- Constants
- type ActionType
- type Alert
- func (a *Alert) GetMetadata(key string) string
- func (a *Alert) GuarddutyMarkdownFormat() string
- func (a *Alert) IsStatus(s string) bool
- func (a *Alert) MarkdownFormat() string
- func (a *Alert) OlderThan(dur time.Duration) bool
- func (a *Alert) PrettyPrint() string
- func (a *Alert) SetMetadata(key, value string)
- type AlertMeta
- type BugResp
- type BugzillaClient
- func (bc *BugzillaClient) AddAlertsToBug(bugId int, alerts []*Alert) error
- func (bc *BugzillaClient) CreateBugFromAlerts(assignedTo, category string, alerts []*Alert) (int, error)
- func (bc *BugzillaClient) CreateDefaultBugzillaRequest(method string, url string, body io.Reader) (*http.Request, error)
- func (bc *BugzillaClient) SearchBugs(searchValues url.Values) (*SearchBugResponse, error)
- func (bc *BugzillaClient) UpdateBug(bugId int, updateReq *UpdateBugReq) error
- type BugzillaConfig
- type BugzillaErrorResponse
- type Configuration
- type CreateBug
- type CreateComment
- type DBClient
- func (db *DBClient) Close() error
- func (db *DBClient) DeleteAlert(ctx context.Context, alert *Alert) error
- func (db *DBClient) DeleteExemptedObject(ctx context.Context, ExemptedObject *ExemptedObject) error
- func (db *DBClient) ExemptedObjectKey(exemptedObj *ExemptedObject) *datastore.Key
- func (db *DBClient) GetAlert(ctx context.Context, alertId string) (*Alert, error)
- func (db *DBClient) GetAllAlerts(ctx context.Context) ([]*Alert, error)
- func (db *DBClient) GetAllExemptedObjects(ctx context.Context) ([]*ExemptedObject, error)
- func (db *DBClient) RemoveAlertsOlderThan(ctx context.Context, timeAgo time.Duration) error
- func (db *DBClient) RemoveExpiredExemptedObjects(ctx context.Context) error
- func (db *DBClient) SaveAlert(ctx context.Context, alert *Alert) error
- func (db *DBClient) SaveExemptedObject(ctx context.Context, ExemptedObject *ExemptedObject) error
- type EscalationMailer
- type ExemptedObject
- type InteractionData
- type IprepdInstance
- type KMSClient
- type SESClient
- type SearchBug
- type SearchBugResponse
- type SlashCommandData
- type StateField
- type TriggerData
- type UpdateBugReq
Constants ¶
// Alert lifecycle status values (compare with (*Alert).IsStatus) and the
// metadata key that names an escalation target. Note that ESCALATE_TO has the
// same value as META_ESCALATE_TO declared below; they are interchangeable.
const (
	ALERT_NEW          = "NEW"
	ALERT_ACKNOWLEDGED = "ACKNOWLEDGED"
	ALERT_ESCALATED    = "ESCALATED"
	ESCALATE_TO        = "escalate_to"
)
// Keys of Alert metadata entries. Each value is the literal key string read
// and written through (*Alert).GetMetadata and (*Alert).SetMetadata; use these
// constants rather than repeating the strings so that producers and consumers
// of an alert cannot drift apart on spelling.
//
// The list is alphabetical except for META_SOURCEADDRESS and
// META_SOURCEADDRESS_PREVIOUS, which were appended at the end.
const (
	META_ADDON_FILENAME = "addon_filename"
	META_ADDON_FROM_API = "addon_from_api"
	META_ADDON_GUID = "addon_guid"
	META_ADDON_ID = "addon_id"
	META_ADDON_SIZE = "addon_size"
	META_ADDON_UPLOAD_HASH = "addon_upload_hash"
	META_ADDON_USER_ID = "addon_user_id"
	META_ADDON_VERSION = "addon_version"
	META_ALERT_HANDLING_SEVERITY = "alert_handling_severity"
	META_ALERT_NOTIFICATION_TYPE = "alert_notification_type"
	// Note the value is "category", not "alert_subcategory_field".
	META_ALERT_SUBCATEGORY_FIELD = "category"
	META_ALERTIO_IGNORE_EVENT = "alertio_ignore_event"
	META_AUTH_ALERT_TYPE = "auth_alert_type"
	META_AWS_ACCOUNT_ID = "aws_account_id"
	META_AWS_ACCOUNT_NAME = "aws_account_name"
	META_AWS_REGION = "aws_region"
	META_BYTES = "bytes"
	META_COUNT = "count"
	META_DESCRIPTION = "description"
	META_DOC_LINK = "doc_link"
	META_EMAIL = "email"
	META_EMAIL_CONTACT = "email_contact"
	META_EMAIL_SIMILAR = "email_similar"
	META_END = "end"
	META_ENDPOINT = "endpoint"
	META_ENDPOINT_PATTERN = "endpoint_pattern"
	META_ENTRY_KEY = "entry_key"
	META_ERROR_COUNT = "error_count"
	META_ERROR_THRESHOLD = "error_threshold"
	// Same value as the top-level ESCALATE_TO constant.
	META_ESCALATE_TO = "escalate_to"
	META_EVENT_TIMESTAMP = "event_timestamp"
	META_EVENT_TIMESTAMP_SOURCE_LOCAL = "event_timestamp_source_local"
	META_FINDING_ID = "finding_id"
	META_FINDING_TYPE = "finding_type"
	META_IDENTITY_KEY = "identity_key"
	META_IDENTITY_UNTRACKED = "identity_untracked"
	META_INDICATOR = "indicator"
	META_INSTANCE_NAME = "instance_name"
	META_IPREPD_EXEMPT = "iprepd_exempt"
	META_IPREPD_EXEMPT_CREATED_BY = "iprepd_exempt_created_by"
	META_IPREPD_SUPPRESS_RECOVERY = "iprepd_suppress_recovery"
	META_KM_DISTANCE = "km_distance"
	META_MATCHED_METADATA_KEY = "matched_metadata_key"
	META_MATCHED_METADATA_VALUE = "matched_metadata_value"
	META_MATCHED_OBJECT = "matched_object"
	META_MATCHED_TYPE = "matched_type"
	META_MEAN = "mean"
	META_METHOD = "method"
	META_MONITORED_RESOURCE = "monitored_resource"
	META_NOTIFY_EMAIL_DIRECT = "notify_email_direct"
	META_NOTIFY_MERGE = "notify_merge"
	META_NOTIFY_MERGED_COUNT = "notify_merged_count"
	META_NOTIFY_SLACK_DIRECT = "notify_slack_direct"
	META_NOTIFY_SLACK_SUPPLEMENTARY = "notify_slack_supplementary"
	META_OBJECT = "object"
	META_PROJECT_ID = "project_id"
	META_PROJECT_NUMBER = "project_number"
	META_PROVIDER = "provider"
	META_REAL_ADDRESS_HASH_ACTUAL = "real_address_hash_actual"
	META_REAL_ADDRESS_HASH_EXPECTED = "real_address_hash_expected"
	META_REFERENCE_ID = "reference_id"
	META_REQUEST_THRESHOLD = "request_threshold"
	META_RESOURCE = "resource"
	META_RESTRICTED_VALUE = "restricted_value"
	META_RULE_NAME = "rule_name"
	META_SLACK_SUPPLEMENTARY_MESSAGE = "slack_supplementary_message"
	META_SOURCE_ALERT = "source_alert"
	META_SOURCEADDRESS_AS_ORG = "sourceaddress_as_org"
	META_SOURCEADDRESS_ASN = "sourceaddress_asn"
	META_SOURCEADDRESS_CITY = "sourceaddress_city"
	META_SOURCEADDRESS_COUNTRY = "sourceaddress_country"
	META_SOURCEADDRESS_IS_ANONYMOUS = "sourceaddress_is_anonymous"
	META_SOURCEADDRESS_IS_ANONYMOUS_VPN = "sourceaddress_is_anonymous_vpn"
	META_SOURCEADDRESS_IS_HOSTING_PROVIDER = "sourceaddress_is_hosting_provider"
	META_SOURCEADDRESS_IS_LEGITIMATE_PROXY = "sourceaddress_is_legitimate_proxy"
	META_SOURCEADDRESS_IS_PUBLIC_PROXY = "sourceaddress_is_public_proxy"
	META_SOURCEADDRESS_IS_TOR_EXIT_NODE = "sourceaddress_is_tor_exit_node"
	META_SOURCEADDRESS_ISP = "sourceaddress_isp"
	META_SOURCEADDRESS_PREVIOUS_AS_ORG = "sourceaddress_previous_as_org"
	META_SOURCEADDRESS_PREVIOUS_ASN = "sourceaddress_previous_asn"
	META_SOURCEADDRESS_PREVIOUS_CITY = "sourceaddress_previous_city"
	META_SOURCEADDRESS_PREVIOUS_COUNTRY = "sourceaddress_previous_country"
	META_SOURCEADDRESS_PREVIOUS_ISP = "sourceaddress_previous_isp"
	META_SOURCEADDRESS_RISKSCORE = "sourceaddress_riskscore"
	META_SOURCEADDRESS_TIMEZONE = "sourceaddress_timezone"
	META_SOURCEADDRESSES = "sourceaddresses"
	META_START = "start"
	META_STATE_ACTION_TYPE = "state_action_type"
	META_STATUS = "status"
	META_TECHNIQUE = "technique"
	META_TEMPLATE_NAME_EMAIL = "template_name_email"
	META_TEMPLATE_NAME_SLACK = "template_name_slack"
	META_TEMPLATE_NAME_SLACK_CATCHALL = "template_name_slack_catchall"
	META_THRESHOLD = "threshold"
	META_THRESHOLD_MODIFIER = "threshold_modifier"
	META_TIME_DELTA_SECONDS = "time_delta_seconds"
	META_TOTAL_ADDRESS_COUNT = "total_address_count"
	META_TOTAL_ALERT_COUNT = "total_alert_count"
	META_UID = "uid"
	META_USERAGENT = "useragent"
	META_USERNAME = "username"
	META_URL_TO_FINDING = "url_to_finding"
	META_WATCHLIST_CREATED_BY = "watchlist_created_by"
	META_WINDOW_TIMESTAMP = "window_timestamp"
	META_SOURCEADDRESS = "sourceaddress"
	META_SOURCEADDRESS_PREVIOUS = "sourceaddress_previous"
)
// Storage namespaces used by DBClient for alerts and exempted objects.
// ALERT_KIND is deliberately the same string as ALERT_NAMESPACE.
const (
	ALERT_NAMESPACE        = "alerts"
	ALERT_KIND             = ALERT_NAMESPACE
	EXEMPTED_OBJ_NAMESPACE = "exempted_object"
)
// Object type labels; presumably the values carried in ExemptedObject.Type
// (an exemption is keyed by either an IP address or an email address).
const (
	IP_TYPE    = "ip"
	EMAIL_TYPE = "email"
)
// ASSIGNED is a Bugzilla bug status value; see also REOPENED and
// UpdateBugReq.Status.
const ASSIGNED = "ASSIGNED"
// EMAIL_CHAR_SET is the character set declared on outgoing emails (used by the
// SES-backed EscalationMailer implementation).
const (
	EMAIL_CHAR_SET = "UTF-8"
)
// REOPENED is a Bugzilla bug status value; see also ASSIGNED and
// UpdateBugReq.Status.
const REOPENED = "REOPENED"
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ActionType ¶
// ActionType identifies what triggered a slackbot invocation and selects which
// part of TriggerData is populated.
type ActionType string

// Supported ActionType values. SlashCommand and Interaction carry a payload in
// TriggerData.SlashCommand / TriggerData.Interaction respectively; ScheduledTask
// has no dedicated payload field in TriggerData.
const (
	SlashCommand  ActionType = "slash_command"
	Interaction   ActionType = "interaction"
	ScheduledTask ActionType = "scheduled_task"
)
type Alert ¶
// Alert is a single pipeline alert as stored by DBClient and rendered by the
// MarkdownFormat / GuarddutyMarkdownFormat / PrettyPrint helpers.
//
// Metadata is an ordered list of key/value entries accessed through
// GetMetadata and SetMetadata; the META_* constants name the keys in use.
// Summary, Payload and metadata values originate outside this package and are
// interpolated into Bugzilla comments and Slack/Markdown output, so renderers
// should treat them as untrusted text.
type Alert struct {
	Id       string `json:"id"`
	Severity string `json:"severity"`
	Category string `json:"category"`
	Summary  string `json:"summary"`
	// Payload is the alert body as an opaque string; its format is not
	// defined here.
	Payload   string       `json:"payload"`
	Metadata  []*AlertMeta `json:"metadata"`
	Timestamp time.Time    `json:"timestamp"`
}
func StateToAlert ¶
func StateToAlert(sf *StateField) (*Alert, error)
func (*Alert) GetMetadata ¶
func (*Alert) GuarddutyMarkdownFormat ¶
Used by `bugzilla-alert-manager` to format GuardDuty alerts within a Bugzilla bug description or comment.
Example of output:
#### Core Alert Info
Finding Type: <>
Finding URL: <>
Finding ID: <>
AWS Account Name: <>
AWS Account ID: <>
Finding Description: <>
#### Fraud Pipeline Info
Id: <>
Summary: <>
Severity: <>
Category: <>
Timestamp: <>
### Metadata
....
func (*Alert) MarkdownFormat ¶
func (*Alert) PrettyPrint ¶
func (*Alert) SetMetadata ¶
type BugzillaClient ¶
// BugzillaClient talks to a Bugzilla instance at Url using the credentials and
// defaults held in Config. Construct it with NewBugzillaClient; the request
// plumbing shared by its methods lives in CreateDefaultBugzillaRequest.
type BugzillaClient struct {
	Config BugzillaConfig
	// Url is the base URL of the Bugzilla API.
	Url string
}
func NewBugzillaClient ¶
func NewBugzillaClient(c BugzillaConfig, url string) *BugzillaClient
func (*BugzillaClient) AddAlertsToBug ¶
func (bc *BugzillaClient) AddAlertsToBug(bugId int, alerts []*Alert) error
func (*BugzillaClient) CreateBugFromAlerts ¶
func (bc *BugzillaClient) CreateBugFromAlerts(assignedTo, category string, alerts []*Alert) (int, error)
func (*BugzillaClient) CreateDefaultBugzillaRequest ¶
func (*BugzillaClient) SearchBugs ¶
func (bc *BugzillaClient) SearchBugs(searchValues url.Values) (*SearchBugResponse, error)
func (*BugzillaClient) UpdateBug ¶
func (bc *BugzillaClient) UpdateBug(bugId int, updateReq *UpdateBugReq) error
type BugzillaConfig ¶
type BugzillaErrorResponse ¶
type Configuration ¶
// Configuration is a generic config structure for lambda functions and cloud
// functions. LoadFrom populates it from a YAML file on local disk or in GCS,
// decrypting the file first if it is sops-encrypted.
//
// Many fields hold credentials (AwsSecretAccessKey, SlackAuthToken,
// SlackSigningSecret, PersonsClientSecret, Auth0ClientSecret,
// PagerdutyAuthToken, DuoIntegrationKey, DuoSecretKey, PapertrailApiToken).
// Keep the source file encrypted at rest and avoid logging or dumping the
// whole struct (e.g. with %+v), which would leak them.
type Configuration struct {
	Environment string `yaml:"env,omitempty"`

	// GCP / AWS settings.
	GCPProjectId       string `yaml:"gcp_project_id"`
	AwsAccessKeyId     string `yaml:"aws_access_key_id"`
	AwsSecretAccessKey string `yaml:"aws_secret_access_key"`
	AwsRegion          string `yaml:"aws_region"`

	// Email escalation settings (see EscalationMailer / SESClient).
	SesSenderEmail         string        `yaml:"ses_sender_email"`
	DefaultEscalationEmail string        `yaml:"default_escalation_email"`
	AlertEscalationTTL     time.Duration `yaml:"alert_escalation_ttl"`
	EmergencyCcEmail       string        `yaml:"emergency_cc_email"`

	// Slack settings. SlackSigningSecret is presumably used to verify
	// incoming Slack request signatures — confirm against the handler.
	SlackAuthToken           string `yaml:"slack_auth_token"`
	SlackChannelId           string `yaml:"slack_channel_id"`
	SlackSigningSecret       string `yaml:"slack_signing_secret"`
	SlackbotTriggerTopicName string `yaml:"slackbot_trigger_topic_name"`

	// Persons API / LDAP authorization settings.
	PersonsClientId     string   `yaml:"persons_client_id"`
	PersonsClientSecret string   `yaml:"persons_client_secret"`
	PersonsBaseURL      string   `yaml:"persons_base_url"`
	PersonsAuth0URL     string   `yaml:"persons_auth0_url"`
	AllowedLDAPGroups   []string `yaml:"allowed_ldap_groups"`

	IprepdInstances []IprepdInstance `yaml:"iprepd_instances"`

	// Auth0 settings.
	Auth0Domain       string `yaml:"auth0_domain"`
	Auth0ClientId     string `yaml:"auth0_client_id"`
	Auth0ClientSecret string `yaml:"auth0_client_secret"`

	// PagerDuty settings.
	PagerdutyAuthToken            string `yaml:"pagerduty_auth_token"`
	PagerdutyTicketDutyScheduleId string `yaml:"pagerduty_ticket_duty_schedule_id"`

	BugzillaConfig BugzillaConfig `yaml:"bugzilla_config"`

	// Duo settings.
	DuoAPIHost        string `yaml:"duo_api_host"`
	DuoIntegrationKey string `yaml:"duo_integration_key"`
	DuoSecretKey      string `yaml:"duo_secret_key"`

	// Papertrail settings.
	PapertrailApiToken string `yaml:"papertrail_api_token"`
	PapertrailQuery    string `yaml:"papertrail_query"`
}
Configuration is a generic config structure for lambda functions and cloud functions. The LoadFrom function loads a YAML file from either a local file or from GCS. If the file is encrypted with sops, LoadFrom decrypts it.
func (*Configuration) LoadFrom ¶
func (c *Configuration) LoadFrom(path string) error
type CreateBug ¶
// CreateBug is the JSON request body sent to Bugzilla to open a new bug; it
// is presumably what CreateBugFromAlerts builds. Field names follow the
// Bugzilla REST "create bug" parameters. Groups lists the Bugzilla groups the
// bug is placed in, which controls who can view it — alert content should not
// be filed without an appropriate restricting group.
type CreateBug struct {
	Product     string   `json:"product"`
	Version     string   `json:"version"`
	Component   string   `json:"component"`
	Summary     string   `json:"summary"`
	Alias       string   `json:"alias"`
	Description string   `json:"description"`
	AssignedTo  string   `json:"assigned_to"`
	Blocks      string   `json:"blocks"`
	Type        string   `json:"type"`
	Groups      []string `json:"groups"`
	Whiteboard  string   `json:"whiteboard"`
}
type CreateComment ¶
type DBClient ¶
// DBClient persists alerts and exempted objects. ExemptedObjectKey returns a
// *datastore.Key, so the backing store is Cloud Datastore; the client must be
// released with Close. Alerts are stored under ALERT_NAMESPACE and exempted
// objects under EXEMPTED_OBJ_NAMESPACE.
type DBClient struct {
	// contains filtered or unexported fields
}
func (*DBClient) DeleteAlert ¶
func (*DBClient) DeleteExemptedObject ¶
func (db *DBClient) DeleteExemptedObject(ctx context.Context, ExemptedObject *ExemptedObject) error
func (*DBClient) ExemptedObjectKey ¶
func (db *DBClient) ExemptedObjectKey(exemptedObj *ExemptedObject) *datastore.Key
func (*DBClient) GetAllAlerts ¶
func (*DBClient) GetAllExemptedObjects ¶
func (db *DBClient) GetAllExemptedObjects(ctx context.Context) ([]*ExemptedObject, error)
func (*DBClient) RemoveAlertsOlderThan ¶
func (*DBClient) RemoveExpiredExemptedObjects ¶
func (*DBClient) SaveExemptedObject ¶
func (db *DBClient) SaveExemptedObject(ctx context.Context, ExemptedObject *ExemptedObject) error
type EscalationMailer ¶
// EscalationMailer formats and sends the emails needed for notifications.
// SESClient is the implementation provided by this package.
type EscalationMailer interface {
	// SendEscalationEmail sends a notification about an alert that needs to be
	// escalated.
	SendEscalationEmail(alert *Alert) error
	// Send911Email sends an emergency message (as submitted by a Slack slash
	// command) to the default escalation address, copying ccAddress.
	// caller and msg are user-supplied and should be treated as such when
	// composing the mail.
	Send911Email(caller string, ccAddress string, msg string) error
	// DefaultEscalationEmail returns the address escalation emails go to.
	DefaultEscalationEmail() string
}
EscalationMailer formats and sends the emails needed for notifications.
type ExemptedObject ¶
// ExemptedObject records an object (an IP or email address — see IP_TYPE and
// EMAIL_TYPE) that is temporarily exempt from reputation handling. ExpiresAt
// bounds the exemption (see IsExpired and DBClient.RemoveExpiredExemptedObjects)
// and CreatedBy records who granted it, which is the audit trail for the
// exemption.
type ExemptedObject struct {
	Object    string    `json:"object"`
	Type      string    `json:"type"`
	ExpiresAt time.Time `json:"expires_at"`
	CreatedBy string    `json:"created_by"`
}
func NewExemptedObject ¶
func StateToExemptedObject ¶
func StateToExemptedObject(sf *StateField) (*ExemptedObject, error)
func (*ExemptedObject) IsExpired ¶
func (eo *ExemptedObject) IsExpired() bool
type InteractionData ¶
type IprepdInstance ¶
type KMSClient ¶
// KMSClient decrypts KMS-encrypted values; see DecryptEnvVar. Construct it
// with NewKMSClient.
type KMSClient struct {
	// contains filtered or unexported fields
}
func NewKMSClient ¶
func (*KMSClient) DecryptEnvVar ¶
type SESClient ¶
// SESClient sends escalation and emergency emails through AWS SES and
// satisfies EscalationMailer. Construct it with NewSESClient or
// NewSESClientFromConfig.
type SESClient struct {
	// contains filtered or unexported fields
}
func NewSESClient ¶
func NewSESClientFromConfig ¶
func NewSESClientFromConfig(config *Configuration) (*SESClient, error)
func (*SESClient) DefaultEscalationEmail ¶
DefaultEscalationEmail returns the default value to which emails are sent
func (*SESClient) Send911Email ¶
Send911Email sends an email notification to the default escalation email with a message from the Slack slash command invocation.
func (*SESClient) SendEscalationEmail ¶
SendEscalationEmail sends an email notification containing an alert that needs to be escalated.
type SearchBugResponse ¶
// SearchBugResponse is the decoded body of a Bugzilla bug search, as returned
// by BugzillaClient.SearchBugs. It implements sort.Interface (Len, Less, Swap)
// so results can be ordered with sort.Sort.
//
// This is only a very small subset of what Bugzilla returns; add fields as
// needed. Full response example:
// https://bugzilla.readthedocs.io/en/latest/api/core/v1/bug.html#rest-single-bug
type SearchBugResponse struct {
	Bugs []BugResp `json:"bugs"`
}
This is only a very small subset of what Bugzilla returns. Feel free to add new fields as needed. A full response example can be seen here:
https://bugzilla.readthedocs.io/en/latest/api/core/v1/bug.html#rest-single-bug
func (SearchBugResponse) Len ¶
func (sr SearchBugResponse) Len() int
func (SearchBugResponse) Less ¶
func (sr SearchBugResponse) Less(i, j int) bool
func (SearchBugResponse) Swap ¶
func (sr SearchBugResponse) Swap(i, j int)
type SlashCommandData ¶
type StateField ¶
// StateField is the storage representation of an Alert or ExemptedObject: the
// object is serialized into State (AlertToState, ExemptedObjectToState) and
// decoded again with StateToAlert / StateToExemptedObject. The datastore tag
// marks the field noindex, so it is stored but not queryable.
type StateField struct {
	State string `datastore:"state,noindex" json:"state"`
}
func AlertToState ¶
func AlertToState(a *Alert) (*StateField, error)
func ExemptedObjectToState ¶
func ExemptedObjectToState(eobj *ExemptedObject) (*StateField, error)
type TriggerData ¶
// TriggerData is the message exchanged over Pub/Sub to drive the slackbot
// (PubSubMessageToTriggerData / ToPubSubMessage). Action says which of the
// optional payloads applies: SlashCommand for SlashCommand, Interaction for
// Interaction; ScheduledTask carries no payload.
type TriggerData struct {
	Action       ActionType       `json:"action_type"`
	SlashCommand SlashCommandData `json:"slash_command,omitempty"`
	Interaction  InteractionData  `json:"interaction,omitempty"`
}
func PubSubMessageToTriggerData ¶
func PubSubMessageToTriggerData(psmsg pubsub.Message) (*TriggerData, error)
func (*TriggerData) ToPubSubMessage ¶
func (td *TriggerData) ToPubSubMessage() (*pubsub.Message, error)
type UpdateBugReq ¶
// UpdateBugReq is the JSON body sent by BugzillaClient.UpdateBug. Status is a
// Bugzilla status string; ASSIGNED and REOPENED are the values defined in this
// package.
type UpdateBugReq struct {
	Status string `json:"status"`
}