update scaffold for alert write env

2019-05-19 11:04:07 -07:00 · 2019-05-19 11:04:07 -07:00 · 16f4c5a132
--- a/cloudy_mozdef/lambda_layer/lambdalert.py
+++ b/cloudy_mozdef/lambda_layer/lambdalert.py
@ -5,20 +5,40 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 # Copyright (c) 2017 Mozilla Corporation

+import logging
+import sys
 from lib.alerttask import AlertTask
 from mozdef_util.query_models import SearchQuery, TermMatch


+logger = logging.getLogger(__name__)
+
+
+def setup_logging():
+    logger = logging.getLogger()
+    h = logging.StreamHandler(sys.stdout)
+    logger.setLevel(logging.DEBUG)
+    return logger
+
+
 class AlertCloudtrailLoggingDisabled(AlertTask):
+    def _configureKombu(self):
+        """Override the normal behavior of this in order to run in lambda."""
+        pass
+
+    def alertToMessageQueue(self, alertDict):
+        """Override the normal behavior of this in order to run in lambda."""
+        pass
+
    def main(self):
-        search_query = SearchQuery(minutes=30)
+        # How many minutes back in time would you like to search?
+        search_query = SearchQuery(minutes=15)

-        search_query.add_must([
-            TermMatch('source', 'cloudtrail'),
-            TermMatch('details.eventname', 'StopLogging')
-        ])
-
-        search_query.add_must_not(TermMatch('errorcode', 'AccessDenied'))
+        # What would you like to search for?
+        # search_query.add_must([
+        #    TermMatch('source', 'cloudtrail'),
+        #    TermMatch('details.eventname', 'DescribeTable')
+        # ])

        self.filtersManual(search_query)
        self.searchEventsSimple()
@ -26,14 +46,21 @@ class AlertCloudtrailLoggingDisabled(AlertTask):

    def onEvent(self, event):
        category = 'AWSCloudtrail'
+
+        # Useful tag and severity rankings for your alert.
        tags = ['cloudtrail', 'aws', 'cloudtrailpagerduty']
        severity = 'CRITICAL'

-        summary = 'Cloudtrail Logging Disabled: ' + event['_source']['details']['requestparameters']['name']
+        # What message should surface in the user interface when this fires?
+        summary = 'The alert fired!'

        return self.createAlertDict(summary, category, tags, [event], severity)

+        # Learn more about MozDef alerts by exploring the "Alert class!"
+

 def handle(event, context):
+    logger = setup_logging()
+    logger.debug('Function initialized.')
    a = AlertCloudtrailLoggingDisabled()
    return a.main()