def group_hits()

in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/alarm_filehash/module.py [0:0]


    def group_hits(self, iocs, already_alarmed, already_checked):
        """Group IOC documents by MD5 file hash, dropping hashes that need no check.

        Every document is bucketed under the value of ``_source.file.hash.md5``.
        A hash is removed from the result when *any* of its documents is listed
        in ``already_alarmed`` (those documents additionally get their alarm data
        refreshed and are tagged with this submodule) or in ``already_checked``.

        Args:
            iocs: Iterable of IOC documents (dict-like; presumably Elasticsearch
                hits, given the ``_source`` path used for lookup).
            already_alarmed: Container of MD5 hashes alarmed on a previous run;
                only membership tests are performed on it.
            already_checked: Container of MD5 hashes checked within the current
                interval; only membership tests are performed on it.

        Returns:
            dict mapping md5 -> list of IOC documents that still need checking,
            in first-seen order.
        """
        hits_by_md5 = {}
        # md5 -> False as soon as one document of that hash must be skipped
        check_flags = {}

        for ioc in iocs:
            md5 = get_value("_source.file.hash.md5", ioc)
            # NOTE(review): a document without an md5 field is bucketed under
            # whatever get_value returns for a missing path — confirm that is intended.
            hits_by_md5.setdefault(md5, []).append(ioc)

            needs_check = True
            if md5 in already_alarmed:
                needs_check = False
                # Refresh the last-checked date, then tag the doc as alarmed
                add_alarm_data(ioc, {}, info["submodule"], False)
                set_tags(info["submodule"], [ioc])
            if md5 in already_checked:
                # Seen within the interval: hold off for now
                needs_check = False

            # A single "skip" vote from any document of the hash wins
            check_flags[md5] = check_flags.get(md5, True) and needs_check

        # check_flags and hits_by_md5 share the same keys in the same order
        for md5, keep in check_flags.items():
            if keep:
                continue
            self.logger.debug(
                "[%s] md5 hash already checked within interval or already alarmed previously, skipping",
                md5,
            )
            hits_by_md5.pop(md5, None)

        return hits_by_md5