#!/usr/bin/python3 # -*- coding: utf-8 -*- """ Part of RedELK This alarm always triggers. Only use for testing purposes. Authors: - Lorenzo Bernardi (@fastlorenzo) """ import logging from modules.helpers import get_initial_alarm_result, get_query info = { "version": 0.1, "name": "dummy alarm", "alarmmsg": "ALARM GENERATED BY DUMMY", "description": "This alarm always triggers. Only use for testing purposes.", "type": "redelk_alarm", "submodule": "alarm_dummy", } class Module: """dummy alarm module This check returns the last IOC in rtops-* that have not been alarmed yet """ def __init__(self): self.logger = logging.getLogger(info["submodule"]) def run(self): """Run the alarm module""" ret = get_initial_alarm_result() ret["info"] = info ret["fields"] = [ "agent.hostname", "@timestamp", "host.name", "user.name", "ioc.type", "file.name", "file.hash.md5", "ioc.domain", "c2.message", "alarm.alarm_filehash", ] ret["groupby"] = [] for result in self.alarm_dummy(): ret["hits"]["hits"].append(result) ret["mutations"][result["_id"]] = {"test": "extra_data"} ret["hits"]["total"] += 1 self.logger.info( "finished running module. result: %s hits", ret["hits"]["total"] ) self.logger.debug(ret) return ret def alarm_dummy(self): """This check returns the last IOC in rtops-* that have not been alarmed yet""" es_query = "c2.log.type:ioc AND NOT tags:alarm_*" es_results = get_query(es_query, 1, index="rtops-*") self.logger.debug(es_results) return es_results