[apps] Aliyun ActionTrail app

[GarretReece]

to: @airbnb/streamalert-maintainers
cc:
size: medium

Background

SteamAlert doesn't have an app that collects ActionTrail events from Aliyun

Changes

• Adds an app that collects ActionTrail events from Aliyun
• Schema definition for the new log type is included
• Unit tests for the app as well as schema validation tests are included
• Documentation for authorizing the app is included in the README in the apps directory as well as in a section of the app-configuration.rst in the docs directory

Testing

Barebones StreamAlert session created, the Aliyun app configured and deployed, and verifying that events are listed as captured in the log

[coveralls]

Coverage increased (+0.03%) to 97.418% when pulling 32a1757 on trailofbits:garret/actiontrail_app into fae89fb on airbnb:master.

[ryandeivert]

this is nice work!! added a few quick first round comments :)

[ryandeivert]

can you group this exception with the import above pls

[ryandeivert]

add an extra new line here please (2 lines between imports and class declarations)

[ryandeivert]

the _gather_logs method could be called a bunch of times in an execution - therefore, would it make sense to have the AcsClient created upon __init__ and cached as an instance property?

[ryandeivert]

These two except blocks could be consolidated into one with:

except (ServerException, ClientException) as err:
    LOGGER.exception("%s exception occurred", err.get_error_type())
    return False

also, there's no need to include the actual content of the exception (with str(e)) when using LOGGER.exception - this call handles all of that for you.

[ryandeivert]

please use single (') quotes on string literals and not double (") quotes

[chunyong-lin]

Small request, can we use set instead of list, it is not big a deal though.

[ryandeivert]

are there no restrictions similar to AWS for their access and secret keys? ie - AWS access keys are 20 alphanumeric all-caps characters and must start with A, etc

[GarretReece]

I can't find any documentation anywhere regarding the format. The values I have are a mix of digits and upper and lower case letters, with the id 16 characters in length and the secret 30 characters in length. I'm perfectly willing to put those in as restrictions, but I don't have any reference for that being the supported format.

[ryandeivert]

++ this is great

[ryandeivert]

I think if this is 0 it can be left off completely. I do like the context you've added in the docstring, though, so I'm not sure if I feel strongly about removing the method

[ryandeivert]

this is great - thank you for pinning the version!

[ryandeivert]

Looks like there's an extra new line here

[chunyong-lin]

Hey @GarretReece thanks for working on this App. It looks great too me. I added some comments.

[chunyong-lin]

Any reason we don't pull 100 results each time?

[GarretReece]

The documentation lists the range for the MaxResult parameter as 0-50; I'll admit I haven't tested with higher values to see if it worked anyhow.

[chunyong-lin]

Can I have one more testing request? Can you add a test case when NextToken is available in your testing environment? (I am not talking about unit test)

A while ago, I have a simple script to retrieve ActionTrail events, and set max results per request to 2. I encountered the issue that NextToken doesn't take effect, and the 2nd request returned as same events as 1st request recieved.
Can you verify this in the testing environment? Thanks!

[chunyong-lin]

actiontrail would be more descriptive.

[chunyong-lin]

Can you add these two packages to requirements-top-level.txt as well?

[GarretReece]

added them in!

[chunyong-lin]

Small request, can we use set instead of list, it is not big a deal though.

[chunyong-lin]

I think we also can cache request to __init__.

[chunyong-lin]

Remind to update schema name if you agree with me renaming _type to actiontrail.

[chunyong-lin]

LGTM! 🎉