def run_suppressions(squelch_name):
log.info(f"{squelch_name} processing...")
metadata = {
'QUERY_NAME': squelch_name,
'RUN_ID': RUN_ID,
'ATTEMPTS': 1,
'START_TIME': datetime.datetime.utcnow(),
}
ctx = db.connect()
try:
suppression_count = run_suppression_query(squelch_name)
log.info(f"{squelch_name} updated {suppression_count} rows.")
metadata['ROW_COUNT'] = {'SUPPRESSED': suppression_count}
log.metadata_record(ctx, metadata, table=QUERY_METADATA_TABLE)
except Exception as e:
log_failure(ctx, squelch_name, e)
metadata['ROW_COUNT'] = {'SUPPRESSED': 0}
log.metadata_record(ctx, metadata, table=QUERY_METADATA_TABLE, e=e)
METADATA_HISTORY.append(metadata)
log.info(f"{squelch_name} done.")
def get_rules():
if not hmac.compare_digest(request.cookies.get("sid", ""), SECRET):
return jsonify(rules=[])
rule_type = request.args.get('type', '%').upper()
rule_target = request.args.get('target', '%').upper()
logger.info(f'Fetching {rule_target}_{rule_type} rules...')
oauth = json.loads(request.headers.get('Authorization') or '{}')
if not oauth and not dbconfig.PRIVATE_KEY:
return jsonify(success=False, message='please log in')
ctx = db.connect(oauth=oauth, run_preflight_checks=False)
rules = db.fetch(ctx, f"SHOW VIEWS LIKE '%_{rule_target}\_{rule_type}' IN {RULES_SCHEMA};")
return jsonify(
rules=[
{
"title": re.sub('_(alert|violation|policy)_(query|suppression|definition)$', '', rule['name'], flags=re.I),
"target": rule['name'].split('_')[-2].upper(),
"type": rule['name'].split('_')[-1].upper(),
"body": rule['text'],
"results": (
list(db.fetch(ctx, f"SELECT * FROM {RULES_SCHEMA}.{rule['name']};"))
if rule['name'].endswith("_POLICY_DEFINITION")
else None
),
} for rule in rules if (
rule['name'].endswith("_ALERT_QUERY")
or rule['name'].endswith("_ALERT_SUPPRESSION")
or rule['name'].endswith("_VIOLATION_QUERY")
or rule['name'].endswith("_VIOLATION_SUPPRESSION")
or rule['name'].endswith("_POLICY_DEFINITION")
)
]
)
load_data(data['messages'])
if params['offset'] == 9900: # Maximum offset is 9900
params = {
'start_date': get_newest_timestamp(),
'limit': 100,
'offset': 0
}
elif len(data['messages']) == params[
'limit']: # if we got the limit of messages, get the next page
params['offset'] += params['limit']
else:
break
def main():
reqenv = {'AGARI_TOKEN', 'AGARI_SECRET', 'AGARI_TABLE'}
missingenv = reqenv - set(environ)
if missingenv:
log.fatal(f"missing env vars: {missingenv}")
for url in URLS:
process_endpoint(url)
if __name__ == '__main__':
if db.connect():
main()
def wrapper(*args, **kwargs):
oauth = json.loads(request.headers.get('Authorization') or '{}')
if not oauth and not dbconfig.PRIVATE_KEY:
return jsonify(success=False, message='please log in')
db.connect(oauth=oauth, set_cache=True)
return f(*args, **kwargs)
def setup():
db.connect()
db.execute(TEST_QUERY)
db.execute(TEST_SUPPRESSION)
db.execute(TEST_INVALID_QUERY)
def main():
ctx = db.connect()
alert_rows = list(get_new_alerts(ctx))
log.info(f'Found {len(alert_rows)} new alerts to handle.')
for alert_row in alert_rows:
alert = alert_row['ALERT']
results = []
handlers = alert.get('HANDLERS')
if handlers is None:
handlers = 'jira'
if isinstance(handlers, (str, dict)):
handlers = [handlers]
for handler in handlers:
if handler is None:
results.append(None)
else:
if type(handler) is str:
handler = {'type': handler}
if 'type' not in handler:
result = {
'success': False,
'error': 'missing type key',
'details': handler,
}
else:
handler_type = handler['type']
handler_kwargs = handler.copy()
handler_kwargs.update({
'alert':
alert,
'correlation_id':
alert_row.get('CORRELATION_ID'),
'alert_count':
alert_row['COUNTER'],
})
try:
handler_module = importlib.import_module(
f'runners.handlers.{handler_type}')
result = {
'success':
True,
'details':
apply_some(handler_module.handle,
**handler_kwargs),
}
except Exception as e:
result = {'success': False, 'details': e}
results.append(result)
record_status(results, alert['ALERT_ID'])
try:
if CLOUDWATCH_METRICS:
log.metric('Run', 'SnowAlert', [{
'Name': 'Component',
'Value': 'Alert Handler'
}], 1)
except Exception as e:
log.error("Cloudwatch metric logging failed", e)