This repository has been archived by the owner on Nov 3, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 329
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
adding new triagebot escalation alert (#1666)
* adding new triagebot escalation alert * changing critical to info for pre-release
- Loading branch information
Showing
5 changed files
with
138 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[options] | ||
url = https://www.mozilla.org | ||
severity = INFO |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
#!/usr/bin/env python | ||
|
||
# This Source Code Form is subject to the terms of the Mozilla Public | ||
# License, v. 2.0. If a copy of the MPL was not distributed with this | ||
# file, You can obtain one at https://mozilla.org/MPL/2.0/. | ||
# Copyright (c) 2017 Mozilla Corporation | ||
|
||
from lib.alerttask import AlertTask | ||
from mozdef_util.query_models import SearchQuery, TermMatch, ExistsMatch | ||
|
||
|
||
class AlertTriageBotEscalation(AlertTask): | ||
def main(self): | ||
self.parse_config('triagebot_escalation.conf', ['url', 'severity']) | ||
|
||
search_query = SearchQuery(minutes=15) | ||
|
||
search_query.add_must([ | ||
TermMatch('category', 'triagebot'), | ||
TermMatch('details.userresponse', 'no'), | ||
ExistsMatch('details.email'), | ||
ExistsMatch('details.identifier') | ||
]) | ||
|
||
self.filtersManual(search_query) | ||
|
||
# Search events | ||
self.searchEventsSimple() | ||
self.walkEvents() | ||
|
||
# Set alert properties | ||
def onEvent(self, event): | ||
msg = event['_source'] | ||
category = 'access' | ||
tags = ['ssh_critical_host_login_escalation', 'pagerduty', 'triagebot'] | ||
severity = self.config.severity | ||
url = self.config.url | ||
|
||
# the summary of the alert is the same as the event | ||
summary = "TriageBot Escalation for event: {0} sent to PagerDuty per 'NO' response from User: {1}".format(msg['details']['identifier'], msg['details']['email']) | ||
|
||
# Create the alert object based on these properties | ||
return self.createAlertDict(summary, category, tags, [event], severity, url) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
# This Source Code Form is subject to the terms of the Mozilla Public | ||
# License, v. 2.0. If a copy of the MPL was not distributed with this | ||
# file, You can obtain one at https://mozilla.org/MPL/2.0/. | ||
# Copyright (c) 2017 Mozilla Corporation | ||
|
||
from .positive_alert_test_case import PositiveAlertTestCase | ||
from .negative_alert_test_case import NegativeAlertTestCase | ||
|
||
from .alert_test_suite import AlertTestSuite | ||
|
||
|
||
class TestAlertTriageBotEscalation(AlertTestSuite): | ||
alert_filename = "triagebot_escalation" | ||
alert_classname = 'AlertTriageBotEscalation' | ||
|
||
# This event is the default positive event that will cause the | ||
# alert to trigger | ||
default_event = { | ||
"_source": { | ||
"hostname": "UNKNOWN", | ||
"details": { | ||
"identifier": "UdEkkIEJFXEy54grVnfy", | ||
"identityConfidence": "low", | ||
"email": "test@testerson.com", | ||
"slack": "U4J8Z3DJT", | ||
"userresponse": "no" | ||
}, | ||
"category": "triagebot", | ||
"summary": "TriageBot Response: no from: test@testerson.com" | ||
} | ||
} | ||
|
||
# This alert is the expected result from running this task | ||
default_alert = { | ||
"category": "access", | ||
"severity": "INFO", | ||
"summary": "TriageBot Escalation for event: UdEkkIEJFXEy54grVnfy sent to PagerDuty per 'NO' response from User: test@testerson.com", | ||
"tags": ['ssh_critical_host_login_escalation', 'pagerduty', 'triagebot'], | ||
} | ||
|
||
test_cases = [] | ||
|
||
test_cases.append( | ||
PositiveAlertTestCase( | ||
description="Positive test with default event and default alert expected", | ||
events=AlertTestSuite.create_events(default_event, 1), | ||
expected_alert=default_alert | ||
) | ||
) | ||
|
||
event = AlertTestSuite.create_event(default_event) | ||
event['_source']['details']['identifier'] = 'AbDpsIOPERXEy54grVnfy' | ||
alert = AlertTestSuite.create_alert(default_alert) | ||
alert['summary'] = "TriageBot Escalation for event: AbDpsIOPERXEy54grVnfy sent to PagerDuty per 'NO' response from User: test@testerson.com" | ||
test_cases.append( | ||
PositiveAlertTestCase( | ||
description="Positive test with different event_id in the summary", | ||
events=[event], | ||
expected_alert=alert | ||
) | ||
) | ||
|
||
event = AlertTestSuite.create_event(default_event) | ||
event['_source']['details']['userresponse'] = 'yes' | ||
test_cases.append( | ||
NegativeAlertTestCase( | ||
description="Negative test with events with a user response of 'yes'", | ||
events=[event], | ||
) | ||
) | ||
|
||
event = AlertTestSuite.create_event(default_event) | ||
event['_source']['details']['email'] = None | ||
test_cases.append( | ||
NegativeAlertTestCase( | ||
description="Negative test case email key excluded", | ||
events=[event], | ||
) | ||
) | ||
|
||
event = AlertTestSuite.create_event(default_event) | ||
event['_source']['category'] = 'bad' | ||
test_cases.append( | ||
NegativeAlertTestCase( | ||
description="Negative test case with bad category key", | ||
events=[event], | ||
) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters