Allow alerttask to exclude mozdefbot from severity

2017-06-21 18:31:16 -05:00 · 2017-06-21 18:31:16 -05:00 · 95b4b28a08
--- a/alerts/lib/alerttask.py
+++ b/alerts/lib/alerttask.py
@ -196,6 +196,15 @@ class AlertTask(Task):
        except Exception as e:
            self.log.error('Exception while pushing alert to ES: {0}'.format(e))

+    def tagBotNotify(self, alert):
+        """
+            Tag alert to be excluded based on severity
+        """
+        alert['notify_mozdefbot'] = True
+        if alert['severity'] == 'NOTICE' or alert['severity'] == 'INFO':
+            alert['notify_mozdefbot'] = False
+    return alert
+
    def saveAlertID(self, saved_alert):
        """
        Save alert to self so we can analyze it later
@ -285,6 +294,7 @@ class AlertTask(Task):
            for i in self.events:
                alert = self.onEvent(i, **kwargs)
                if alert:
+                    alert = self.tagBotNotify(alert)
                    self.log.debug(alert)
                    alertResultES = self.alertToES(alert)
                    self.tagEventsAlert([i], alertResultES)
@ -296,6 +306,7 @@ class AlertTask(Task):
        if len(self.events) == 0:
            alert = self.onNoEvent(**kwargs)
            if alert:
+                alert = self.tagBotNotify(alert)
                self.log.debug(alert)
                alertResultES = self.alertToES(alert)
                self.alertToMessageQueue(alert)
@ -312,8 +323,9 @@ class AlertTask(Task):
                if aggregation['count'] >= threshold:
                    aggregation['config']=config
                    alert = self.onAggregation(aggregation)
-                    self.log.debug(alert)
                    if alert:
+                        alert = self.tagBotNotify(alert)
+                        self.log.debug(alert)
                        alertResultES = self.alertToES(alert)
                        # even though we only sample events in the alert
                        # tag all events as alerted to avoid re-alerting
--- a/bot/mozdefbot.py
+++ b/bot/mozdefbot.py
@ -308,6 +308,12 @@ class alertConsumer(ConsumerMixin):
                logger.exception(
                    "alertworker exception: unknown body type received %r" % body)
                return
+
+            if bodyDict['notify_mozdefbot'] is False:
+                # If the alert tells us to not notify, then don't post to IRC
+                message.ack()
+                return
+
            # process valid message
            # see where we send this alert
            ircchannel = options.alertircchannel
@ -327,14 +333,8 @@ class alertConsumer(ConsumerMixin):
            if len(bodyDict['summary']) > 450:
                sys.stdout.write('alert is more than 450 bytes, truncating\n')
                bodyDict['summary'] = bodyDict['summary'][:450] + ' truncated...'
-            
-            #if the alert has a 'severity', only publish the alert if the severity is not NOTICE or INFO
-            if 'severity' in bodyDict.keys():
-                if not ((bodyDict['severity'] == 'NOTICE') or (bodyDict['severity'] == 'INFO')):
-                    self.ircBot.client.msg(ircchannel, formatAlert(bodyDict))
-            #if the alert does not have a severity for some reason, go ahead and publish it
-            else:
-                self.ircBot.client.msg(ircchannel, formatAlert(bodyDict))
+
+            self.ircBot.client.msg(ircchannel, formatAlert(bodyDict))

            message.ack()
        except ValueError as e: