Allow alerttask to exclude mozdefbot from severity

alerts/lib/alerttask.py

@@ -196,6 +196,15 @@ class AlertTask(Task):
         except Exception as e:
             self.log.error('Exception while pushing alert to ES: {0}'.format(e))
 
+    def tagBotNotify(self, alert):
+        """
+            Tag alert to be excluded based on severity
+        """
+        alert['notify_mozdefbot'] = True
+        if alert['severity'] == 'NOTICE' or alert['severity'] == 'INFO':
+            alert['notify_mozdefbot'] = False
+    return alert
+
     def saveAlertID(self, saved_alert):
         """
         Save alert to self so we can analyze it later
@@ -285,6 +294,7 @@ class AlertTask(Task):
             for i in self.events:
                 alert = self.onEvent(i, **kwargs)
                 if alert:
+                    alert = self.tagBotNotify(alert)
                     self.log.debug(alert)
                     alertResultES = self.alertToES(alert)
                     self.tagEventsAlert([i], alertResultES)
@@ -296,6 +306,7 @@ class AlertTask(Task):
         if len(self.events) == 0:
             alert = self.onNoEvent(**kwargs)
             if alert:
+                alert = self.tagBotNotify(alert)
                 self.log.debug(alert)
                 alertResultES = self.alertToES(alert)
                 self.alertToMessageQueue(alert)
@@ -312,8 +323,9 @@ class AlertTask(Task):
                 if aggregation['count'] >= threshold:
                     aggregation['config']=config
                     alert = self.onAggregation(aggregation)
-                    self.log.debug(alert)
                     if alert:
+                        alert = self.tagBotNotify(alert)
+                        self.log.debug(alert)
                         alertResultES = self.alertToES(alert)
                         # even though we only sample events in the alert
                         # tag all events as alerted to avoid re-alerting

bot/mozdefbot.py

@@ -308,6 +308,12 @@ class alertConsumer(ConsumerMixin):
                 logger.exception(
                     "alertworker exception: unknown body type received %r" % body)
                 return
+
+            if bodyDict['notify_mozdefbot'] is False:
+                # If the alert tells us to not notify, then don't post to IRC
+                message.ack()
+                return
+
             # process valid message
             # see where we send this alert
             ircchannel = options.alertircchannel
@@ -327,14 +333,8 @@ class alertConsumer(ConsumerMixin):
             if len(bodyDict['summary']) > 450:
                 sys.stdout.write('alert is more than 450 bytes, truncating\n')
                 bodyDict['summary'] = bodyDict['summary'][:450] + ' truncated...'
-            
+
-            #if the alert has a 'severity', only publish the alert if the severity is not NOTICE or INFO
+            self.ircBot.client.msg(ircchannel, formatAlert(bodyDict))
-            if 'severity' in bodyDict.keys():
-                if not ((bodyDict['severity'] == 'NOTICE') or (bodyDict['severity'] == 'INFO')):
-                    self.ircBot.client.msg(ircchannel, formatAlert(bodyDict))
-            #if the alert does not have a severity for some reason, go ahead and publish it
-            else:
-                self.ircBot.client.msg(ircchannel, formatAlert(bodyDict))
 
             message.ack()
         except ValueError as e: