From d2f7175f06eae8acf7d78ab0f8d7724a214beab5 Mon Sep 17 00:00:00 2001 From: skyghost2210 Date: Tue, 18 Aug 2020 16:24:43 +0700 Subject: [PATCH 1/3] Add support for HTTP POST encryption ( using JWT ) --- docs/source/ruletypes.rst | 37 ++ elastalert/alerts.py | 1114 +++++++++++++++++++++++++++---------- elastalert/loaders.py | 1 + setup.py | 3 +- 4 files changed, 859 insertions(+), 296 deletions(-) diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index a947a77b7..62c72f8b6 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst @@ -2164,6 +2164,43 @@ Example usage:: http_post_headers: authorization: Basic 123dr3234 +HTTP JWT POST +~~~~~~~~~~~~~ + +This alert type will send results to a JSON endpoint encrypted with JWT using HTTP POST. The key names are configurable so this is compatible with almost any endpoint. By default, the JSON encrypted with JWT will contain all the items from the match, unless you specify http_post_payload, in which case it will only contain those items. + +Required: + +``http_post_url``: The URL to POST. +``http_post_jwt_key``: The secret key +``http_post_jwt_algorithm``: The encrypt algorithm + +Optional: + +``http_post_payload``: List of keys:values to use as the content of the POST. Example - ip:clientip will map the value from the clientip index of Elasticsearch to JSON key named ip. If not defined, all the Elasticsearch keys will be sent. + +``http_post_static_payload``: Key:value pairs of static parameters to be sent, along with the Elasticsearch results. Put your authentication or other information here. + +``http_post_headers``: Key:value pairs of headers to be sent as part of the request. + +``http_post_proxy``: URL of proxy, if required. + +``http_post_all_values``: Boolean of whether or not to include every key value pair from the match in addition to those in http_post_payload and http_post_static_payload. Defaults to True if http_post_payload is not specified, otherwise False. + +``http_post_timeout``: The timeout value, in seconds, for making the post. The default is 10. If a timeout occurs, the alert will be retried next time elastalert cycles. + +Example usage:: + + alert: jwt_post + http_post_jwt_key: "secret" + http_post_jwt_algorithm: "HS256" + http_post_url: "http://example.com/api" + http_post_payload: + ip: clientip + http_post_static_payload: + apikey: abc123 + http_post_headers: + authorization: Basic 123dr3234 Alerter ~~~~~~~ diff --git a/elastalert/alerts.py b/elastalert/alerts.py index d3fa7518f..8749e5d4e 100644 --- a/elastalert/alerts.py +++ b/elastalert/alerts.py @@ -2,6 +2,7 @@ import copy import datetime import json +import jwt import logging import os import re @@ -65,7 +66,9 @@ def _add_custom_alert_text(self): alert_text = str(self.rule.get('alert_text', '')) if 'alert_text_args' in self.rule: alert_text_args = self.rule.get('alert_text_args') - alert_text_values = [lookup_es_key(self.match, arg) for arg in alert_text_args] + alert_text_values = [ + lookup_es_key(self.match, arg) for arg in alert_text_args + ] # Support referencing other top-level rule properties # This technically may not work if there is a top-level rule property with the same name @@ -76,7 +79,9 @@ def _add_custom_alert_text(self): if alert_value: alert_text_values[i] = alert_value - alert_text_values = [missing if val is None else val for val in alert_text_values] + alert_text_values = [ + missing if val is None else val for val in alert_text_values + ] alert_text = alert_text.format(*alert_text_values) elif 'alert_text_kw' in self.rule: kw = {} @@ -130,10 +135,19 @@ def _add_match_items(self): def _pretty_print_as_json(self, blob): try: - return json.dumps(blob, cls=DateTimeEncoder, sort_keys=True, indent=4, ensure_ascii=False) + return json.dumps( + blob, cls=DateTimeEncoder, sort_keys=True, indent=4, ensure_ascii=False + ) except UnicodeDecodeError: # This blob contains non-unicode, so lets pretend it's Latin-1 to show something - return json.dumps(blob, cls=DateTimeEncoder, sort_keys=True, indent=4, encoding='Latin-1', ensure_ascii=False) + return json.dumps( + blob, + cls=DateTimeEncoder, + sort_keys=True, + indent=4, + encoding='Latin-1', + ensure_ascii=False, + ) def __str__(self): self.text = '' @@ -154,7 +168,13 @@ def __str__(self): class JiraFormattedMatchString(BasicMatchString): def _add_match_items(self): - match_items = dict([(x, y) for x, y in list(self.match.items()) if not x.startswith('top_events_')]) + match_items = dict( + [ + (x, y) + for x, y in list(self.match.items()) + if not x.startswith('top_events_') + ] + ) json_blob = self._pretty_print_as_json(match_items) preformatted_text = '{{code}}{0}{{code}}'.format(json_blob) self.text += preformatted_text @@ -165,6 +185,7 @@ class Alerter(object): :param rule: The rule configuration. """ + required_options = frozenset([]) def __init__(self, rule): @@ -193,7 +214,11 @@ def resolve_rule_references(self, root): def resolve_rule_reference(self, value): strValue = str(value) - if strValue.startswith('$') and strValue.endswith('$') and strValue[1:-1] in self.rule: + if ( + strValue.startswith('$') + and strValue.endswith('$') + and strValue[1:-1] in self.rule + ): if type(value) == int: return int(self.rule[strValue[1:-1]]) else: @@ -229,7 +254,9 @@ def create_custom_title(self, matches): if 'alert_subject_args' in self.rule: alert_subject_args = self.rule['alert_subject_args'] - alert_subject_values = [lookup_es_key(matches[0], arg) for arg in alert_subject_args] + alert_subject_values = [ + lookup_es_key(matches[0], arg) for arg in alert_subject_args + ] # Support referencing other top-level rule properties # This technically may not work if there is a top-level rule property with the same name @@ -241,7 +268,9 @@ def create_custom_title(self, matches): alert_subject_values[i] = alert_value missing = self.rule.get('alert_missing_value', '') - alert_subject_values = [missing if val is None else val for val in alert_subject_values] + alert_subject_values = [ + missing if val is None else val for val in alert_subject_values + ] alert_subject = alert_subject.format(*alert_subject_values) if len(alert_subject) > alert_subject_max_len: @@ -275,7 +304,9 @@ def get_aggregation_summary_text(self, matches): text += "Aggregation resulted in the following data for summary_table_fields ==> {0}:\n\n".format( summary_table_fields_with_count ) - text_table = Texttable(max_width=self.get_aggregation_summary_text__maximum_width()) + text_table = Texttable( + max_width=self.get_aggregation_summary_text__maximum_width() + ) text_table.header(summary_table_fields_with_count) # Format all fields as 'text' to avoid long numbers being shown as scientific notation text_table.set_cols_dtype(['t' for i in summary_table_fields_with_count]) @@ -283,7 +314,9 @@ def get_aggregation_summary_text(self, matches): # Maintain an aggregate count for each unique key encountered in the aggregation period for match in matches: - key_tuple = tuple([str(lookup_es_key(match, key)) for key in summary_table_fields]) + key_tuple = tuple( + [str(lookup_es_key(match, key)) for key in summary_table_fields] + ) if key_tuple not in match_aggregation: match_aggregation[key_tuple] = 1 else: @@ -306,7 +339,9 @@ def get_account(self, account_file): if os.path.isabs(account_file): account_file_path = account_file else: - account_file_path = os.path.join(os.path.dirname(self.rule['rule_file']), account_file) + account_file_path = os.path.join( + os.path.dirname(self.rule['rule_file']), account_file + ) account_conf = yaml_loader(account_file_path) if 'user' not in account_conf or 'password' not in account_conf: raise EAException('Account file must have user and password fields') @@ -316,8 +351,10 @@ def get_account(self, account_file): class StompAlerter(Alerter): """ The stomp alerter publishes alerts via stomp to a broker. """ + required_options = frozenset( - ['stomp_hostname', 'stomp_hostport', 'stomp_login', 'stomp_password']) + ['stomp_hostname', 'stomp_hostport', 'stomp_login', 'stomp_password'] + ) def alert(self, matches): alerts = [] @@ -333,21 +370,40 @@ def alert(self, matches): if resmatch is not None: elastalert_logger.info( - 'Alert for %s, %s at %s:' % (self.rule['name'], resmatch, lookup_es_key(match, self.rule['timestamp_field']))) + 'Alert for %s, %s at %s:' + % ( + self.rule['name'], + resmatch, + lookup_es_key(match, self.rule['timestamp_field']), + ) + ) alerts.append( - 'Alert for %s, %s at %s:' % (self.rule['name'], resmatch, lookup_es_key( - match, self.rule['timestamp_field'])) + 'Alert for %s, %s at %s:' + % ( + self.rule['name'], + resmatch, + lookup_es_key(match, self.rule['timestamp_field']), + ) ) fullmessage['match'] = resmatch else: - elastalert_logger.info('Rule %s generated an alert at %s:' % ( - self.rule['name'], lookup_es_key(match, self.rule['timestamp_field']))) + elastalert_logger.info( + 'Rule %s generated an alert at %s:' + % ( + self.rule['name'], + lookup_es_key(match, self.rule['timestamp_field']), + ) + ) alerts.append( - 'Rule %s generated an alert at %s:' % (self.rule['name'], lookup_es_key( - match, self.rule['timestamp_field'])) + 'Rule %s generated an alert at %s:' + % ( + self.rule['name'], + lookup_es_key(match, self.rule['timestamp_field']), + ) ) fullmessage['match'] = lookup_es_key( - match, self.rule['timestamp_field']) + match, self.rule['timestamp_field'] + ) elastalert_logger.info(str(BasicMatchString(self.rule, match))) fullmessage['alerts'] = alerts @@ -355,8 +411,7 @@ def alert(self, matches): fullmessage['rule_file'] = self.rule['rule_file'] fullmessage['matching'] = str(BasicMatchString(self.rule, match)) - fullmessage['alertDate'] = datetime.datetime.now( - ).strftime("%Y-%m-%d %H:%M:%S") + fullmessage['alertDate'] = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S") fullmessage['body'] = self.create_alert_body(matches) fullmessage['matches'] = matches @@ -365,11 +420,12 @@ def alert(self, matches): self.stomp_hostport = self.rule.get('stomp_hostport', '61613') self.stomp_login = self.rule.get('stomp_login', 'admin') self.stomp_password = self.rule.get('stomp_password', 'admin') - self.stomp_destination = self.rule.get( - 'stomp_destination', '/queue/ALERT') + self.stomp_destination = self.rule.get('stomp_destination', '/queue/ALERT') self.stomp_ssl = self.rule.get('stomp_ssl', False) - conn = stomp.Connection([(self.stomp_hostname, self.stomp_hostport)], use_ssl=self.stomp_ssl) + conn = stomp.Connection( + [(self.stomp_hostname, self.stomp_hostport)], use_ssl=self.stomp_ssl + ) conn.start() conn.connect(self.stomp_login, self.stomp_password) @@ -390,9 +446,21 @@ def alert(self, matches): for match in matches: if qk in match: elastalert_logger.info( - 'Alert for %s, %s at %s:' % (self.rule['name'], match[qk], lookup_es_key(match, self.rule['timestamp_field']))) + 'Alert for %s, %s at %s:' + % ( + self.rule['name'], + match[qk], + lookup_es_key(match, self.rule['timestamp_field']), + ) + ) else: - elastalert_logger.info('Alert for %s at %s:' % (self.rule['name'], lookup_es_key(match, self.rule['timestamp_field']))) + elastalert_logger.info( + 'Alert for %s at %s:' + % ( + self.rule['name'], + lookup_es_key(match, self.rule['timestamp_field']), + ) + ) elastalert_logger.info(str(BasicMatchString(self.rule, match))) def get_info(self): @@ -401,6 +469,7 @@ def get_info(self): class EmailAlerter(Alerter): """ Sends an email alert """ + required_options = frozenset(['email']) def __init__(self, *args): @@ -434,7 +503,10 @@ def alert(self, matches): # Add JIRA ticket if it exists if self.pipeline is not None and 'jira_ticket' in self.pipeline: - url = '%s/browse/%s' % (self.pipeline['jira_server'], self.pipeline['jira_ticket']) + url = '%s/browse/%s' % ( + self.pipeline['jira_server'], + self.pipeline['jira_ticket'], + ) body += '\nJIRA ticket: %s' % (url) to_addr = self.rule['email'] @@ -467,9 +539,18 @@ def alert(self, matches): try: if self.smtp_ssl: if self.smtp_port: - self.smtp = SMTP_SSL(self.smtp_host, self.smtp_port, keyfile=self.smtp_key_file, certfile=self.smtp_cert_file) + self.smtp = SMTP_SSL( + self.smtp_host, + self.smtp_port, + keyfile=self.smtp_key_file, + certfile=self.smtp_cert_file, + ) else: - self.smtp = SMTP_SSL(self.smtp_host, keyfile=self.smtp_key_file, certfile=self.smtp_cert_file) + self.smtp = SMTP_SSL( + self.smtp_host, + keyfile=self.smtp_key_file, + certfile=self.smtp_cert_file, + ) else: if self.smtp_port: self.smtp = SMTP(self.smtp_host, self.smtp_port) @@ -477,7 +558,9 @@ def alert(self, matches): self.smtp = SMTP(self.smtp_host) self.smtp.ehlo() if self.smtp.has_extn('STARTTLS'): - self.smtp.starttls(keyfile=self.smtp_key_file, certfile=self.smtp_cert_file) + self.smtp.starttls( + keyfile=self.smtp_key_file, certfile=self.smtp_cert_file + ) if 'smtp_auth_file' in self.rule: self.smtp.login(self.user, self.password) except (SMTPException, error) as e: @@ -501,13 +584,15 @@ def create_default_title(self, matches): return subject def get_info(self): - return {'type': 'email', - 'recipients': self.rule['email']} + return {'type': 'email', 'recipients': self.rule['email']} class JiraAlerter(Alerter): """ Creates a Jira ticket for each alert """ - required_options = frozenset(['jira_server', 'jira_account_file', 'jira_project', 'jira_issuetype']) + + required_options = frozenset( + ['jira_server', 'jira_account_file', 'jira_project', 'jira_issuetype'] + ) # Maintain a static set of built-in fields that we explicitly know how to set # For anything else, we will do best-effort and try to set a string value @@ -559,7 +644,9 @@ def __init__(self, rule): # We used to support only a single component. This allows us to maintain backwards compatibility # while also giving the user-facing API a more representative name - self.components = self.rule.get('jira_components', self.rule.get('jira_component')) + self.components = self.rule.get( + 'jira_components', self.rule.get('jira_component') + ) # We used to support only a single label. This allows us to maintain backwards compatibility # while also giving the user-facing API a more representative name @@ -579,12 +666,16 @@ def __init__(self, rule): self.client = None if self.bump_in_statuses and self.bump_not_in_statuses: - msg = 'Both jira_bump_in_statuses (%s) and jira_bump_not_in_statuses (%s) are set.' % \ - (','.join(self.bump_in_statuses), ','.join(self.bump_not_in_statuses)) + msg = ( + 'Both jira_bump_in_statuses (%s) and jira_bump_not_in_statuses (%s) are set.' + % (','.join(self.bump_in_statuses), ','.join(self.bump_not_in_statuses)) + ) intersection = list(set(self.bump_in_statuses) & set(self.bump_in_statuses)) if intersection: - msg = '%s Both have common statuses of (%s). As such, no tickets will ever be found.' % ( - msg, ','.join(intersection)) + msg = ( + '%s Both have common statuses of (%s). As such, no tickets will ever be found.' + % (msg, ','.join(intersection)) + ) msg += ' This should be simplified to use only one or the other.' logging.warning(msg) @@ -597,7 +688,9 @@ def __init__(self, rule): self.get_arbitrary_fields() except JIRAError as e: # JIRAError may contain HTML, pass along only first 1024 chars - raise EAException("Error connecting to JIRA: %s" % (str(e)[:1024])).with_traceback(sys.exc_info()[2]) + raise EAException( + "Error connecting to JIRA: %s" % (str(e)[:1024]) + ).with_traceback(sys.exc_info()[2]) self.set_priority() @@ -606,18 +699,25 @@ def set_priority(self): if self.priority is not None and self.client is not None: self.jira_args['priority'] = {'id': self.priority_ids[self.priority]} except KeyError: - logging.error("Priority %s not found. Valid priorities are %s" % (self.priority, list(self.priority_ids.keys()))) + logging.error( + "Priority %s not found. Valid priorities are %s" + % (self.priority, list(self.priority_ids.keys())) + ) def reset_jira_args(self): - self.jira_args = {'project': {'key': self.project}, - 'issuetype': {'name': self.issue_type}} + self.jira_args = { + 'project': {'key': self.project}, + 'issuetype': {'name': self.issue_type}, + } if self.components: # Support single component or list if type(self.components) != list: self.jira_args['components'] = [{'name': self.components}] else: - self.jira_args['components'] = [{'name': component} for component in self.components] + self.jira_args['components'] = [ + {'name': component} for component in self.components + ] if self.labels: # Support single label or list if type(self.labels) != list: @@ -637,19 +737,34 @@ def set_jira_arg(self, jira_field, value, fields): normalized_jira_field = jira_field[5:].replace('_', ' ').lower() # All jira fields should be found in the 'id' or the 'name' field. Therefore, try both just in case for identifier in ['name', 'id']: - field = next((f for f in fields if normalized_jira_field == f[identifier].replace('_', ' ').lower()), None) + field = next( + ( + f + for f in fields + if normalized_jira_field == f[identifier].replace('_', ' ').lower() + ), + None, + ) if field: break if not field: # Log a warning to ElastAlert saying that we couldn't find that type? # OR raise and fail to load the alert entirely? Probably the latter... - raise Exception("Could not find a definition for the jira field '{0}'".format(normalized_jira_field)) + raise Exception( + "Could not find a definition for the jira field '{0}'".format( + normalized_jira_field + ) + ) arg_name = field['id'] # Check the schema information to decide how to set the value correctly # If the schema information is not available, raise an exception since we don't know how to set it # Note this is only the case for two built-in types, id: issuekey and id: thumbnail if not ('schema' in field or 'type' in field['schema']): - raise Exception("Could not determine schema information for the jira field '{0}'".format(normalized_jira_field)) + raise Exception( + "Could not determine schema information for the jira field '{0}'".format( + normalized_jira_field + ) + ) arg_type = field['schema']['type'] # Handle arrays of simple types like strings or numbers @@ -663,7 +778,11 @@ def set_jira_arg(self, jira_field, value, fields): if array_items in ['string', 'date', 'datetime']: # Special case for multi-select custom types (the JIRA metadata says that these are strings, but # in reality, they are required to be provided as an object. - if 'custom' in field['schema'] and field['schema']['custom'] in self.custom_string_types_with_special_handling: + if ( + 'custom' in field['schema'] + and field['schema']['custom'] + in self.custom_string_types_with_special_handling + ): self.jira_args[arg_name] = [{'value': v} for v in value] else: self.jira_args[arg_name] = value @@ -683,7 +802,11 @@ def set_jira_arg(self, jira_field, value, fields): if arg_type in ['string', 'date', 'datetime']: # Special case for custom types (the JIRA metadata says that these are strings, but # in reality, they are required to be provided as an object. - if 'custom' in field['schema'] and field['schema']['custom'] in self.custom_string_types_with_special_handling: + if ( + 'custom' in field['schema'] + and field['schema']['custom'] + in self.custom_string_types_with_special_handling + ): self.jira_args[arg_name] = {'value': value} else: self.jira_args[arg_name] = value @@ -704,9 +827,17 @@ def get_arbitrary_fields(self): # If we find a field that is not covered by the set that we are aware of, it means it is either: # 1. A built-in supported field in JIRA that we don't have on our radar # 2. A custom field that a JIRA admin has configured - if jira_field.startswith('jira_') and jira_field not in self.known_field_list and str(value)[:1] != '#': + if ( + jira_field.startswith('jira_') + and jira_field not in self.known_field_list + and str(value)[:1] != '#' + ): self.set_jira_arg(jira_field, value, self.jira_fields) - if jira_field.startswith('jira_') and jira_field not in self.known_field_list and str(value)[:1] == '#': + if ( + jira_field.startswith('jira_') + and jira_field not in self.known_field_list + and str(value)[:1] == '#' + ): self.deferred_settings.append(jira_field) def get_priorities(self): @@ -731,25 +862,49 @@ def find_existing_ticket(self, matches): title = self.create_title(matches) if 'jira_ignore_in_title' in self.rule: - title = title.replace(matches[0].get(self.rule['jira_ignore_in_title'], ''), '') + title = title.replace( + matches[0].get(self.rule['jira_ignore_in_title'], ''), '' + ) # This is necessary for search to work. Other special characters and dashes # directly adjacent to words appear to be ok title = title.replace(' - ', ' ') title = title.replace('\\', '\\\\') - date = (datetime.datetime.now() - datetime.timedelta(days=self.max_age)).strftime('%Y-%m-%d') - jql = 'project=%s AND summary~"%s" and created >= "%s"' % (self.project, title, date) + date = ( + datetime.datetime.now() - datetime.timedelta(days=self.max_age) + ).strftime('%Y-%m-%d') + jql = 'project=%s AND summary~"%s" and created >= "%s"' % ( + self.project, + title, + date, + ) if self.bump_in_statuses: - jql = '%s and status in (%s)' % (jql, ','.join(["\"%s\"" % status if ' ' in status else status for status - in self.bump_in_statuses])) + jql = '%s and status in (%s)' % ( + jql, + ','.join( + [ + "\"%s\"" % status if ' ' in status else status + for status in self.bump_in_statuses + ] + ), + ) if self.bump_not_in_statuses: - jql = '%s and status not in (%s)' % (jql, ','.join(["\"%s\"" % status if ' ' in status else status - for status in self.bump_not_in_statuses])) + jql = '%s and status not in (%s)' % ( + jql, + ','.join( + [ + "\"%s\"" % status if ' ' in status else status + for status in self.bump_not_in_statuses + ] + ), + ) try: issues = self.client.search_issues(jql) except JIRAError as e: - logging.exception("Error while searching for JIRA ticket using jql '%s': %s" % (jql, e)) + logging.exception( + "Error while searching for JIRA ticket using jql '%s': %s" % (jql, e) + ) return None if len(issues): @@ -781,30 +936,43 @@ def alert(self, matches): if self.bump_tickets: ticket = self.find_existing_ticket(matches) if ticket: - inactivity_datetime = ts_now() - datetime.timedelta(days=self.bump_after_inactivity) + inactivity_datetime = ts_now() - datetime.timedelta( + days=self.bump_after_inactivity + ) if ts_to_dt(ticket.fields.updated) >= inactivity_datetime: if self.pipeline is not None: self.pipeline['jira_ticket'] = None self.pipeline['jira_server'] = self.server return None - elastalert_logger.info('Commenting on existing ticket %s' % (ticket.key)) + elastalert_logger.info( + 'Commenting on existing ticket %s' % (ticket.key) + ) for match in matches: try: self.comment_on_ticket(ticket, match) except JIRAError as e: - logging.exception("Error while commenting on ticket %s: %s" % (ticket, e)) + logging.exception( + "Error while commenting on ticket %s: %s" % (ticket, e) + ) if self.labels: for label in self.labels: try: ticket.fields.labels.append(label) except JIRAError as e: - logging.exception("Error while appending labels to ticket %s: %s" % (ticket, e)) + logging.exception( + "Error while appending labels to ticket %s: %s" + % (ticket, e) + ) if self.transition: - elastalert_logger.info('Transitioning existing ticket %s' % (ticket.key)) + elastalert_logger.info( + 'Transitioning existing ticket %s' % (ticket.key) + ) try: self.transition_ticket(ticket) except JIRAError as e: - logging.exception("Error while transitioning ticket %s: %s" % (ticket, e)) + logging.exception( + "Error while transitioning ticket %s: %s" % (ticket, e) + ) if self.pipeline is not None: self.pipeline['jira_ticket'] = ticket @@ -828,13 +996,16 @@ def alert(self, matches): # Re-raise the exception, preserve the stack-trace, and give some # context as to which watcher failed to be added raise Exception( - "Exception encountered when trying to add '{0}' as a watcher. Does the user exist?\n{1}" .format( - watcher, - ex - )).with_traceback(sys.exc_info()[2]) + "Exception encountered when trying to add '{0}' as a watcher. Does the user exist?\n{1}".format( + watcher, ex + ) + ).with_traceback(sys.exc_info()[2]) except JIRAError as e: - raise EAException("Error creating JIRA ticket using jira_args (%s): %s" % (self.jira_args, e)) + raise EAException( + "Error creating JIRA ticket using jira_args (%s): %s" + % (self.jira_args, e) + ) elastalert_logger.info("Opened Jira ticket: %s" % (self.issue)) if self.pipeline is not None: @@ -860,15 +1031,25 @@ def get_aggregation_summary_text(self, matches): def create_default_title(self, matches, for_search=False): # If there is a query_key, use that in the title - if 'query_key' in self.rule and lookup_es_key(matches[0], self.rule['query_key']): - title = 'ElastAlert: %s matched %s' % (lookup_es_key(matches[0], self.rule['query_key']), self.rule['name']) + if 'query_key' in self.rule and lookup_es_key( + matches[0], self.rule['query_key'] + ): + title = 'ElastAlert: %s matched %s' % ( + lookup_es_key(matches[0], self.rule['query_key']), + self.rule['name'], + ) else: title = 'ElastAlert: %s' % (self.rule['name']) if for_search: return title - title += ' - %s' % (pretty_ts(matches[0][self.rule['timestamp_field']], self.rule.get('use_local_time'))) + title += ' - %s' % ( + pretty_ts( + matches[0][self.rule['timestamp_field']], + self.rule.get('use_local_time'), + ) + ) # Add count for spikes count = matches[0].get('spike_count') @@ -897,13 +1078,19 @@ def __init__(self, *args): self.rule['command'] = [self.rule['command']] self.new_style_string_format = False - if 'new_style_string_format' in self.rule and self.rule['new_style_string_format']: + if ( + 'new_style_string_format' in self.rule + and self.rule['new_style_string_format'] + ): self.new_style_string_format = True def alert(self, matches): # Format the command and arguments try: - command = [resolve_string(command_arg, matches[0]) for command_arg in self.rule['command']] + command = [ + resolve_string(command_arg, matches[0]) + for command_arg in self.rule['command'] + ] self.last_command = command except KeyError as e: raise EAException("Error formatting command: %s" % (e)) @@ -919,17 +1106,21 @@ def alert(self, matches): alert_text = self.create_alert_body(matches) stdout, stderr = subp.communicate(input=alert_text.encode()) if self.rule.get("fail_on_non_zero_exit", False) and subp.wait(): - raise EAException("Non-zero exit code while running command %s" % (' '.join(command))) + raise EAException( + "Non-zero exit code while running command %s" % (' '.join(command)) + ) except OSError as e: - raise EAException("Error while running command %s: %s" % (' '.join(command), e)) + raise EAException( + "Error while running command %s: %s" % (' '.join(command), e) + ) def get_info(self): - return {'type': 'command', - 'command': ' '.join(self.last_command)} + return {'type': 'command', 'command': ' '.join(self.last_command)} class SnsAlerter(Alerter): """ Send alert using AWS SNS service """ + required_options = frozenset(['sns_topic_arn']) def __init__(self, *args): @@ -952,19 +1143,20 @@ def alert(self, matches): aws_access_key_id=self.aws_access_key_id, aws_secret_access_key=self.aws_secret_access_key, region_name=self.aws_region, - profile_name=self.profile + profile_name=self.profile, ) sns_client = session.client('sns') sns_client.publish( TopicArn=self.sns_topic_arn, Message=body, - Subject=self.create_title(matches) + Subject=self.create_title(matches), ) elastalert_logger.info("Sent sns notification to %s" % (self.sns_topic_arn)) class HipChatAlerter(Alerter): """ Creates a HipChat room notification for each alert """ + required_options = frozenset(['hipchat_auth_token', 'hipchat_room_id']) def __init__(self, rule): @@ -974,11 +1166,16 @@ def __init__(self, rule): self.hipchat_auth_token = self.rule['hipchat_auth_token'] self.hipchat_room_id = self.rule['hipchat_room_id'] self.hipchat_domain = self.rule.get('hipchat_domain', 'api.hipchat.com') - self.hipchat_ignore_ssl_errors = self.rule.get('hipchat_ignore_ssl_errors', False) + self.hipchat_ignore_ssl_errors = self.rule.get( + 'hipchat_ignore_ssl_errors', False + ) self.hipchat_notify = self.rule.get('hipchat_notify', True) self.hipchat_from = self.rule.get('hipchat_from', '') self.url = 'https://%s/v2/room/%s/notification?auth_token=%s' % ( - self.hipchat_domain, self.hipchat_room_id, self.hipchat_auth_token) + self.hipchat_domain, + self.hipchat_room_id, + self.hipchat_auth_token, + ) self.hipchat_proxy = self.rule.get('hipchat_proxy', None) def create_alert_body(self, matches): @@ -996,7 +1193,7 @@ def create_alert_body(self, matches): truncated_message = '..(truncated)' truncate_to = 10000 - len(truncated_message) - if (len(body) > 9999): + if len(body) > 9999: body = body[:truncate_to] + truncated_message return body @@ -1013,7 +1210,7 @@ def alert(self, matches): 'message': body, 'message_format': self.hipchat_message_format, 'notify': self.hipchat_notify, - 'from': self.hipchat_from + 'from': self.hipchat_from, } try: @@ -1033,11 +1230,16 @@ def alert(self, matches): data=json.dumps(ping_msg, cls=DateTimeEncoder), headers=headers, verify=not self.hipchat_ignore_ssl_errors, - proxies=proxies) + proxies=proxies, + ) - response = requests.post(self.url, data=json.dumps(payload, cls=DateTimeEncoder), headers=headers, - verify=not self.hipchat_ignore_ssl_errors, - proxies=proxies) + response = requests.post( + self.url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + verify=not self.hipchat_ignore_ssl_errors, + proxies=proxies, + ) warnings.resetwarnings() response.raise_for_status() except RequestException as e: @@ -1045,12 +1247,12 @@ def alert(self, matches): elastalert_logger.info("Alert sent to HipChat room %s" % self.hipchat_room_id) def get_info(self): - return {'type': 'hipchat', - 'hipchat_room_id': self.hipchat_room_id} + return {'type': 'hipchat', 'hipchat_room_id': self.hipchat_room_id} class MsTeamsAlerter(Alerter): """ Creates a Microsoft Teams Conversation Message for each alert """ + required_options = frozenset(['ms_teams_webhook_url', 'ms_teams_alert_summary']) def __init__(self, rule): @@ -1059,14 +1261,20 @@ def __init__(self, rule): if isinstance(self.ms_teams_webhook_url, str): self.ms_teams_webhook_url = [self.ms_teams_webhook_url] self.ms_teams_proxy = self.rule.get('ms_teams_proxy', None) - self.ms_teams_alert_summary = self.rule.get('ms_teams_alert_summary', 'ElastAlert Message') - self.ms_teams_alert_fixed_width = self.rule.get('ms_teams_alert_fixed_width', False) + self.ms_teams_alert_summary = self.rule.get( + 'ms_teams_alert_summary', 'ElastAlert Message' + ) + self.ms_teams_alert_fixed_width = self.rule.get( + 'ms_teams_alert_fixed_width', False + ) self.ms_teams_theme_color = self.rule.get('ms_teams_theme_color', '') def format_body(self, body): if self.ms_teams_alert_fixed_width: body = body.replace('`', "'") - body = "```{0}```".format('```\n\n```'.join(x for x in body.split('\n'))).replace('\n``````', '') + body = "```{0}```".format( + '```\n\n```'.join(x for x in body.split('\n')) + ).replace('\n``````', '') return body def alert(self, matches): @@ -1082,26 +1290,31 @@ def alert(self, matches): '@context': 'http://schema.org/extensions', 'summary': self.ms_teams_alert_summary, 'title': self.create_title(matches), - 'text': body + 'text': body, } if self.ms_teams_theme_color != '': payload['themeColor'] = self.ms_teams_theme_color for url in self.ms_teams_webhook_url: try: - response = requests.post(url, data=json.dumps(payload, cls=DateTimeEncoder), headers=headers, proxies=proxies) + response = requests.post( + url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + proxies=proxies, + ) response.raise_for_status() except RequestException as e: raise EAException("Error posting to ms teams: %s" % e) elastalert_logger.info("Alert sent to MS Teams") def get_info(self): - return {'type': 'ms_teams', - 'ms_teams_webhook_url': self.ms_teams_webhook_url} + return {'type': 'ms_teams', 'ms_teams_webhook_url': self.ms_teams_webhook_url} class SlackAlerter(Alerter): """ Creates a Slack room message for each alert """ + required_options = frozenset(['slack_webhook_url']) def __init__(self, rule): @@ -1110,7 +1323,9 @@ def __init__(self, rule): if isinstance(self.slack_webhook_url, str): self.slack_webhook_url = [self.slack_webhook_url] self.slack_proxy = self.rule.get('slack_proxy', None) - self.slack_username_override = self.rule.get('slack_username_override', 'elastalert') + self.slack_username_override = self.rule.get( + 'slack_username_override', 'elastalert' + ) self.slack_channel_override = self.rule.get('slack_channel_override', '') if isinstance(self.slack_channel_override, str): self.slack_channel_override = [self.slack_channel_override] @@ -1125,9 +1340,15 @@ def __init__(self, rule): self.slack_ignore_ssl_errors = self.rule.get('slack_ignore_ssl_errors', False) self.slack_timeout = self.rule.get('slack_timeout', 10) self.slack_ca_certs = self.rule.get('slack_ca_certs') - self.slack_attach_kibana_discover_url = self.rule.get('slack_attach_kibana_discover_url', False) - self.slack_kibana_discover_color = self.rule.get('slack_kibana_discover_color', '#ec4b98') - self.slack_kibana_discover_title = self.rule.get('slack_kibana_discover_title', 'Discover in Kibana') + self.slack_attach_kibana_discover_url = self.rule.get( + 'slack_attach_kibana_discover_url', False + ) + self.slack_kibana_discover_color = self.rule.get( + 'slack_kibana_discover_color', '#ec4b98' + ) + self.slack_kibana_discover_title = self.rule.get( + 'slack_kibana_discover_title', 'Discover in Kibana' + ) def format_body(self, body): # https://api.slack.com/docs/formatting @@ -1170,9 +1391,9 @@ def alert(self, matches): 'title': self.create_title(matches), 'text': body, 'mrkdwn_in': ['text', 'pretext'], - 'fields': [] + 'fields': [], } - ] + ], } # if we have defined fields, populate noteable fields for the alert @@ -1193,11 +1414,13 @@ def alert(self, matches): if self.slack_attach_kibana_discover_url: kibana_discover_url = lookup_es_key(matches[0], 'kibana_discover_url') if kibana_discover_url: - payload['attachments'].append({ - 'color': self.slack_kibana_discover_color, - 'title': self.slack_kibana_discover_title, - 'title_link': kibana_discover_url - }) + payload['attachments'].append( + { + 'color': self.slack_kibana_discover_color, + 'title': self.slack_kibana_discover_title, + 'title_link': kibana_discover_url, + } + ) for url in self.slack_webhook_url: for channel_override in self.slack_channel_override: @@ -1210,10 +1433,13 @@ def alert(self, matches): requests.packages.urllib3.disable_warnings() payload['channel'] = channel_override response = requests.post( - url, data=json.dumps(payload, cls=DateTimeEncoder), - headers=headers, verify=verify, + url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + verify=verify, proxies=proxies, - timeout=self.slack_timeout) + timeout=self.slack_timeout, + ) warnings.resetwarnings() response.raise_for_status() except RequestException as e: @@ -1221,12 +1447,15 @@ def alert(self, matches): elastalert_logger.info("Alert '%s' sent to Slack" % self.rule['name']) def get_info(self): - return {'type': 'slack', - 'slack_username_override': self.slack_username_override} + return { + 'type': 'slack', + 'slack_username_override': self.slack_username_override, + } class MattermostAlerter(Alerter): """ Creates a Mattermsot post for each alert """ + required_options = frozenset(['mattermost_webhook_url']) def __init__(self, rule): @@ -1237,12 +1466,20 @@ def __init__(self, rule): if isinstance(self.mattermost_webhook_url, str): self.mattermost_webhook_url = [self.mattermost_webhook_url] self.mattermost_proxy = self.rule.get('mattermost_proxy', None) - self.mattermost_ignore_ssl_errors = self.rule.get('mattermost_ignore_ssl_errors', False) + self.mattermost_ignore_ssl_errors = self.rule.get( + 'mattermost_ignore_ssl_errors', False + ) # Override webhook config - self.mattermost_username_override = self.rule.get('mattermost_username_override', 'elastalert') - self.mattermost_channel_override = self.rule.get('mattermost_channel_override', '') - self.mattermost_icon_url_override = self.rule.get('mattermost_icon_url_override', '') + self.mattermost_username_override = self.rule.get( + 'mattermost_username_override', 'elastalert' + ) + self.mattermost_channel_override = self.rule.get( + 'mattermost_channel_override', '' + ) + self.mattermost_icon_url_override = self.rule.get( + 'mattermost_icon_url_override', '' + ) # Message properties self.mattermost_msg_pretext = self.rule.get('mattermost_msg_pretext', '') @@ -1250,7 +1487,9 @@ def __init__(self, rule): self.mattermost_msg_fields = self.rule.get('mattermost_msg_fields', '') def get_aggregation_summary_text__maximum_width(self): - width = super(MattermostAlerter, self).get_aggregation_summary_text__maximum_width() + width = super( + MattermostAlerter, self + ).get_aggregation_summary_text__maximum_width() # Reduced maximum width for prettier Mattermost display. return min(width, 75) @@ -1266,12 +1505,14 @@ def populate_fields(self, matches): for field in self.mattermost_msg_fields: field = copy.copy(field) if 'args' in field: - args_values = [lookup_es_key(matches[0], arg) or missing for arg in field['args']] + args_values = [ + lookup_es_key(matches[0], arg) or missing for arg in field['args'] + ] if 'value' in field: field['value'] = field['value'].format(*args_values) else: field['value'] = "\n".join(str(arg) for arg in args_values) - del(field['args']) + del field['args'] alert_fields.append(field) return alert_fields @@ -1290,7 +1531,7 @@ def alert(self, matches): 'color': self.mattermost_msg_color, 'title': title, 'pretext': self.mattermost_msg_pretext, - 'fields': [] + 'fields': [], } ] } @@ -1318,9 +1559,12 @@ def alert(self, matches): requests.urllib3.disable_warnings() response = requests.post( - url, data=json.dumps(payload, cls=DateTimeEncoder), - headers=headers, verify=not self.mattermost_ignore_ssl_errors, - proxies=proxies) + url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + verify=not self.mattermost_ignore_ssl_errors, + proxies=proxies, + ) warnings.resetwarnings() response.raise_for_status() @@ -1329,13 +1573,16 @@ def alert(self, matches): elastalert_logger.info("Alert sent to Mattermost") def get_info(self): - return {'type': 'mattermost', - 'mattermost_username_override': self.mattermost_username_override, - 'mattermost_webhook_url': self.mattermost_webhook_url} + return { + 'type': 'mattermost', + 'mattermost_username_override': self.mattermost_username_override, + 'mattermost_webhook_url': self.mattermost_webhook_url, + } class PagerDutyAlerter(Alerter): """ Create an incident on PagerDuty for each alert """ + required_options = frozenset(['pagerduty_service_key', 'pagerduty_client_name']) def __init__(self, rule): @@ -1343,25 +1590,47 @@ def __init__(self, rule): self.pagerduty_service_key = self.rule['pagerduty_service_key'] self.pagerduty_client_name = self.rule['pagerduty_client_name'] self.pagerduty_incident_key = self.rule.get('pagerduty_incident_key', '') - self.pagerduty_incident_key_args = self.rule.get('pagerduty_incident_key_args', None) + self.pagerduty_incident_key_args = self.rule.get( + 'pagerduty_incident_key_args', None + ) self.pagerduty_event_type = self.rule.get('pagerduty_event_type', 'trigger') self.pagerduty_proxy = self.rule.get('pagerduty_proxy', None) self.pagerduty_api_version = self.rule.get('pagerduty_api_version', 'v1') - self.pagerduty_v2_payload_class = self.rule.get('pagerduty_v2_payload_class', '') - self.pagerduty_v2_payload_class_args = self.rule.get('pagerduty_v2_payload_class_args', None) - self.pagerduty_v2_payload_component = self.rule.get('pagerduty_v2_payload_component', '') - self.pagerduty_v2_payload_component_args = self.rule.get('pagerduty_v2_payload_component_args', None) - self.pagerduty_v2_payload_group = self.rule.get('pagerduty_v2_payload_group', '') - self.pagerduty_v2_payload_group_args = self.rule.get('pagerduty_v2_payload_group_args', None) - self.pagerduty_v2_payload_severity = self.rule.get('pagerduty_v2_payload_severity', 'critical') - self.pagerduty_v2_payload_source = self.rule.get('pagerduty_v2_payload_source', 'ElastAlert') - self.pagerduty_v2_payload_source_args = self.rule.get('pagerduty_v2_payload_source_args', None) + self.pagerduty_v2_payload_class = self.rule.get( + 'pagerduty_v2_payload_class', '' + ) + self.pagerduty_v2_payload_class_args = self.rule.get( + 'pagerduty_v2_payload_class_args', None + ) + self.pagerduty_v2_payload_component = self.rule.get( + 'pagerduty_v2_payload_component', '' + ) + self.pagerduty_v2_payload_component_args = self.rule.get( + 'pagerduty_v2_payload_component_args', None + ) + self.pagerduty_v2_payload_group = self.rule.get( + 'pagerduty_v2_payload_group', '' + ) + self.pagerduty_v2_payload_group_args = self.rule.get( + 'pagerduty_v2_payload_group_args', None + ) + self.pagerduty_v2_payload_severity = self.rule.get( + 'pagerduty_v2_payload_severity', 'critical' + ) + self.pagerduty_v2_payload_source = self.rule.get( + 'pagerduty_v2_payload_source', 'ElastAlert' + ) + self.pagerduty_v2_payload_source_args = self.rule.get( + 'pagerduty_v2_payload_source_args', None + ) if self.pagerduty_api_version == 'v2': self.url = 'https://events.pagerduty.com/v2/enqueue' else: - self.url = 'https://events.pagerduty.com/generic/2010-04-15/create_event.json' + self.url = ( + 'https://events.pagerduty.com/generic/2010-04-15/create_event.json' + ) def alert(self, matches): body = self.create_alert_body(matches) @@ -1375,26 +1644,34 @@ def alert(self, matches): 'dedup_key': self.get_incident_key(matches), 'client': self.pagerduty_client_name, 'payload': { - 'class': self.resolve_formatted_key(self.pagerduty_v2_payload_class, - self.pagerduty_v2_payload_class_args, - matches), - 'component': self.resolve_formatted_key(self.pagerduty_v2_payload_component, - self.pagerduty_v2_payload_component_args, - matches), - 'group': self.resolve_formatted_key(self.pagerduty_v2_payload_group, - self.pagerduty_v2_payload_group_args, - matches), + 'class': self.resolve_formatted_key( + self.pagerduty_v2_payload_class, + self.pagerduty_v2_payload_class_args, + matches, + ), + 'component': self.resolve_formatted_key( + self.pagerduty_v2_payload_component, + self.pagerduty_v2_payload_component_args, + matches, + ), + 'group': self.resolve_formatted_key( + self.pagerduty_v2_payload_group, + self.pagerduty_v2_payload_group_args, + matches, + ), 'severity': self.pagerduty_v2_payload_severity, - 'source': self.resolve_formatted_key(self.pagerduty_v2_payload_source, - self.pagerduty_v2_payload_source_args, - matches), + 'source': self.resolve_formatted_key( + self.pagerduty_v2_payload_source, + self.pagerduty_v2_payload_source_args, + matches, + ), 'summary': self.create_title(matches), - 'custom_details': { - 'information': body, - }, + 'custom_details': {'information': body,}, }, } - match_timestamp = lookup_es_key(matches[0], self.rule.get('timestamp_field', '@timestamp')) + match_timestamp = lookup_es_key( + matches[0], self.rule.get('timestamp_field', '@timestamp') + ) if match_timestamp: payload['payload']['timestamp'] = match_timestamp else: @@ -1404,9 +1681,7 @@ def alert(self, matches): 'event_type': self.pagerduty_event_type, 'incident_key': self.get_incident_key(matches), 'client': self.pagerduty_client_name, - 'details': { - "information": body, - }, + 'details': {"information": body,}, } # set https proxy, if it was provided @@ -1416,7 +1691,7 @@ def alert(self, matches): self.url, data=json.dumps(payload, cls=DateTimeEncoder, ensure_ascii=False), headers=headers, - proxies=proxies + proxies=proxies, ) response.raise_for_status() except RequestException as e: @@ -1448,7 +1723,10 @@ def resolve_formatted_key(self, key, args, matches): def get_incident_key(self, matches): if self.pagerduty_incident_key_args: - incident_key_values = [lookup_es_key(matches[0], arg) for arg in self.pagerduty_incident_key_args] + incident_key_values = [ + lookup_es_key(matches[0], arg) + for arg in self.pagerduty_incident_key_args + ] # Populate values with rule level properties too for i in range(len(incident_key_values)): @@ -1458,18 +1736,23 @@ def get_incident_key(self, matches): incident_key_values[i] = key_value missing = self.rule.get('alert_missing_value', '') - incident_key_values = [missing if val is None else val for val in incident_key_values] + incident_key_values = [ + missing if val is None else val for val in incident_key_values + ] return self.pagerduty_incident_key.format(*incident_key_values) else: return self.pagerduty_incident_key def get_info(self): - return {'type': 'pagerduty', - 'pagerduty_client_name': self.pagerduty_client_name} + return { + 'type': 'pagerduty', + 'pagerduty_client_name': self.pagerduty_client_name, + } class PagerTreeAlerter(Alerter): """ Creates a PagerTree Incident for each alert """ + required_options = frozenset(['pagertree_integration_url']) def __init__(self, rule): @@ -1486,23 +1769,34 @@ def alert(self, matches): "event_type": "create", "Id": str(uuid.uuid4()), "Title": self.create_title(matches), - "Description": self.create_alert_body(matches) + "Description": self.create_alert_body(matches), } try: - response = requests.post(self.url, data=json.dumps(payload, cls=DateTimeEncoder), headers=headers, proxies=proxies) + response = requests.post( + self.url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + proxies=proxies, + ) response.raise_for_status() except RequestException as e: raise EAException("Error posting to PagerTree: %s" % e) elastalert_logger.info("Trigger sent to PagerTree") def get_info(self): - return {'type': 'pagertree', - 'pagertree_integration_url': self.url} + return {'type': 'pagertree', 'pagertree_integration_url': self.url} class ExotelAlerter(Alerter): - required_options = frozenset(['exotel_account_sid', 'exotel_auth_token', 'exotel_to_number', 'exotel_from_number']) + required_options = frozenset( + [ + 'exotel_account_sid', + 'exotel_auth_token', + 'exotel_to_number', + 'exotel_from_number', + ] + ) def __init__(self, rule): super(ExotelAlerter, self).__init__(rule) @@ -1517,11 +1811,19 @@ def alert(self, matches): try: message_body = self.rule['name'] + self.sms_body - response = client.sms(self.rule['exotel_from_number'], self.rule['exotel_to_number'], message_body) + response = client.sms( + self.rule['exotel_from_number'], + self.rule['exotel_to_number'], + message_body, + ) if response != 200: - raise EAException("Error posting to Exotel, response code is %s" % response) + raise EAException( + "Error posting to Exotel, response code is %s" % response + ) except RequestException: - raise EAException("Error posting to Exotel").with_traceback(sys.exc_info()[2]) + raise EAException("Error posting to Exotel").with_traceback( + sys.exc_info()[2] + ) elastalert_logger.info("Trigger sent to Exotel") def get_info(self): @@ -1529,7 +1831,14 @@ def get_info(self): class TwilioAlerter(Alerter): - required_options = frozenset(['twilio_account_sid', 'twilio_auth_token', 'twilio_to_number', 'twilio_from_number']) + required_options = frozenset( + [ + 'twilio_account_sid', + 'twilio_auth_token', + 'twilio_to_number', + 'twilio_from_number', + ] + ) def __init__(self, rule): super(TwilioAlerter, self).__init__(rule) @@ -1542,9 +1851,11 @@ def alert(self, matches): client = TwilioClient(self.twilio_account_sid, self.twilio_auth_token) try: - client.messages.create(body=self.rule['name'], - to=self.twilio_to_number, - from_=self.twilio_from_number) + client.messages.create( + body=self.rule['name'], + to=self.twilio_to_number, + from_=self.twilio_from_number, + ) except TwilioRestException as e: raise EAException("Error posting to twilio: %s" % e) @@ -1552,13 +1863,15 @@ def alert(self, matches): elastalert_logger.info("Trigger sent to Twilio") def get_info(self): - return {'type': 'twilio', - 'twilio_client_name': self.twilio_from_number} + return {'type': 'twilio', 'twilio_client_name': self.twilio_from_number} class VictorOpsAlerter(Alerter): """ Creates a VictorOps Incident for each alert """ - required_options = frozenset(['victorops_api_key', 'victorops_routing_key', 'victorops_message_type']) + + required_options = frozenset( + ['victorops_api_key', 'victorops_routing_key', 'victorops_message_type'] + ) def __init__(self, rule): super(VictorOpsAlerter, self).__init__(rule) @@ -1566,9 +1879,13 @@ def __init__(self, rule): self.victorops_routing_key = self.rule['victorops_routing_key'] self.victorops_message_type = self.rule['victorops_message_type'] self.victorops_entity_id = self.rule.get('victorops_entity_id', None) - self.victorops_entity_display_name = self.rule.get('victorops_entity_display_name', 'no entity display name') - self.url = 'https://alert.victorops.com/integrations/generic/20131114/alert/%s/%s' % ( - self.victorops_api_key, self.victorops_routing_key) + self.victorops_entity_display_name = self.rule.get( + 'victorops_entity_display_name', 'no entity display name' + ) + self.url = ( + 'https://alert.victorops.com/integrations/generic/20131114/alert/%s/%s' + % (self.victorops_api_key, self.victorops_routing_key) + ) self.victorops_proxy = self.rule.get('victorops_proxy', None) def alert(self, matches): @@ -1582,25 +1899,33 @@ def alert(self, matches): "message_type": self.victorops_message_type, "entity_display_name": self.victorops_entity_display_name, "monitoring_tool": "ElastAlert", - "state_message": body + "state_message": body, } if self.victorops_entity_id: payload["entity_id"] = self.victorops_entity_id try: - response = requests.post(self.url, data=json.dumps(payload, cls=DateTimeEncoder), headers=headers, proxies=proxies) + response = requests.post( + self.url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + proxies=proxies, + ) response.raise_for_status() except RequestException as e: raise EAException("Error posting to VictorOps: %s" % e) elastalert_logger.info("Trigger sent to VictorOps") def get_info(self): - return {'type': 'victorops', - 'victorops_routing_key': self.victorops_routing_key} + return { + 'type': 'victorops', + 'victorops_routing_key': self.victorops_routing_key, + } class TelegramAlerter(Alerter): """ Send a Telegram message via bot api for each alert """ + required_options = frozenset(['telegram_bot_token', 'telegram_room_id']) def __init__(self, rule): @@ -1608,7 +1933,11 @@ def __init__(self, rule): self.telegram_bot_token = self.rule['telegram_bot_token'] self.telegram_room_id = self.rule['telegram_room_id'] self.telegram_api_url = self.rule.get('telegram_api_url', 'api.telegram.org') - self.url = 'https://%s/bot%s/%s' % (self.telegram_api_url, self.telegram_bot_token, "sendMessage") + self.url = 'https://%s/bot%s/%s' % ( + self.telegram_api_url, + self.telegram_bot_token, + "sendMessage", + ) self.telegram_proxy = self.rule.get('telegram_proxy', None) self.telegram_proxy_login = self.rule.get('telegram_proxy_login', None) self.telegram_proxy_password = self.rule.get('telegram_proxy_pass', None) @@ -1621,37 +1950,52 @@ def alert(self, matches): if len(matches) > 1: body += '\n----------------------------------------\n' if len(body) > 4095: - body = body[0:4000] + "\n⚠ *message was cropped according to telegram limits!* ⚠" + body = ( + body[0:4000] + + "\n⚠ *message was cropped according to telegram limits!* ⚠" + ) body += ' ```' headers = {'content-type': 'application/json'} # set https proxy, if it was provided proxies = {'https': self.telegram_proxy} if self.telegram_proxy else None - auth = HTTPProxyAuth(self.telegram_proxy_login, self.telegram_proxy_password) if self.telegram_proxy_login else None + auth = ( + HTTPProxyAuth(self.telegram_proxy_login, self.telegram_proxy_password) + if self.telegram_proxy_login + else None + ) payload = { 'chat_id': self.telegram_room_id, 'text': body, 'parse_mode': 'markdown', - 'disable_web_page_preview': True + 'disable_web_page_preview': True, } try: - response = requests.post(self.url, data=json.dumps(payload, cls=DateTimeEncoder), headers=headers, proxies=proxies, auth=auth) + response = requests.post( + self.url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + proxies=proxies, + auth=auth, + ) warnings.resetwarnings() response.raise_for_status() except RequestException as e: - raise EAException("Error posting to Telegram: %s. Details: %s" % (e, "" if e.response is None else e.response.text)) + raise EAException( + "Error posting to Telegram: %s. Details: %s" + % (e, "" if e.response is None else e.response.text) + ) - elastalert_logger.info( - "Alert sent to Telegram room %s" % self.telegram_room_id) + elastalert_logger.info("Alert sent to Telegram room %s" % self.telegram_room_id) def get_info(self): - return {'type': 'telegram', - 'telegram_room_id': self.telegram_room_id} + return {'type': 'telegram', 'telegram_room_id': self.telegram_room_id} class GoogleChatAlerter(Alerter): """ Send a notification via Google Chat webhooks """ + required_options = frozenset(['googlechat_webhook_url']) def __init__(self, rule): @@ -1661,9 +2005,13 @@ def __init__(self, rule): self.googlechat_webhook_url = [self.googlechat_webhook_url] self.googlechat_format = self.rule.get('googlechat_format', 'basic') self.googlechat_header_title = self.rule.get('googlechat_header_title', None) - self.googlechat_header_subtitle = self.rule.get('googlechat_header_subtitle', None) + self.googlechat_header_subtitle = self.rule.get( + 'googlechat_header_subtitle', None + ) self.googlechat_header_image = self.rule.get('googlechat_header_image', None) - self.googlechat_footer_kibanalink = self.rule.get('googlechat_footer_kibanalink', None) + self.googlechat_footer_kibanalink = self.rule.get( + 'googlechat_footer_kibanalink', None + ) def create_header(self): header = None @@ -1671,36 +2019,51 @@ def create_header(self): header = { "title": self.googlechat_header_title, "subtitle": self.googlechat_header_subtitle, - "imageUrl": self.googlechat_header_image + "imageUrl": self.googlechat_header_image, } return header def create_footer(self): footer = None if self.googlechat_footer_kibanalink: - footer = {"widgets": [{ - "buttons": [{ - "textButton": { - "text": "VISIT KIBANA", - "onClick": { - "openLink": { - "url": self.googlechat_footer_kibanalink + footer = { + "widgets": [ + { + "buttons": [ + { + "textButton": { + "text": "VISIT KIBANA", + "onClick": { + "openLink": { + "url": self.googlechat_footer_kibanalink + } + }, + } } - } + ] } - }] - }] + ] } return footer def create_card(self, matches): - card = {"cards": [{ - "sections": [{ - "widgets": [ - {"textParagraph": {"text": self.create_alert_body(matches)}} - ]} - ]} - ]} + card = { + "cards": [ + { + "sections": [ + { + "widgets": [ + { + "textParagraph": { + "text": self.create_alert_body(matches) + } + } + ] + } + ] + } + ] + } # Add the optional header header = self.create_header() @@ -1735,12 +2098,15 @@ def alert(self, matches): elastalert_logger.info("Alert sent to Google Chat!") def get_info(self): - return {'type': 'googlechat', - 'googlechat_webhook_url': self.googlechat_webhook_url} + return { + 'type': 'googlechat', + 'googlechat_webhook_url': self.googlechat_webhook_url, + } class GitterAlerter(Alerter): """ Creates a Gitter activity message for each alert """ + required_options = frozenset(['gitter_webhook_url']) def __init__(self, rule): @@ -1756,37 +2122,41 @@ def alert(self, matches): headers = {'content-type': 'application/json'} # set https proxy, if it was provided proxies = {'https': self.gitter_proxy} if self.gitter_proxy else None - payload = { - 'message': body, - 'level': self.gitter_msg_level - } + payload = {'message': body, 'level': self.gitter_msg_level} try: - response = requests.post(self.gitter_webhook_url, json.dumps(payload, cls=DateTimeEncoder), headers=headers, proxies=proxies) + response = requests.post( + self.gitter_webhook_url, + json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + proxies=proxies, + ) response.raise_for_status() except RequestException as e: raise EAException("Error posting to Gitter: %s" % e) elastalert_logger.info("Alert sent to Gitter") def get_info(self): - return {'type': 'gitter', - 'gitter_webhook_url': self.gitter_webhook_url} + return {'type': 'gitter', 'gitter_webhook_url': self.gitter_webhook_url} class ServiceNowAlerter(Alerter): """ Creates a ServiceNow alert """ - required_options = set([ - 'username', - 'password', - 'servicenow_rest_url', - 'short_description', - 'comments', - 'assignment_group', - 'category', - 'subcategory', - 'cmdb_ci', - 'caller_id' - ]) + + required_options = set( + [ + 'username', + 'password', + 'servicenow_rest_url', + 'short_description', + 'comments', + 'assignment_group', + 'category', + 'subcategory', + 'cmdb_ci', + 'caller_id', + ] + ) def __init__(self, rule): super(ServiceNowAlerter, self).__init__(rule) @@ -1801,7 +2171,7 @@ def alert(self, matches): # Set proper headers headers = { "Content-Type": "application/json", - "Accept": "application/json;charset=utf-8" + "Accept": "application/json;charset=utf-8", } proxies = {'https': self.servicenow_proxy} if self.servicenow_proxy else None payload = { @@ -1812,7 +2182,7 @@ def alert(self, matches): "category": self.rule['category'], "subcategory": self.rule['subcategory'], "cmdb_ci": self.rule['cmdb_ci'], - "caller_id": self.rule["caller_id"] + "caller_id": self.rule["caller_id"], } try: response = requests.post( @@ -1820,7 +2190,7 @@ def alert(self, matches): auth=(self.rule['username'], self.rule['password']), headers=headers, data=json.dumps(payload, cls=DateTimeEncoder), - proxies=proxies + proxies=proxies, ) response.raise_for_status() except RequestException as e: @@ -1828,12 +2198,15 @@ def alert(self, matches): elastalert_logger.info("Alert sent to ServiceNow") def get_info(self): - return {'type': 'ServiceNow', - 'self.servicenow_rest_url': self.servicenow_rest_url} + return { + 'type': 'ServiceNow', + 'self.servicenow_rest_url': self.servicenow_rest_url, + } class AlertaAlerter(Alerter): """ Creates an Alerta event for each alert """ + required_options = frozenset(['alerta_api_url']) def __init__(self, rule): @@ -1866,7 +2239,11 @@ def __init__(self, rule): def alert(self, matches): # Override the resource if requested - if self.use_qk_as_resource and 'query_key' in self.rule and lookup_es_key(matches[0], self.rule['query_key']): + if ( + self.use_qk_as_resource + and 'query_key' in self.rule + and lookup_es_key(matches[0], self.rule['query_key']) + ): self.resource = lookup_es_key(matches[0], self.rule['query_key']) headers = {'content-type': 'application/json'} @@ -1875,7 +2252,9 @@ def alert(self, matches): alerta_payload = self.get_json_payload(matches[0]) try: - response = requests.post(self.url, data=alerta_payload, headers=headers, verify=self.verify_ssl) + response = requests.post( + self.url, data=alerta_payload, headers=headers, verify=self.verify_ssl + ) response.raise_for_status() except RequestException as e: raise EAException("Error posting to Alerta: %s" % e) @@ -1891,8 +2270,7 @@ def create_default_title(self, matches): return title def get_info(self): - return {'type': 'alerta', - 'alerta_url': self.url} + return {'type': 'alerta', 'alerta_url': self.url} def get_json_payload(self, match): """ @@ -1904,10 +2282,20 @@ def get_json_payload(self, match): """ # Using default text and event title if not defined in rule - alerta_text = self.rule['type'].get_match_str([match]) if self.text == '' else resolve_string(self.text, match, self.missing_text) - alerta_event = self.create_default_title([match]) if self.event == '' else resolve_string(self.event, match, self.missing_text) + alerta_text = ( + self.rule['type'].get_match_str([match]) + if self.text == '' + else resolve_string(self.text, match, self.missing_text) + ) + alerta_event = ( + self.create_default_title([match]) + if self.event == '' + else resolve_string(self.event, match, self.missing_text) + ) - match_timestamp = lookup_es_key(match, self.rule.get('timestamp_field', '@timestamp')) + match_timestamp = lookup_es_key( + match, self.rule.get('timestamp_field', '@timestamp') + ) if match_timestamp is None: match_timestamp = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S.%fZ") if self.use_match_timestamp: @@ -1927,11 +2315,28 @@ def get_json_payload(self, match): 'event': alerta_event, 'text': alerta_text, 'value': resolve_string(self.value, match, self.missing_text), - 'service': [resolve_string(a_service, match, self.missing_text) for a_service in self.service], - 'tags': [resolve_string(a_tag, match, self.missing_text) for a_tag in self.tags], - 'correlate': [resolve_string(an_event, match, self.missing_text) for an_event in self.correlate], - 'attributes': dict(list(zip(self.attributes_keys, - [resolve_string(a_value, match, self.missing_text) for a_value in self.attributes_values]))), + 'service': [ + resolve_string(a_service, match, self.missing_text) + for a_service in self.service + ], + 'tags': [ + resolve_string(a_tag, match, self.missing_text) for a_tag in self.tags + ], + 'correlate': [ + resolve_string(an_event, match, self.missing_text) + for an_event in self.correlate + ], + 'attributes': dict( + list( + zip( + self.attributes_keys, + [ + resolve_string(a_value, match, self.missing_text) + for a_value in self.attributes_values + ], + ) + ) + ), 'rawData': self.create_alert_body([match]), } @@ -1954,7 +2359,9 @@ def __init__(self, rule): self.post_proxy = self.rule.get('http_post_proxy') self.post_payload = self.rule.get('http_post_payload', {}) self.post_static_payload = self.rule.get('http_post_static_payload', {}) - self.post_all_values = self.rule.get('http_post_all_values', not self.post_payload) + self.post_all_values = self.rule.get( + 'http_post_all_values', not self.post_payload + ) self.post_http_headers = self.rule.get('http_post_headers', {}) self.timeout = self.rule.get('http_post_timeout', 10) @@ -1967,22 +2374,83 @@ def alert(self, matches): payload[post_key] = lookup_es_key(match, es_key) headers = { "Content-Type": "application/json", - "Accept": "application/json;charset=utf-8" + "Accept": "application/json;charset=utf-8", } headers.update(self.post_http_headers) proxies = {'https': self.post_proxy} if self.post_proxy else None for url in self.post_url: try: - response = requests.post(url, data=json.dumps(payload, cls=DateTimeEncoder), - headers=headers, proxies=proxies, timeout=self.timeout) + response = requests.post( + url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + proxies=proxies, + timeout=self.timeout, + ) response.raise_for_status() except RequestException as e: raise EAException("Error posting HTTP Post alert: %s" % e) elastalert_logger.info("HTTP Post alert sent.") def get_info(self): - return {'type': 'http_post', - 'http_post_webhook_url': self.post_url} + return {'type': 'http_post', 'http_post_webhook_url': self.post_url} + + +class HTTPPostJWTAlerter(Alerter): + """ Requested elasticsearch indices are sent by HTTP POST. Encoded with JSON and ecrypted with JWT. """ + + def __init__(self, rule): + super(HTTPPostJWTAlerter, self).__init__(rule) + post_url = self.rule.get('http_post_url') + self.post_jwt_key = self.rule.get('http_post_jwt_key') + self.post_jwt_algorithm = self.rule.get('http_post_jwt_algorithm') + if isinstance(post_url, str): + post_url = [post_url] + self.post_url = post_url + self.post_proxy = self.rule.get('http_post_proxy') + self.post_payload = self.rule.get('http_post_payload', {}) + self.post_static_payload = self.rule.get('http_post_static_payload', {}) + self.post_all_values = self.rule.get( + 'http_post_all_values', not self.post_payload + ) + self.post_http_headers = self.rule.get('http_post_headers', {}) + self.timeout = self.rule.get('http_post_timeout', 10) + + def alert(self, matches): + """ Each match will trigger a POST to the specified endpoint(s). """ + for match in matches: + payload = match if self.post_all_values else {} + payload.update(self.post_static_payload) + for post_key, es_key in list(self.post_payload.items()): + payload[post_key] = lookup_es_key(match, es_key) + headers = { + "Content-Type": "application/jwt", + "Accept": "application/jwt;charset=utf-8", + } + headers.update(self.post_http_headers) + proxies = {'https': self.post_proxy} if self.post_proxy else None + for url in self.post_url: + try: + """Encode payload using JWT""" + JWT_encode_payload = jwt.encode( + json.loads(json.dumps(payload, cls=DateTimeEncoder)), + self.post_jwt_key, + algorithm=self.post_jwt_algorithm, + ) + response = requests.post( + url, + data=JWT_encode_payload, + headers=headers, + proxies=proxies, + timeout=self.timeout, + ) + response.raise_for_status() + except RequestException as e: + raise EAException("Error posting HTTP JWT Post alert: %s" % e) + elastalert_logger.info("HTTP JWT Post alert sent.") + + def get_info(self): + return {'type': 'http_post', 'http_post_webhook_url': self.post_url} class StrideHTMLParser(HTMLParser): @@ -2021,7 +2489,8 @@ class StrideAlerter(Alerter): """ Creates a Stride conversation message for each alert """ required_options = frozenset( - ['stride_access_token', 'stride_cloud_id', 'stride_conversation_id']) + ['stride_access_token', 'stride_cloud_id', 'stride_conversation_id'] + ) def __init__(self, rule): super(StrideAlerter, self).__init__(rule) @@ -2032,7 +2501,9 @@ def __init__(self, rule): self.stride_ignore_ssl_errors = self.rule.get('stride_ignore_ssl_errors', False) self.stride_proxy = self.rule.get('stride_proxy', None) self.url = 'https://api.atlassian.com/site/%s/conversation/%s/message' % ( - self.stride_cloud_id, self.stride_conversation_id) + self.stride_cloud_id, + self.stride_conversation_id, + ) def alert(self, matches): body = self.create_alert_body(matches).strip() @@ -2044,7 +2515,7 @@ def alert(self, matches): # Post to Stride headers = { 'content-type': 'application/json', - 'Authorization': 'Bearer {}'.format(self.stride_access_token) + 'Authorization': 'Bearer {}'.format(self.stride_access_token), } # set https proxy, if it was provided @@ -2052,34 +2523,49 @@ def alert(self, matches): # build stride json payload # https://developer.atlassian.com/cloud/stride/apis/document/structure/ - payload = {'body': {'version': 1, 'type': "doc", 'content': [ - {'type': "panel", 'attrs': {'panelType': "warning"}, 'content': [ - {'type': 'paragraph', 'content': parser.content} - ]} - ]}} + payload = { + 'body': { + 'version': 1, + 'type': "doc", + 'content': [ + { + 'type': "panel", + 'attrs': {'panelType': "warning"}, + 'content': [{'type': 'paragraph', 'content': parser.content}], + } + ], + } + } try: if self.stride_ignore_ssl_errors: requests.packages.urllib3.disable_warnings() response = requests.post( - self.url, data=json.dumps(payload, cls=DateTimeEncoder), - headers=headers, verify=not self.stride_ignore_ssl_errors, - proxies=proxies) + self.url, + data=json.dumps(payload, cls=DateTimeEncoder), + headers=headers, + verify=not self.stride_ignore_ssl_errors, + proxies=proxies, + ) warnings.resetwarnings() response.raise_for_status() except RequestException as e: raise EAException("Error posting to Stride: %s" % e) elastalert_logger.info( - "Alert sent to Stride conversation %s" % self.stride_conversation_id) + "Alert sent to Stride conversation %s" % self.stride_conversation_id + ) def get_info(self): - return {'type': 'stride', - 'stride_cloud_id': self.stride_cloud_id, - 'stride_converstation_id': self.stride_converstation_id} + return { + 'type': 'stride', + 'stride_cloud_id': self.stride_cloud_id, + 'stride_converstation_id': self.stride_converstation_id, + } class LineNotifyAlerter(Alerter): """ Created a Line Notify for each alert """ + required_option = frozenset(["linenotify_access_token"]) def __init__(self, rule): @@ -2091,20 +2577,23 @@ def alert(self, matches): # post to Line Notify headers = { "Content-Type": "application/x-www-form-urlencoded", - "Authorization": "Bearer {}".format(self.linenotify_access_token) - } - payload = { - "message": body + "Authorization": "Bearer {}".format(self.linenotify_access_token), } + payload = {"message": body} try: - response = requests.post("https://notify-api.line.me/api/notify", data=payload, headers=headers) + response = requests.post( + "https://notify-api.line.me/api/notify", data=payload, headers=headers + ) response.raise_for_status() except RequestException as e: raise EAException("Error posting to Line Notify: %s" % e) elastalert_logger.info("Alert sent to Line Notify") def get_info(self): - return {"type": "linenotify", "linenotify_access_token": self.linenotify_access_token} + return { + "type": "linenotify", + "linenotify_access_token": self.linenotify_access_token, + } class HiveAlerter(Alerter): @@ -2125,16 +2614,33 @@ def alert(self, matches): for mapping in self.rule.get('hive_observable_data_mapping', []): for observable_type, match_data_key in mapping.items(): try: - match_data_keys = re.findall(r'\{match\[([^\]]*)\]', match_data_key) - rule_data_keys = re.findall(r'\{rule\[([^\]]*)\]', match_data_key) + match_data_keys = re.findall( + r'\{match\[([^\]]*)\]', match_data_key + ) + rule_data_keys = re.findall( + r'\{rule\[([^\]]*)\]', match_data_key + ) data_keys = match_data_keys + rule_data_keys - context_keys = list(context['match'].keys()) + list(context['rule'].keys()) - if all([True if k in context_keys else False for k in data_keys]): - artifact = {'tlp': 2, 'tags': [], 'message': None, 'dataType': observable_type, - 'data': match_data_key.format(**context)} + context_keys = list(context['match'].keys()) + list( + context['rule'].keys() + ) + if all( + [True if k in context_keys else False for k in data_keys] + ): + artifact = { + 'tlp': 2, + 'tags': [], + 'message': None, + 'dataType': observable_type, + 'data': match_data_key.format(**context), + } artifacts.append(artifact) except KeyError: - raise KeyError('\nformat string\n{}\nmatch data\n{}'.format(match_data_key, context)) + raise KeyError( + '\nformat string\n{}\nmatch data\n{}'.format( + match_data_key, context + ) + ) alert_config = { 'artifacts': artifacts, @@ -2142,7 +2648,7 @@ def alert(self, matches): 'customFields': {}, 'caseTemplate': None, 'title': '{rule[index]}_{rule[name]}'.format(**context), - 'date': int(time.time()) * 1000 + 'date': int(time.time()) * 1000, } alert_config.update(self.rule.get('hive_alert_config', {})) custom_fields = {} @@ -2150,11 +2656,16 @@ def alert(self, matches): if alert_config_field == 'customFields': n = 0 for cf_key, cf_value in alert_config_value.items(): - cf = {'order': n, cf_value['type']: cf_value['value'].format(**context)} + cf = { + 'order': n, + cf_value['type']: cf_value['value'].format(**context), + } n += 1 custom_fields[cf_key] = cf elif isinstance(alert_config_value, str): - alert_config[alert_config_field] = alert_config_value.format(**context) + alert_config[alert_config_field] = alert_config_value.format( + **context + ) elif isinstance(alert_config_value, (list, tuple)): formatted_list = [] for element in alert_config_value: @@ -2167,18 +2678,31 @@ def alert(self, matches): alert_config['customFields'] = custom_fields alert_body = json.dumps(alert_config, indent=4, sort_keys=True) - req = '{}:{}/api/alert'.format(connection_details['hive_host'], connection_details['hive_port']) - headers = {'Content-Type': 'application/json', 'Authorization': 'Bearer {}'.format(connection_details.get('hive_apikey', ''))} + req = '{}:{}/api/alert'.format( + connection_details['hive_host'], connection_details['hive_port'] + ) + headers = { + 'Content-Type': 'application/json', + 'Authorization': 'Bearer {}'.format( + connection_details.get('hive_apikey', '') + ), + } proxies = connection_details.get('hive_proxies', {'http': '', 'https': ''}) verify = connection_details.get('hive_verify', False) - response = requests.post(req, headers=headers, data=alert_body, proxies=proxies, verify=verify) + response = requests.post( + req, headers=headers, data=alert_body, proxies=proxies, verify=verify + ) if response.status_code != 201: - raise Exception('alert not successfully created in TheHive\n{}'.format(response.text)) + raise Exception( + 'alert not successfully created in TheHive\n{}'.format( + response.text + ) + ) def get_info(self): return { 'type': 'hivealerter', - 'hive_host': self.rule.get('hive_connection', {}).get('hive_host', '') + 'hive_host': self.rule.get('hive_connection', {}).get('hive_host', ''), } diff --git a/elastalert/loaders.py b/elastalert/loaders.py index 771194768..6989c02b2 100644 --- a/elastalert/loaders.py +++ b/elastalert/loaders.py @@ -77,6 +77,7 @@ class RulesLoader(object): 'servicenow': alerts.ServiceNowAlerter, 'alerta': alerts.AlertaAlerter, 'post': alerts.HTTPPostAlerter, + 'jwt_post': alerts.HTTPPostJWTAlerter, 'hivealerter': alerts.HiveAlerter } diff --git a/setup.py b/setup.py index 30ef9495f..71afc087c 100644 --- a/setup.py +++ b/setup.py @@ -48,6 +48,7 @@ 'texttable>=0.8.8', 'twilio>=6.0.0,<6.1', 'python-magic>=0.4.15', - 'cffi>=1.11.5' + 'cffi>=1.11.5', + 'PyJWT==1.7.1' ] ) From 3456723fc026cd8b1a4a8c390bfec1e9c3071a6d Mon Sep 17 00:00:00 2001 From: skyghost2210 Date: Tue, 18 Aug 2020 16:46:34 +0700 Subject: [PATCH 2/3] Fix typo --- elastalert/alerts.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/elastalert/alerts.py b/elastalert/alerts.py index 8749e5d4e..55331e333 100644 --- a/elastalert/alerts.py +++ b/elastalert/alerts.py @@ -1666,7 +1666,7 @@ def alert(self, matches): matches, ), 'summary': self.create_title(matches), - 'custom_details': {'information': body,}, + 'custom_details': {'information': body, }, }, } match_timestamp = lookup_es_key( @@ -1681,7 +1681,7 @@ def alert(self, matches): 'event_type': self.pagerduty_event_type, 'incident_key': self.get_incident_key(matches), 'client': self.pagerduty_client_name, - 'details': {"information": body,}, + 'details': {"information": body, }, } # set https proxy, if it was provided @@ -2397,7 +2397,7 @@ def get_info(self): class HTTPPostJWTAlerter(Alerter): - """ Requested elasticsearch indices are sent by HTTP POST. Encoded with JSON and ecrypted with JWT. """ + """ Requested elasticsearch indices are sent by HTTP POST. Encoded with JSON. """ def __init__(self, rule): super(HTTPPostJWTAlerter, self).__init__(rule) From 1d5a57bf011d06ccbb073232204072dc36ce2115 Mon Sep 17 00:00:00 2001 From: skyghost2210 <63850695+skyghost2210@users.noreply.github.com> Date: Thu, 7 Jan 2021 19:47:49 +0700 Subject: [PATCH 3/3] Update requirements.txt add PyJWT to requirements.txt --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index c66ca8d79..9580af7c4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -21,3 +21,4 @@ requests>=2.0.0 stomp.py>=4.1.17 texttable>=0.8.8 twilio==6.0.0 +PyJWT==1.7.1