From 3e895ab0dcb99d37973a22443250c2c117bc032a Mon Sep 17 00:00:00 2001 From: Brandon Myers Date: Mon, 4 Feb 2019 13:19:51 -0600 Subject: [PATCH] Allow search window type to be specified in generic deadman config --- alerts/deadman_generic.json | 6 ++++-- alerts/deadman_generic.py | 11 ++++++++--- tests/alerts/test_deadman_generic.py | 8 ++++---- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/alerts/deadman_generic.json b/alerts/deadman_generic.json index 9d0ec798..15557214 100644 --- a/alerts/deadman_generic.json +++ b/alerts/deadman_generic.json @@ -1,14 +1,16 @@ { "alerts": [ { + "description": "Sample Alert 1", "search_query": "ABC12345436", "time_window": "5", - "description": "Basic deadman" + "time_window_type": "minutes" }, { + "description": "Sample Alert 2", "search_query": "anotherterm", "time_window": "20", - "description": "Another deadman" + "time_window_type": "hours" } ] } \ No newline at end of file diff --git a/alerts/deadman_generic.py b/alerts/deadman_generic.py index b99fd0c2..85635660 100644 --- a/alerts/deadman_generic.py +++ b/alerts/deadman_generic.py @@ -15,7 +15,6 @@ class AlertDeadman_Generic(AlertTask): def main(self): self._config = self.parse_json_alert_config('deadman_generic.json') - for alert_cfg in self._config['alerts']: try: self.process_alert(alert_cfg) @@ -27,7 +26,9 @@ class AlertDeadman_Generic(AlertTask): def process_alert(self, alert_config): self.current_alert_time_window = int(alert_config['time_window']) - search_query = SearchQuery(minutes=self.current_alert_time_window) + self.current_alert_time_type = alert_config['time_window_type'] + search_query_time_window = {self.current_alert_time_type: self.current_alert_time_window} + search_query = SearchQuery(**search_query_time_window) search_query.add_must(QueryStringMatch(str(alert_config['search_query']))) self.filtersManual(search_query) self.searchEventsSimple() 
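Review bot: In the `process_alert` hunk, `time_window_type` is read straight from the JSON config and becomes a keyword-argument name via `SearchQuery(**search_query_time_window)`, so a misspelled or unsupported value such as `"minute"` fails only when the query is built with a TypeError, or, if SearchQuery tolerates unknown keywords, may silently produce a query with no time bound at all; the key is also now mandatory, so any existing deadman config without it raises KeyError. Keep the previous behaviour as the default and validate the unit before it reaches the query: `self.current_alert_time_type = alert_config.get('time_window_type', 'minutes')` followed by `if self.current_alert_time_type not in ('minutes', 'hours', 'days'): raise ValueError('unsupported time_window_type: %r' % self.current_alert_time_type)`. The allowed set should mirror what SearchQuery actually accepts, which is not visible in this diff. The `except` that wraps `process_alert` in `main` lies outside the hunk, so whether such a failure is logged or the alert is silently skipped cannot be confirmed here.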
@@ -40,5 +41,9 @@ class AlertDeadman_Generic(AlertTask): tags = ['deadman'] severity = 'ERROR' - summary = "Deadman check failed for '{0}' the past {1} minutes".format(description, self.current_alert_time_window) + summary = "Deadman check failed for '{0}' the past {1} {2}".format( + description, + self.current_alert_time_window, + self.current_alert_time_type + ) return self.createAlertDict(summary, category, tags, [], severity=severity) diff --git a/tests/alerts/test_deadman_generic.py b/tests/alerts/test_deadman_generic.py index ee8a5e8b..3cfe7c03 100644 --- a/tests/alerts/test_deadman_generic.py +++ b/tests/alerts/test_deadman_generic.py @@ -32,7 +32,7 @@ class TestDeadman_Generic(AlertTestSuite): "category": "deadman", "tags": ['deadman'], "severity": "ERROR", - "summary": 'Deadman check failed for \'Basic deadman\' the past 5 minutes', + "summary": 'Deadman check failed for \'Sample Alert 1\' the past 5 minutes', } test_cases.append( PositiveAlertTestCase( @@ -51,7 +51,7 @@ class TestDeadman_Generic(AlertTestSuite): "category": "deadman", "tags": ['deadman'], "severity": "ERROR", - "summary": 'Deadman check failed for \'Another deadman\' the past 20 minutes', + "summary": 'Deadman check failed for \'Sample Alert 2\' the past 20 hours', } test_cases.append( PositiveAlertTestCase( 
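Review bot: The rebuilt `summary` interpolates the config-supplied `time_window_type` verbatim as the unit label, so the alert text is only as accurate as the config value and a `time_window` of 1 renders as "1 hours"; that coupling is easy to miss from the summary line alone. A one-line comment above `summary = ...` would help the next maintainer: `# time_window_type doubles as the SearchQuery keyword and the unit label shown in the alert`. The method that builds this summary starts outside the hunk, so it is not visible whether the attribute is guaranteed to be set before this point.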
@@ -86,8 +86,8 @@ class TestDeadman_Generic(AlertTestSuite): AlertTestSuite.create_event(matched_event_first), AlertTestSuite.create_event(matched_event_second) ] - events[1]['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 21}) - events[1]['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 21}) + events[1]['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'hours': 21}) + events[1]['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'hours': 21}) test_cases.append( PositiveAlertTestCase( description="Positive test case with events matching second alert configuration but are old",
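Review bot: Moving the "old events" to 21 hours back does not actually prove the 20-hour window is applied in hours: an event 21 hours old is also outside a 20-minute window, so this positive case would pass unchanged if `process_alert` regressed to building the query in minutes. To pin the unit, add a companion case whose events are shifted inside the window but beyond 20 minutes, e.g. `date_timedelta={'hours': 19}` on `utctimestamp` and `receivedtimestamp`, and assert that no deadman alert fires; the suite shows only `PositiveAlertTestCase` here, so use whatever negative-case type the test framework provides. Without such a case the distinction between `minutes` and `hours` introduced by this commit is untested.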