Merge pull request #65 from Snowflake-Labs/add_custom_correlation_period

Add support for correlation periods for alerts
Snowflake-Labs · Jul 17, 2023 · cc05344 · cc05344
2 parents a29fe6e + bdbba6b
commit cc05344
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 7 deletions.
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -153,7 +153,7 @@ variable "snowalert_user_email" {
 variable "snowalert_warehouse_size" {
   type        = string
   description = "Warehouse size."
-  default     = "X-Small"
+  default     = "XSMALL"
 }
 
 variable "alerts_merge_schedule" {

diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
@@ -153,7 +153,7 @@ variable "snowalert_user_email" {
 variable "snowalert_warehouse_size" {
   type        = string
   description = "Warehouse size."
-  default     = "X-Small"
+  default     = "XSMALL"
 }
 
 variable "alerts_merge_schedule" {

diff --git a/functions.tf b/functions.tf
@@ -338,3 +338,33 @@ depends_on = [
   module.snowalert_grants
 ]
 }
+
+resource "snowflake_function" "convert_time_period_to_seconds" {
+  provider = snowflake.security_alerting_role
+
+  database = local.snowalert_database_name
+  schema   = local.data_schema
+  name     = "CONVERT_TIME_PERIOD_TO_SECONDS"
+
+  arguments {
+      name = "PERIOD"
+      type = "VARCHAR"
+  }
+
+  return_type = "FLOAT"
+  language    = "javascript"
+  statement   = <<javascript
+var value = parseInt(PERIOD.match(/\d+/)[0]);
+var unit = PERIOD.toLowerCase().match(/[a-z]/)[0];
+return value * (
+  unit == 'm' ? 60 :
+  unit == 'h' ? 60*60 :
+  unit == 'd' ? 60*60*24 :
+  1
+)
+javascript
+
+  depends_on = [
+    module.snowalert_grants
+  ]
+}
diff --git a/procedures.tf b/procedures.tf
@@ -83,6 +83,11 @@ resource "snowflake_procedure" "alert_processor_with_default_correlation_period"
       local.results_schema,
       local.alerts_table,
     ])
+    data_convert_time_period_to_seconds_function = join(".", [
+      local.snowalert_database_name,
+      local.data_schema,
+      snowflake_function.convert_time_period_to_seconds.name,
+    ])
   })
 
   depends_on = [
@@ -111,6 +116,11 @@ resource "snowflake_procedure" "alert_processor_with_custom_correlation_period"
       local.results_schema,
       local.alerts_table,
     ])
+    data_convert_time_period_to_seconds_function = join(".", [
+      local.snowalert_database_name,
+      local.data_schema,
+      snowflake_function.convert_time_period_to_seconds.name,
+    ])
   })
 
   depends_on = [

diff --git a/procedures_js/alert_processor.js b/procedures_js/alert_processor.js
@@ -1,7 +1,7 @@
 //args
 var CORRELATION_PERIOD_MINUTES
 
-CORRELATION_PERIOD_MINUTES = CORRELATION_PERIOD_MINUTES || -60
+CORRELATION_PERIOD_MINUTES = CORRELATION_PERIOD_MINUTES || '60 minutes'
 
 var alert_correlation_result_array = []
 
@@ -34,7 +34,11 @@ WHERE alert:ACTOR = ?
   AND correlation_id IS NOT NULL
   AND NOT IS_NULL_VALUE(alert:ACTOR)
   AND suppressed = FALSE
-  AND event_time > DATEADD(minutes, $${CORRELATION_PERIOD_MINUTES}, ?)
+  AND event_time > DATEADD(
+    seconds,
+    - ${data_convert_time_period_to_seconds_function}(COALESCE(alert:CORRELATION_PERIOD, '$${CORRELATION_PERIOD_MINUTES}')),
+    ?
+  )
 ORDER BY event_time DESC
 LIMIT 1
 `
@@ -79,7 +83,11 @@ WHERE correlation_id IS NULL
 UPDATE_ALERT_CORRELATION_ID = `
 UPDATE ${results_alerts_table}
 SET correlation_id = COALESCE(?, UUID_STRING())
-WHERE alert:EVENT_TIME > DATEADD(minutes, $${CORRELATION_PERIOD_MINUTES}, ?)
+WHERE alert:EVENT_TIME > DATEADD(
+    seconds, 
+    - ${data_convert_time_period_to_seconds_function}(COALESCE(alert:CORRELATION_PERIOD, '$${CORRELATION_PERIOD_MINUTES}')), 
+    ?
+  )
   AND alert:ALERT_ID = ?
 `
 

diff --git a/procedures_js/alert_queries_runner.js b/procedures_js/alert_queries_runner.js
@@ -34,6 +34,10 @@ function fillArray(value, len) {
   return arr
 }
 
+function defaultNullReference(columnAndType) {
+  return `IFNULL(OBJECT_CONSTRUCT(*):` + columnAndType + `, PARSE_JSON('null'))`
+}
+
 const RUN_ID = Math.random().toString(36).substring(2).toUpperCase()
 const RAW_ALERTS_TABLE = `${results_raw_alerts_table}`
 
@@ -61,7 +65,10 @@ SELECT '$${RUN_ID}' run_id
       'DETECTOR', IFNULL(DETECTOR::VARIANT, PARSE_JSON('null')),
       'EVENT_DATA', IFNULL(EVENT_DATA::VARIANT, PARSE_JSON('null')),
       'SEVERITY', IFNULL(SEVERITY::VARIANT, PARSE_JSON('null')),
-      'HANDLERS', IFNULL(OBJECT_CONSTRUCT(*):HANDLERS::VARIANT, PARSE_JSON('null'))
+      'HANDLERS', $${defaultNullReference('HANDLERS::VARIANT')},
+      'CORRELATION_PERIOD', $${defaultNullReference(
+        'CORRELATION_PERIOD::VARIANT'
+      )}
   ) AS alert
   , alert_time
   , event_time

diff --git a/variables.tf b/variables.tf
@@ -187,7 +187,7 @@ variable "servicenow_api_url" {
 variable "snowalert_warehouse_size" {
   type        = string
   description = "Warehouse size."
-  default     = "X-Small"
+  default     = "XSMALL"
 }
 
 variable "alerts_merge_schedule" {