def add_data(self, data): qk = self.rules.get('query_key') for event in data: if qk: key = hashable(lookup_es_key(event, qk)) else: # If no query_key, we use the key 'all' for all events key = 'all' self.cardinality_cache.setdefault(key, {}) self.first_event.setdefault(key, event[self.ts_field]) value = hashable(lookup_es_key(event, self.cardinality_field)) if value is not None: # Store this timestamp as most recent occurence of the term self.cardinality_cache[key][value] = event[self.ts_field] self.check_for_match(key, event)
def compare(self, event): key = hashable(lookup_es_key(event, self.rules['query_key'])) values = [] elastalert_logger.debug(" Previous Values of compare keys " + str(self.occurrences)) for val in self.rules['compound_compare_key']: lookup_value = lookup_es_key(event, val) values.append(lookup_value) elastalert_logger.debug(" Current Values of compare keys " + str(values)) changed = False for val in values: if not isinstance(val, bool) and not val and self.rules['ignore_null']: return False # If we have seen this key before, compare it to the new value if key in self.occurrences: for idx, previous_values in enumerate(self.occurrences[key]): elastalert_logger.debug(" " + str(previous_values) + " " + str(values[idx])) changed = previous_values != values[idx] if changed: break if changed: self.change_map[key] = (self.occurrences[key], values) # If using timeframe, only return true if the time delta is < timeframe if key in self.occurrence_time: changed = event[self.rules['timestamp_field']] - self.occurrence_time[key] <= self.rules['timeframe'] # Update the current value and time elastalert_logger.debug(" Setting current value of compare keys values " + str(values)) self.occurrences[key] = values if 'timeframe' in self.rules: self.occurrence_time[key] = event[self.rules['timestamp_field']] elastalert_logger.debug("Final result of comparision between previous and current values " + str(changed)) return changed
def compare(self, event): key = hashable(lookup_es_key(event, self.rules["query_key"])) val = lookup_es_key(event, self.rules["compare_key"]) if not val and self.rules["ignore_null"]: return False changed = False # If we have seen this key before, compare it to the new value if key in self.occurrences: changed = self.occurrences[key] != val if changed: self.change_map[key] = (self.occurrences[key], val) # If using timeframe, only return true if the time delta is < timeframe if key in self.occurrence_time: changed = ( event[self.rules["timestamp_field"]] - self.occurrence_time[key] <= self.rules["timeframe"] ) # Update the current value and time self.occurrences[key] = val if "timeframe" in self.rules: self.occurrence_time[key] = event[self.rules["timestamp_field"]] return changed
def compare(self, event): key = hashable(lookup_es_key(event, self.rules['query_key'])) val = lookup_es_key(event, self.rules['compare_key']) if not val and self.rules['ignore_null']: return False changed = False # If we have seen this key before, compare it to the new value if key in self.occurrences: changed = self.occurrences[key] != val if changed: self.change_map[key] = (self.occurrences[key], val) # If using timeframe, only return true if the time delta is < timeframe if key in self.occurrence_time: changed = event[ self.rules['timestamp_field']] - self.occurrence_time[ key] <= self.rules['timeframe'] # Update the current value and time self.occurrences[key] = val if 'timeframe' in self.rules: self.occurrence_time[key] = event[self.rules['timestamp_field']] return changed
def add_data(self, data): for event in data: qk = self.rules.get("query_key", "all") if qk != "all": qk = hashable(lookup_es_key(event, qk)) if qk is None: qk = "other" self.handle_event(event, 1, qk)
def add_data(self, data): for event in data: qk = self.rules.get('query_key', 'all') if qk != 'all': qk = hashable(lookup_es_key(event, qk)) if qk is None: qk = 'other' self.handle_event(event, 1, qk)
def add_match(self, match): # TODO this is not technically correct # if the term changes multiple times before an alert is sent # this data will be overwritten with the most recent change change = self.change_map.get(hashable(lookup_es_key(match, self.rules["query_key"]))) extra = {} if change: extra = {"old_value": change[0], "new_value": change[1]} super(ChangeRule, self).add_match(dict(match.items() + extra.items()))
def add_match(self, match): # TODO this is not technically correct # if the term changes multiple times before an alert is sent # this data will be overwritten with the most recent change change = self.change_map.get(hashable(lookup_es_key(match, self.rules['query_key']))) extra = {} if change: extra = {'old_value': change[0], 'new_value': change[1]} super(ChangeRule, self).add_match(dict(match.items() + extra.items()))
def add_match(self, match): # TODO this is not technically correct # if the term changes multiple times before an alert is sent # this data will be overwritten with the most recent change change = self.change_map.get(hashable(lookup_es_key(match, self.rules['query_key']))) extra = {} if change: extra = {'old_value': change[0], 'new_value': change[1]} elastalert_logger.debug("Description of the changed records " + str(dict(match.items() + extra.items()))) super(ChangeRule, self).add_match(dict(match.items() + extra.items()))
def add_data(self, data): if 'query_key' in self.rules: qk = self.rules['query_key'] else: qk = None for event in data: if qk: key = hashable(lookup_es_key(event, qk)) else: # If no query_key, we use the key 'all' for all events key = 'all' # Store the timestamps of recent occurrences, per key self.occurrences.setdefault(key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1)) self.check_for_match(key)
def add_data(self, data): if 'query_key' in self.rules: qk = self.rules['query_key'] else: qk = None for event in data: if qk: key = hashable(lookup_es_key(event, qk)) else: # If no query_key, we use the key 'all' for all events key = 'all' # Store the timestamps of recent occurrences, per key self.occurrences.setdefault(key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1)) # Only check for match _once_ after adding all the events discovered in this run # If the current running count is 1, and the threshold is 10, and we go to add 8 entries # it should only count as a single match, and not 8 consecutive ones. self.check_for_match(key)
def add_data(self, data): if 'query_key' in self.rules: qk = self.rules['query_key'] else: qk = None for event in data: if qk: key = hashable(lookup_es_key(event, qk)) else: # If no query_key, we use the key 'all' for all events key = 'all' # Store the timestamps of recent occurrences, per key self.occurrences.setdefault(key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1)) self.check_for_match(key, end=False) # We call this multiple times with the 'end' parameter because subclasses # may or may not want to check while only partial data has been added if key in self.occurrences: # could have been emptied by previous check self.check_for_match(key, end=True)
def add_data(self, data): if 'query_key' in self.rules: qk = self.rules['query_key'] else: qk = None for event in data: if qk: key = hashable(lookup_es_key(event, qk)) else: # If no query_key, we use the key 'all' for all events key = 'all' # Store the timestamps of recent occurrences, per key self.occurrences.setdefault( key, EventWindow(self.rules['timeframe'], getTimestamp=self.get_ts)).append((event, 1)) # Only check for match _once_ after adding all the events discovered in this run # If the current running count is 1, and the threshold is 10, and we go to add 8 entries # it should only count as a single match, and not 8 consecutive ones. self.check_for_match(key)