cloudmarker.alerts package

A package for alert plugins packaged with this project.

This package contains alert plugins that are packaged as part of this project. The alert plugins implement a function named write() that accepts input records and typically sends them to an alerting destination. The alert plugins also implement a function named done() that performs cleanup work when called.

Note that the alert plugins implement the exact same interface as the store plugins in the cloudmarker.stores package. So a store plugin can usually serve equally well as an alert plugin, and vice versa. In fact, some of the store plugins such as cloudmarker.stores.esstore.EsStore and cloudmarker.stores.mongodbstore.MongoDBStore are indeed used as alert plugins too because security events can be alerted by storing them in an Elasticsearch index or MongoDB collection.

If a plugin can serve as both a store plugin and an alert plugin, we keep it in the cloudmarker.stores package. If a plugin makes sense only as an alert plugin, we keep it in this cloudmarker.alerts package.
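As an added example that is not part of the cloudmarker project, the following minimal plugin honours the write()/done() interface described above: records are buffered in write() and a single summary is produced in done(), with an interim JSON report similar to SlackAlert's temp_file. The class name SummaryAlert and the event_type/resource record keys are assumptions for this illustration.

```python
import json
import tempfile
from collections import Counter


class SummaryAlert:
    """Alert plugin that buffers event records and emits one summary in done().

    Follows the same write()/done() contract as the plugins on this page,
    so it could be listed as an alert plugin or a store plugin. The
    'event_type' key used below is an assumption for this example.
    """

    def __init__(self, report_file=None):
        self._buffer = []
        if report_file is None:
            # Interim JSON report, analogous to SlackAlert's temp_file.
            with tempfile.NamedTemporaryFile(suffix='.json', delete=False) as f:
                report_file = f.name
        self.report_file = report_file

    def write(self, record):
        """Save one event record (a dict) in the in-memory buffer."""
        if not isinstance(record, dict):
            raise TypeError('event record must be a dict, got %r' % type(record))
        self._buffer.append(record)

    def done(self):
        """Persist buffered records as JSON, build the alert text, reset.

        Returns the summary text ('' when nothing was buffered) so the caller
        can see what would be sent; the buffer is cleared for the next run.
        """
        if not self._buffer:
            return ''
        with open(self.report_file, 'w') as f:
            json.dump(self._buffer, f, indent=2)
        counts = Counter(r.get('event_type', 'unknown') for r in self._buffer)
        lines = ['%d security event(s) detected:' % len(self._buffer)]
        for event_type, n in sorted(counts.items()):
            lines.append('  %s: %d' % (event_type, n))
        lines.append('Full report: ' + self.report_file)
        self._buffer = []
        return '\n'.join(lines)


def demo():
    """Feed constructed sample records through the plugin; return the alert."""
    alert = SummaryAlert()
    for record in [{'event_type': 'firewall_open', 'resource': 'vm-1'},
                   {'event_type': 'firewall_open', 'resource': 'vm-2'},
                   {'event_type': 'public_bucket', 'resource': 'bucket-a'}]:
        alert.write(record)
    return alert.done()
```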

Submodules

cloudmarker.alerts.emailalert module

Email alert plugin.

class cloudmarker.alerts.emailalert.EmailAlert(**kwargs)

Bases: object

A plugin to send email alerts.

Create an instance of EmailAlert plugin.

This class accepts the same arguments as cloudmarker.util.send_email().

The content argument is not honoured. Even if a content argument is provided, it is ignored, because this class builds its own content from the event records it receives in its write() method.

done()

Send the buffered events as an email alert.

write(record)

Save event record in a buffer.

Parameters: record (dict) – An event record.

cloudmarker.alerts.slackalert module

Alerter to send Slack messages for identified anomalies.

class cloudmarker.alerts.slackalert.SlackAlert(bot_user_token, to, text, temp_file='/tmp/cloudmarker/slackalert.json')

Bases: object

Alert plugin to send Slack alerts.

Initialize the SlackAlert class.

Parameters:
  • bot_user_token (string) – Token for the Slack bot user.
  • to (list) – List of recipients (strings) to send the Slack alert to.
  • text (string) – Message body.
  • temp_file (string) – Name of the file used to save the interim JSON records that are attached to the Slack message as a report.

done()

Write the JSON data to a file and send alert.

This function writes the JSON data to a file. The created JSON file is then used by the self._post_message method to send the file as an attachment.

write(record)

Write records to an in-memory buffer.

This method only collates the records in the list self._slack_report; nothing is sent until done() is called.

Parameters: record (list) – Records generated by the Events plugin.