Fix formatting matched arguments

2023-02-09 22:54:38 +00:00 · 2023-02-09 22:54:38 +00:00 · 2356c6bcd7
parent f4273e4453
commit 2356c6bcd7
2 changed files with 28 additions and 4 deletions
--- a/core/db/elastic.py
+++ b/core/db/elastic.py
@ -371,6 +371,8 @@ class ElasticsearchBackend(StorageBackend):
        """
        Check the results of a scheduled query for aggregations.
        """
+        if rule_object.aggs is None:
+            return result_map
        for index, (meta, result) in result_map.items():
            # Default to true, if no aggs are found, we still want to match
            match = True
--- a/core/lib/rules.py
+++ b/core/lib/rules.py
@ -103,7 +103,7 @@ def format_webhook(**kwargs):
    notify_message = {
        "rule_id": rule.id,
        "rule_name": rule.name,
-        "match": matched,
+        "matched": matched,
        "total_hits": total_hits,
        "index": index,
        "data": message,
@ -215,6 +215,25 @@ class NotificationRuleData(object):
                self.object.match[index] = False
        self.object.save()

+    def format_matched(self, messages):
+        matched = {}
+        for message in messages:
+            for field, value in self.data:
+                if field == "msg":
+                    # Allow partial matches for msg
+                    for msg in value:
+                        if "msg" in message:
+                            if msg.lower() in message["msg"].lower():
+                                matched[field] = msg
+                                # Break out of the msg matching loop
+                                break
+                    # Continue to next field
+                    continue
+                if field in message and message[field] in value:
+                    # Do exact matches for all other fields
+                    matched[field] = message[field]
+        return matched
+
    def store_match(self, index, match):
        """
        Store a match result.
@ -293,8 +312,9 @@ class NotificationRuleData(object):
        for agg_name, agg in aggs.items():
            print("ITER", agg_name, agg)
            # Already checked membership below
-            op, value = self.aggs[agg_name]
-            new_aggs[agg_name] = f"{agg['value']}{op}{value}"
+            if agg_name in self.aggs:
+                op, value = self.aggs[agg_name]
+                new_aggs[agg_name] = f"{agg['value']}{op}{value}"

        return new_aggs

@ -361,9 +381,11 @@ class NotificationRuleData(object):
            pass

        # We hit the return above if we don't need to notify
-        if "aggs" in meta and "matched" not in meta:
+        meta["matched"] = self.format_matched(message)
+        if "aggs" in meta:
            meta["matched"] = self.format_aggs(meta["aggs"])
            print("MATCHED", meta["matched"])
+
        rule_notify(self.object, index, message, meta)
        self.store_match(index, message)
        await self.ingest_matches(index, message, meta, mode)