Fixup geomodel location alert

alerts/geomodel/locality.py

@@ -140,9 +140,9 @@ def from_event(
     '''
 
     _source = event.get('_source', {})
-
+    _details = _source.get('details')
-    source_ip = _source.get('sourceipaddress')
+    source_ip = _details.get('sourceipaddress')
-    geo_data = _source.get('sourceipgeolocation')
+    geo_data = _details.get('sourceipgeolocation')
 
     if source_ip is None or geo_data is None:
         return None

alerts/geomodel_location.py

@@ -19,9 +19,6 @@ import geomodel.config as config
 import geomodel.locality as locality
 
 
-_DEFAULT_SUMMARY = 'Authenticated action taken by a user outside of any of '\
-    'their known localities.'
-
 _CONFIG_FILE = os.path.join(
     os.path.dirname(__file__),
     'geomodel_location.json')
@@ -37,6 +34,8 @@ class AlertGeoModel(AlertTask):
     def main(self):
         cfg = self._load_config()
 
+        if not self.es.index_exists('localities'):
+            self.es.create_index('localities')
         for query_index in range(len(cfg.events)):
             try:
                 self._process(cfg, query_index)
@@ -80,8 +79,15 @@ class AlertGeoModel(AlertTask):
 
         if new is not None:
             # TODO: When we update to Python 3.7+, change to asdict(alert_produced)
+            summary = "{0} is now active in {1},{2}. Previously {3},{4}".format(
+                username,
+                entry.state.localities[-1].city,
+                entry.state.localities[-1].country,
+                entry.state.localities[-2].city,
+                entry.state.localities[-2].country,
+            )
             alert_dict = self.createAlertDict(
-                _DEFAULT_SUMMARY,
+                summary,
                 'geomodel',
                 ['geomodel'],
                 events,

docker/compose/elasticsearch/files/elasticsearch.yml

@@ -5,7 +5,7 @@ discovery.type: single-node
 action.destructive_requires_name: true
 
 # Disable auto creation unless these indexes
-action.auto_create_index:  .watches,.triggered_watches,.watcher-history-*,.kibana_*
+action.auto_create_index:  .watches,.triggered_watches,.watcher-history-*,.kibana_*,localities
 
 # Add these to prevent requiring a user/pass and termination of ES when looking for "ingest" assignments.
 # The watcher directive allows for the deletion of failed watcher indices as they sometimes get created with glitches.

tests/alerts/test_geomodel_location.py

@@ -26,6 +26,7 @@ class TestAlertGeoModel(AlertTestSuite):
 
     default_event = {
         '_source': {
+            'details': {
                 'sourceipaddress': '1.2.3.4',
                 'sourceipgeolocation': {
                     'city': 'Toronto',
@@ -33,7 +34,6 @@ class TestAlertGeoModel(AlertTestSuite):
                     'latitude': 43.6529,
                     'longitude': -79.3849
                 },
-            'details': {
                 'username': 'tester1'
             },
             'tags': ['auth0']
@@ -42,6 +42,7 @@ class TestAlertGeoModel(AlertTestSuite):
 
     no_change_event = {
         '_source': {
+            'details': {
                 'sourceipaddress': '4.3.2.1',
                 'sourceipgeolocation': {
                     'city': 'Toronto',
@@ -49,7 +50,6 @@ class TestAlertGeoModel(AlertTestSuite):
                     'latitude': 43.6529,
                     'longitude': -79.3849
                 },
-            'details': {
                 'username': 'tester2'
             }
         }