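def create_incident(
    organization,
    type,
    title,
    query,
    date_started,
    date_detected=None,
    detection_uuid=None,
    projects=None,
    groups=None,
    user=None,
):
    """Create an OPEN incident, link it to projects/groups and record its first activity.

    Args:
        organization: Organization that owns the incident.
        type: ``IncidentType`` member; its ``.value`` is persisted. The name shadows
            the builtin but is kept so keyword callers (``type=``) keep working.
        title: Incident title.
        query: Search query the incident is scoped to.
        date_started: When the incident began.
        date_detected: When it was detected; defaults to ``date_started``.
        detection_uuid: Optional identifier of the external detection.
        projects: Projects to attach. The projects of ``groups`` are attached too.
        groups: Groups to attach.
        user: Actor recorded on the initial activity, if any.

    Returns:
        The created ``Incident``.
    """
    if date_detected is None:
        date_detected = date_started

    # Merge explicit projects with the groups' projects and de-duplicate in a
    # deterministic, first-seen order (dict.fromkeys keeps order; set does not).
    # De-duplication is applied whenever any projects were given, not only when
    # groups are present, so a caller passing the same project twice cannot
    # create duplicate IncidentProject rows. ``None`` stays ``None``.
    if groups or projects is not None:
        merged_projects = list(projects or [])
        if groups:
            merged_projects.extend(g.project for g in groups)
        projects = list(dict.fromkeys(merged_projects))

    # Everything that writes rows happens in one transaction so a failure leaves
    # no half-linked incident behind.
    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=IncidentStatus.OPEN.value,
            type=type.value,
            title=title,
            query=query,
            date_started=date_started,
            date_detected=date_detected,
        )
        if projects:
            IncidentProject.objects.bulk_create(
                [IncidentProject(incident=incident, project=project) for project in projects]
            )
        if groups:
            IncidentGroup.objects.bulk_create(
                [IncidentGroup(incident=incident, group=group) for group in groups]
            )

        # A manually created incident starts with a CREATED activity; anything
        # else is treated as DETECTED.
        if type == IncidentType.CREATED:
            activity_status = IncidentActivityType.CREATED
        else:
            activity_status = IncidentActivityType.DETECTED
        event_stats_snapshot = create_initial_event_stats_snapshot(incident)
        create_incident_activity(
            incident,
            activity_status,
            event_stats_snapshot=event_stats_snapshot,
            user=user,
        )
    return incident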
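def create_incident(
    organization,
    type,
    title,
    query,
    aggregation,
    date_started,
    date_detected=None,
    # TODO: Probably remove detection_uuid?
    detection_uuid=None,
    projects=None,
    groups=None,
    user=None,
    alert_rule=None,
):
    """Create an OPEN incident, link projects/groups, record a DETECTED activity.

    Args:
        organization: Organization that owns the incident.
        type: ``IncidentType`` member; its ``.value`` is persisted. The name shadows
            the builtin but is kept so keyword callers (``type=``) keep working.
        title: Incident title.
        query: Search query the incident is scoped to.
        aggregation: Aggregation enum member; its ``.value`` is persisted.
        date_started: When the incident began.
        date_detected: When it was detected; defaults to ``date_started``.
        detection_uuid: Optional identifier of the external detection.
        projects: Projects to attach. The projects of ``groups`` are attached too.
        groups: Groups to attach.
        user: Actor recorded on the initial activity, if any.
        alert_rule: Alert rule that produced the incident, if any.

    Returns:
        The created ``Incident``.
    """
    # Merge explicit projects with the groups' projects and de-duplicate in a
    # deterministic, first-seen order (dict.fromkeys keeps order; set does not).
    # De-duplication is applied whenever any projects were given, not only when
    # groups are present, so a caller passing the same project twice cannot
    # create duplicate IncidentProject rows. ``None`` stays ``None``.
    if groups or projects is not None:
        merged_projects = list(projects or [])
        if groups:
            merged_projects.extend(g.project for g in groups)
        projects = list(dict.fromkeys(merged_projects))

    if date_detected is None:
        date_detected = date_started

    # Everything that writes rows happens in one transaction so a failure leaves
    # no half-linked incident behind.
    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=IncidentStatus.OPEN.value,
            type=type.value,
            title=title,
            query=query,
            aggregation=aggregation.value,
            date_started=date_started,
            date_detected=date_detected,
            alert_rule=alert_rule,
        )
        if projects:
            IncidentProject.objects.bulk_create(
                [IncidentProject(incident=incident, project=project) for project in projects]
            )
        if groups:
            IncidentGroup.objects.bulk_create(
                [IncidentGroup(incident=incident, group=group) for group in groups]
            )
        create_incident_activity(incident, IncidentActivityType.DETECTED, user=user)

    # Emit analytics only once the rows are committed: an event recorded inside
    # the atomic block would survive a rollback and report an incident that
    # never existed.
    analytics.record(
        "incident.created",
        incident_id=incident.id,
        organization_id=incident.organization_id,
        incident_type=type.value,
    )
    return incident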
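def create_incident(
    organization,
    status,
    title,
    query,
    date_started,
    date_detected=None,
    detection_uuid=None,
    projects=None,
    groups=None,
):
    """Create an incident with the given status and link it to projects/groups.

    Args:
        organization: Organization that owns the incident.
        status: ``IncidentStatus`` member; its ``.value`` is persisted.
        title: Incident title.
        query: Search query the incident is scoped to.
        date_started: When the incident began.
        date_detected: When it was detected; defaults to ``date_started``.
        detection_uuid: Optional identifier of the external detection.
        projects: Projects to attach. The projects of ``groups`` are attached too.
        groups: Groups to attach.

    Returns:
        The created ``Incident``.
    """
    if date_detected is None:
        date_detected = date_started

    # Merge explicit projects with the groups' projects and de-duplicate in a
    # deterministic, first-seen order (dict.fromkeys keeps order; set does not).
    # De-duplication is applied whenever any projects were given, not only when
    # groups are present, so a caller passing the same project twice cannot
    # create duplicate IncidentProject rows. ``None`` stays ``None``.
    if groups or projects is not None:
        merged_projects = list(projects or [])
        if groups:
            merged_projects.extend(g.project for g in groups)
        projects = list(dict.fromkeys(merged_projects))

    # Everything that writes rows happens in one transaction so a failure leaves
    # no half-linked incident behind.
    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=status.value,
            title=title,
            query=query,
            date_started=date_started,
            date_detected=date_detected,
        )
        if projects:
            IncidentProject.objects.bulk_create(
                [IncidentProject(incident=incident, project=project) for project in projects]
            )
        if groups:
            IncidentGroup.objects.bulk_create(
                [IncidentGroup(incident=incident, group=group) for group in groups]
            )
    return incident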
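def create_incident(
    organization,
    type_,
    title,
    query,
    aggregation,
    date_started,
    date_detected=None,
    # TODO: Probably remove detection_uuid?
    detection_uuid=None,
    projects=None,
    groups=None,
    user=None,
    alert_rule=None,
):
    """Create an OPEN incident, link projects/groups, record a DETECTED activity.

    Args:
        organization: Organization that owns the incident.
        type_: ``IncidentType`` member; its ``.value`` is persisted.
        title: Incident title.
        query: Search query the incident is scoped to.
        aggregation: Aggregation enum member; its ``.value`` is persisted.
        date_started: When the incident began.
        date_detected: When it was detected; defaults to ``date_started``.
        detection_uuid: Optional identifier of the external detection.
        projects: Projects to attach. The projects of ``groups`` are attached too.
        groups: Groups to attach.
        user: Actor recorded on the initial activity, if any.
        alert_rule: Alert rule that produced the incident, if any.

    Returns:
        The created ``Incident``.
    """
    # Merge explicit projects with the groups' projects and de-duplicate in a
    # deterministic, first-seen order (dict.fromkeys keeps order; set does not).
    # De-duplication is applied whenever any projects were given, not only when
    # groups are present; this matters here because one post_save signal is
    # fired per IncidentProject below. ``None`` stays ``None``.
    if groups or projects is not None:
        merged_projects = list(projects or [])
        if groups:
            merged_projects.extend(g.project for g in groups)
        projects = list(dict.fromkeys(merged_projects))

    if date_detected is None:
        date_detected = date_started

    # Everything that writes rows happens in one transaction so a failure leaves
    # no half-linked incident behind.
    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=IncidentStatus.OPEN.value,
            type=type_.value,
            title=title,
            query=query,
            aggregation=aggregation.value,
            date_started=date_started,
            date_detected=date_detected,
            alert_rule=alert_rule,
        )
        if projects:
            incident_projects = [
                IncidentProject(incident=incident, project=project) for project in projects
            ]
            IncidentProject.objects.bulk_create(incident_projects)
            # `bulk_create` doesn't send `post_save` signals, so we manually fire them here.
            for incident_project in incident_projects:
                post_save.send(sender=type(incident_project), instance=incident_project, created=True)
        if groups:
            IncidentGroup.objects.bulk_create(
                [IncidentGroup(incident=incident, group=group) for group in groups]
            )
        create_incident_activity(incident, IncidentActivityType.DETECTED, user=user)

    # Emit analytics only once the rows are committed: an event recorded inside
    # the atomic block would survive a rollback and report an incident that
    # never existed.
    analytics.record(
        "incident.created",
        incident_id=incident.id,
        organization_id=incident.organization_id,
        incident_type=type_.value,
    )
    return incident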
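def create_incident(
    organization,
    type,
    title,
    query,
    aggregation,
    date_started=None,
    date_detected=None,
    # TODO: Probably remove detection_uuid?
    detection_uuid=None,
    projects=None,
    groups=None,
    user=None,
    alert_rule=None,
):
    """Create an OPEN incident, link projects/groups, record its first activity
    and kick off suspect calculation.

    Args:
        organization: Organization that owns the incident.
        type: ``IncidentType`` member; its ``.value`` is persisted. The name shadows
            the builtin but is kept so keyword callers (``type=``) keep working.
        title: Incident title.
        query: Search query the incident is scoped to.
        aggregation: Aggregation enum member; its ``.value`` is persisted.
        date_started: When the incident began; computed by
            ``calculate_incident_start`` when omitted.
        date_detected: When it was detected; defaults to ``date_started``.
        detection_uuid: Optional identifier of the external detection.
        projects: Projects to attach. The projects of ``groups`` are attached too.
        groups: Groups to attach.
        user: Actor recorded on the initial activity, if any.
        alert_rule: Alert rule that produced the incident, if any.

    Returns:
        The created ``Incident``.
    """
    # Merge explicit projects with the groups' projects and de-duplicate in a
    # deterministic, first-seen order (dict.fromkeys keeps order; set does not).
    # De-duplication is applied whenever any projects were given, not only when
    # groups are present, so a caller passing the same project twice cannot
    # create duplicate IncidentProject rows. ``None`` is left as ``None`` because
    # calculate_incident_start may treat it differently from an empty list —
    # TODO confirm against that helper.
    if groups or projects is not None:
        merged_projects = list(projects or [])
        if groups:
            merged_projects.extend(g.project for g in groups)
        projects = list(dict.fromkeys(merged_projects))

    if date_started is None:
        date_started = calculate_incident_start(query, projects, groups)
    if date_detected is None:
        date_detected = date_started

    # Everything that writes rows happens in one transaction so a failure leaves
    # no half-linked incident behind.
    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=IncidentStatus.OPEN.value,
            type=type.value,
            title=title,
            query=query,
            aggregation=aggregation.value,
            date_started=date_started,
            date_detected=date_detected,
            alert_rule=alert_rule,
        )
        if projects:
            IncidentProject.objects.bulk_create(
                [IncidentProject(incident=incident, project=project) for project in projects]
            )
        if groups:
            IncidentGroup.objects.bulk_create(
                [IncidentGroup(incident=incident, group=group) for group in groups]
            )

        # A manually created incident starts with a CREATED activity; anything
        # else is treated as DETECTED.
        if type == IncidentType.CREATED:
            activity_status = IncidentActivityType.CREATED
        else:
            activity_status = IncidentActivityType.DETECTED
        event_stats_snapshot = create_initial_event_stats_snapshot(incident)
        create_incident_activity(
            incident,
            activity_status,
            event_stats_snapshot=event_stats_snapshot,
            user=user,
        )

    # Side effects that leave the database go after the atomic block: an
    # analytics event recorded inside it would survive a rollback, and a task
    # dispatched inside it can be picked up by a worker before the incident row
    # is committed (or after it was rolled back), so the worker would not find
    # the incident_id it was handed.
    analytics.record(
        "incident.created",
        incident_id=incident.id,
        organization_id=incident.organization_id,
        incident_type=type.value,
    )
    tasks.calculate_incident_suspects.apply_async(kwargs={"incident_id": incident.id})
    return incident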