def create_incident(
    organization,
    type,
    title,
    query,
    date_started,
    date_detected=None,
    detection_uuid=None,
    projects=None,
    groups=None,
    user=None,
):
    """Create an ``Incident`` together with its project/group links and first activity.

    ``date_detected`` falls back to ``date_started`` when not supplied. Each
    group in ``groups`` contributes its ``project`` to ``projects`` (duplicates
    dropped, order arbitrary). The incident row, its ``IncidentProject`` /
    ``IncidentGroup`` rows, the initial event-stats snapshot and the opening
    activity entry are all written inside a single ``transaction.atomic()``
    block.

    Note: the ``type`` parameter shadows the builtin of the same name; the
    name is kept for caller compatibility. Its ``.value`` is what gets stored.

    Returns the created ``Incident``.
    """
    effective_detected = date_started if date_detected is None else date_detected

    if groups:
        projects_from_groups = [group.project for group in groups]
        base_projects = [] if projects is None else projects
        # Set-based dedupe: the resulting list order is unspecified.
        projects = list(set(base_projects + projects_from_groups))

    # A CREATED incident gets a CREATED activity entry; anything else is DETECTED.
    activity_status = (
        IncidentActivityType.CREATED
        if type == IncidentType.CREATED
        else IncidentActivityType.DETECTED
    )

    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=IncidentStatus.OPEN.value,
            type=type.value,
            title=title,
            # `title` and `query` are persisted as given (via the ORM); no validation here.
            query=query,
            date_started=date_started,
            date_detected=effective_detected,
        )
        if projects:
            project_links = [
                IncidentProject(incident=incident, project=project) for project in projects
            ]
            IncidentProject.objects.bulk_create(project_links)
        if groups:
            group_links = [IncidentGroup(incident=incident, group=group) for group in groups]
            IncidentGroup.objects.bulk_create(group_links)

        snapshot = create_initial_event_stats_snapshot(incident)
        create_incident_activity(
            incident,
            activity_status,
            event_stats_snapshot=snapshot,
            user=user,
        )
    return incident
def create_incident(
    organization,
    type,
    title,
    query,
    aggregation,
    date_started,
    date_detected=None,
    # TODO: Probably remove detection_uuid?
    detection_uuid=None,
    projects=None,
    groups=None,
    user=None,
    alert_rule=None,
):
    """Create an ``Incident``, link it to projects/groups and record a DETECTED activity.

    Projects owned by ``groups`` are merged into ``projects`` (deduplicated via
    a set, so order is unspecified). ``date_detected`` defaults to
    ``date_started``. The incident, its link rows, the activity entry and the
    ``"incident.created"`` analytics event are all emitted inside one
    ``transaction.atomic()`` block.

    ``type`` and ``aggregation`` are expected to be enum members: their
    ``.value`` is stored. Note that ``type`` shadows the builtin; the name is
    kept for caller compatibility.

    Returns the created ``Incident``.
    """
    if groups:
        projects_from_groups = [group.project for group in groups]
        base_projects = [] if projects is None else projects
        projects = list(set(base_projects + projects_from_groups))

    if date_detected is None:
        date_detected = date_started

    type_value = type.value
    incident_fields = dict(
        organization=organization,
        detection_uuid=detection_uuid,
        status=IncidentStatus.OPEN.value,
        type=type_value,
        title=title,
        # `title` and `query` are stored as given; no validation happens here.
        query=query,
        aggregation=aggregation.value,
        date_started=date_started,
        date_detected=date_detected,
        alert_rule=alert_rule,
    )

    with transaction.atomic():
        incident = Incident.objects.create(**incident_fields)

        if projects:
            project_links = [
                IncidentProject(incident=incident, project=project) for project in projects
            ]
            IncidentProject.objects.bulk_create(project_links)
        if groups:
            group_links = [IncidentGroup(incident=incident, group=group) for group in groups]
            IncidentGroup.objects.bulk_create(group_links)

        create_incident_activity(incident, IncidentActivityType.DETECTED, user=user)
        analytics.record(
            "incident.created",
            incident_id=incident.id,
            organization_id=incident.organization_id,
            incident_type=type_value,
        )

    return incident
def create_incident(
    organization,
    status,
    title,
    query,
    date_started,
    date_detected=None,
    detection_uuid=None,
    projects=None,
    groups=None,
):
    """Create an ``Incident`` and its ``IncidentProject`` / ``IncidentGroup`` link rows.

    ``status`` is expected to be an enum member; its ``.value`` is stored.
    ``date_detected`` defaults to ``date_started``. Projects owned by
    ``groups`` are merged into ``projects`` (set-deduplicated, order
    unspecified). All rows are written inside one ``transaction.atomic()``
    block.

    Returns the created ``Incident``.
    """

    def merged_projects():
        # Combine caller-supplied projects with the projects of the given groups.
        projects_from_groups = [group.project for group in groups]
        base_projects = [] if projects is None else projects
        return list(set(base_projects + projects_from_groups))

    effective_detected = date_started if date_detected is None else date_detected
    if groups:
        projects = merged_projects()

    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=status.value,
            title=title,
            # `title` and `query` are persisted as given; no validation here.
            query=query,
            date_started=date_started,
            date_detected=effective_detected,
        )
        if projects:
            project_links = [
                IncidentProject(incident=incident, project=project) for project in projects
            ]
            IncidentProject.objects.bulk_create(project_links)
        if groups:
            group_links = [IncidentGroup(incident=incident, group=group) for group in groups]
            IncidentGroup.objects.bulk_create(group_links)
    return incident
def create_incident(
    organization,
    type_,
    title,
    query,
    aggregation,
    date_started,
    date_detected=None,
    # TODO: Probably remove detection_uuid?
    detection_uuid=None,
    projects=None,
    groups=None,
    user=None,
    alert_rule=None,
):
    """Create an ``Incident``, link it to projects/groups and record a DETECTED activity.

    Projects owned by ``groups`` are merged into ``projects`` (set-deduplicated,
    order unspecified). ``date_detected`` defaults to ``date_started``.
    ``type_`` and ``aggregation`` are expected to be enum members; their
    ``.value`` is stored.

    Inside a single ``transaction.atomic()`` block this writes the incident,
    the ``IncidentProject`` rows (followed by a manual ``post_save`` signal per
    row, because ``bulk_create`` does not send them), the ``IncidentGroup``
    rows, the activity entry and the ``"incident.created"`` analytics event.

    Returns the created ``Incident``.
    """
    if groups:
        projects_from_groups = [group.project for group in groups]
        base_projects = [] if projects is None else projects
        projects = list(set(base_projects + projects_from_groups))

    effective_detected = date_started if date_detected is None else date_detected
    type_value = type_.value

    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=IncidentStatus.OPEN.value,
            type=type_value,
            title=title,
            # `title` and `query` are persisted as given; no validation here.
            query=query,
            aggregation=aggregation.value,
            date_started=date_started,
            date_detected=effective_detected,
            alert_rule=alert_rule,
        )

        if projects:
            project_links = [
                IncidentProject(incident=incident, project=project) for project in projects
            ]
            IncidentProject.objects.bulk_create(project_links)
            # bulk_create skips post_save, so fire it by hand for each new link row.
            for link in project_links:
                post_save.send(sender=type(link), instance=link, created=True)

        if groups:
            group_links = [IncidentGroup(incident=incident, group=group) for group in groups]
            IncidentGroup.objects.bulk_create(group_links)

        create_incident_activity(incident, IncidentActivityType.DETECTED, user=user)
        analytics.record(
            "incident.created",
            incident_id=incident.id,
            organization_id=incident.organization_id,
            incident_type=type_value,
        )

    return incident
def create_incident(
    organization,
    type,
    title,
    query,
    aggregation,
    date_started=None,
    date_detected=None,
    # TODO: Probably remove detection_uuid?
    detection_uuid=None,
    projects=None,
    groups=None,
    user=None,
    alert_rule=None,
):
    """Create an ``Incident`` with its links, snapshot, activity and follow-up task.

    Projects owned by ``groups`` are merged into ``projects`` first
    (set-deduplicated, order unspecified). A missing ``date_started`` is then
    computed by ``calculate_incident_start(query, projects, groups)`` using the
    merged project list, and ``date_detected`` defaults to ``date_started``.

    Inside one ``transaction.atomic()`` block this writes the incident, the
    ``IncidentProject`` / ``IncidentGroup`` rows, an initial event-stats
    snapshot, the opening activity (CREATED for ``IncidentType.CREATED``,
    DETECTED otherwise) and the ``"incident.created"`` analytics event. After
    leaving the block, ``tasks.calculate_incident_suspects`` is queued with the
    new incident id.

    Note: the ``type`` parameter shadows the builtin; the name is kept for
    caller compatibility. ``type`` and ``aggregation`` are expected to be enum
    members whose ``.value`` is stored.

    Returns the created ``Incident``.
    """
    if groups:
        projects_from_groups = [group.project for group in groups]
        base_projects = [] if projects is None else projects
        projects = list(set(base_projects + projects_from_groups))

    # Must run after the project merge: the start calculation sees the merged list.
    if date_started is None:
        date_started = calculate_incident_start(query, projects, groups)

    effective_detected = date_started if date_detected is None else date_detected

    type_value = type.value
    activity_status = (
        IncidentActivityType.CREATED
        if type == IncidentType.CREATED
        else IncidentActivityType.DETECTED
    )

    with transaction.atomic():
        incident = Incident.objects.create(
            organization=organization,
            detection_uuid=detection_uuid,
            status=IncidentStatus.OPEN.value,
            type=type_value,
            title=title,
            # `title` and `query` are persisted as given; no validation here.
            query=query,
            aggregation=aggregation.value,
            date_started=date_started,
            date_detected=effective_detected,
            alert_rule=alert_rule,
        )
        if projects:
            project_links = [
                IncidentProject(incident=incident, project=project) for project in projects
            ]
            IncidentProject.objects.bulk_create(project_links)
        if groups:
            group_links = [IncidentGroup(incident=incident, group=group) for group in groups]
            IncidentGroup.objects.bulk_create(group_links)

        snapshot = create_initial_event_stats_snapshot(incident)
        create_incident_activity(
            incident,
            activity_status,
            event_stats_snapshot=snapshot,
            user=user,
        )
        analytics.record(
            "incident.created",
            incident_id=incident.id,
            organization_id=incident.organization_id,
            incident_type=type_value,
        )

    # Queued outside the atomic block so the worker does not race the pending rows.
    tasks.calculate_incident_suspects.apply_async(kwargs={"incident_id": incident.id})
    return incident