "StopLogging",
-            "requestParameters": {
-                "name": "cloudtrail_example_name"
+            "details": {
+               "eventName": "StopLogging",
+                "requestParameters": {
+                    "name": "cloudtrail_example_name"
+                }
            }
        }
    }
@ -59,7 +61,7 @@ class TestAlertCloudtrailLoggingDisabled(AlertTestSuite):
    )

    event = AlertTestSuite.create_event(default_event)
-    event['_source']['eventName'] = 'Badeventname'
+    event['_source']['details']['eventName'] = 'Badeventname'
    test_cases.append(
        NegativeAlertTestCase(
            description="Negative test case with bad eventName",
@ -78,7 +80,7 @@ class TestAlertCloudtrailLoggingDisabled(AlertTestSuite):
    )

    event = AlertTestSuite.create_event(default_event)
-    event['_source']['errorCode'] = 'AccessDenied'
+    event['_source']['details']['errorCode'] = 'AccessDenied'
    test_cases.append(
        NegativeAlertTestCase(
            description="Negative test case with excluding errorCode",