Exemple #1
0
 def test_create_from_dynamo_record(self):
     """Alert Class - Create Alert from Dynamo Record"""
     alert = self._customized_alert()
     # Converting to a Dynamo record and back again should result in the exact same alert
     record = alert.dynamo_record()
     new_alert = Alert.create_from_dynamo_record(record)
     assert_equal(alert.dynamo_record(), new_alert.dynamo_record())
Exemple #2
0
    def _alert_generator(self, rule_name):
        """
        Returns a generator that yields Alert instances triggered from the given rule name.

        To limit memory consumption, the generator yields a maximum number of alerts, defined
        by self._alert_generator_limit.
        """
        generator = self.table.get_alert_records(rule_name,
                                                 self.alert_proc_timeout)
        for idx, record in enumerate(generator, start=1):
            try:
                yield Alert.create_from_dynamo_record(record)
            except AlertCreationError:
                LOGGER.exception('Invalid alert record %s', record)
                continue

            if idx >= self._alert_generator_limit:
                LOGGER.warning(
                    'Alert Merger reached alert limit of %d for rule "%s"',
                    self._alert_generator_limit, rule_name)
                return
Exemple #3
0
    def run(self, event):
        """Run the alert processor!

        Args:
            event (dict): Lambda invocation event containing at least the rule name and alert ID.

        Returns:
            dict: Maps output (str) to whether it sent successfully (bool).
                An empty dict is returned if the Alert was improperly formatted.
        """
        # Grab the alert record from Dynamo (if needed).
        if set(event) == {'AlertID', 'RuleName'}:
            LOGGER.info('Retrieving %s from alerts table', event)
            alert_record = self.alerts_table.get_alert_record(
                event['RuleName'], event['AlertID'])
            if not alert_record:
                LOGGER.error('%s does not exist in the alerts table', event)
                return {}
        else:
            alert_record = event

        # Convert record to an Alert instance.
        try:
            alert = Alert.create_from_dynamo_record(alert_record)
        except AlertCreationError:
            LOGGER.exception('Invalid alert %s', event)
            return {}

        # Remove normalization key from the record.
        # TODO: Consider including this in at least some outputs, e.g. default Athena firehose
        if Normalizer.NORMALIZATION_KEY in alert.record:
            del alert.record[Normalizer.NORMALIZATION_KEY]

        result = self._send_to_outputs(alert)
        self._update_table(alert, result)
        return result