From 6eb65c522a6583235dfe3911abe09f76a0dd0f7c Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Tue, 23 Jul 2024 09:39:49 -0300 Subject: [PATCH 01/12] added falco webhook --- webhooks/falco/README.md | 95 ++++++++++++++++++++++++++ webhooks/falco/alerta_falco.py | 106 +++++++++++++++++++++++++++++ webhooks/falco/setup.py | 24 +++++++ webhooks/falco/test_falco.py | 120 +++++++++++++++++++++++++++++++++ 4 files changed, 345 insertions(+) create mode 100644 webhooks/falco/README.md create mode 100644 webhooks/falco/alerta_falco.py create mode 100644 webhooks/falco/setup.py create mode 100644 webhooks/falco/test_falco.py diff --git a/webhooks/falco/README.md b/webhooks/falco/README.md new file mode 100644 index 00000000..7b93f826 --- /dev/null +++ b/webhooks/falco/README.md 
@@ -0,0 +1,95 @@ +Falco Webhook +============== + +Receive [falco](https://falco.org/) alerts via `falcosidekick` webhook. + +For help, join [![Slack chat](https://img.shields.io/badge/chat-on%20slack-blue?logo=slack)](https://slack.alerta.dev) + +Falco webhook version support +------------------------------- + +[TBD] + +Installation +------------ + +Clone the GitHub repo and run: + + $ python setup.py install + +Or, to install remotely from GitHub run: + + $ pip install git+https://github.com/alerta/alerta-contrib.git#subdirectory=webhooks/falco + +Note: If Alerta is installed in a python virtual environment then plugins +need to be installed into the same environment for Alerta to dynamically +discover them. + +Configuration +------------- + +`falcosidekick` custom outputs is used here. + +Specifically, the `webhook` output. Read more [here](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webhook.md). + +First, an Api Key has to be set. It can be created in the UI, under "Api Keys" menu. + +Then, note a custom field is being used to identify environments. This is set in the installation with `customfields="environment:Development"`. Set the right environment for your Falco deployment here. 
+ +Finally, if you are using Helm to install Falco, the webhook can be set like this: + +``` shell +helm install falco -n falco --set driver.kind=modern_ebpf --set tty=true falcosecurity/falco \ +--set falcosidekick.enabled=true \ +--set falcosidekick.config.webhook.address=":///api/webhooks/falco" \ +--set falcosidekick.config.webhook.minimumpriority=notice \ +--set falcosidekick.config.webhook.customHeaders="X-Api-Key: " \ +--set falcosidekick.config.webhook.mutualtls=false \ +--set falcosidekick.config.webhook.checkcert=false \ +--set falcosidekick.config.customfields="environment:Development" +``` + +FalcoSidekick payload example +----------------------------- + +This is an example of a payload sent by `falcosidekick`: + +``` json + { + "uuid": "06f73663-b1d4-42e4-b236-eacbd2b96998", + "output": "20:39:17.500016161: Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=containerd-shim command=sh -c uptime terminal=34816 exe_flags=EXE_WRITABLE container_id=9273d0110c4e container_image= container_image_tag= container_name= k8s_ns= k8s_pod_name=)", + "priority": "Notice", + "rule": "Terminal shell in container", + "time": "2024-07-16T20:39:17.500016161Z", + "output_fields": { + "container.id": "9273d0110c4e", + "container.image.repository": "None", + "container.image.tag": "None", + "container.name": "None", + "evt.arg.flags": "EXE_WRITABLE", + "evt.time": 1721162357500016161, + "evt.type": "execve", + "k8s.ns.name": "None", + "k8s.pod.name": "None", + "proc.cmdline": "sh -c uptime", + "proc.exepath": "/bin/busybox", + "proc.name": "sh", + "proc.pname": "containerd-shim", + "proc.tty": 34816, + "user": "jdelacamara", + "user.loginuid": -1, + "user.name": "root", + "user.uid": 0 + }, + "source": "syscall", + "tags": [ + "T1059", + "container", + "maturity_stable", + "mitre_execution", + "shell" + ], + "hostname": "nixos" + } +``` + 
diff --git a/webhooks/falco/alerta_falco.py b/webhooks/falco/alerta_falco.py new file mode 100644 index 00000000..324426af --- /dev/null +++ b/webhooks/falco/alerta_falco.py 
@@ -0,0 +1,106 @@ +from flask import current_app + +from alerta.app import alarm_model +from alerta.models.alert import Alert + +from alerta.webhooks import WebhookBase + +class FalcoWebhook(WebhookBase): + """ + Falco webhook + """ + + def incoming(self, query_string, payload): + + additional_tags = [] + additional_attributes = {} + + # checking fields + # + expected_fields = ['priority', 'hostname', 'rule', 'output_fields', 'source', 'output', 'tags'] + for field in expected_fields: + if not field in payload: + raise Exception(f'{field} not found in payload') + expected_fields_in_outputfields = ['environment'] + for field in expected_fields_in_outputfields: + if not field in payload['output_fields']: + raise Exception(f'{field} not found in payload->output_fields') + + # resource+event + # + # these are the fields used for de duplication, so we fill their values here + resource=f"{payload['hostname']}" + event = payload['rule'] + + # priority + # + # falco priorities: emergency, alert, critical, error, warning, notice, informational, debug + if payload['priority'].lower() in ['emergency', 'alert', 'critical', 'error']: + severity = 'critical' + elif payload['priority'].lower() in ['notice', 'informational', 'debug']: + severity = 'warning' + else: + severity = alarm_model.DEFAULT_NORMAL_SEVERITY + additional_attributes['falco_priority'] = payload['priority'] + + # environment + # + # we set a custom field environment in our setup + environment = current_app.config['DEFAULT_ENVIRONMENT'] + if 'output_fields' in payload and 'environment' in payload['output_fields']: + environment = payload['output_fields']['environment'] + + # attributes + # + attributes = additional_attributes + + # tags + if not type(payload['tags']) == list: + raise Exception('tags should be a list') + tags = additional_tags.extend(payload['tags']) + + # group + # + # how to group + group = f"{payload['rule']}-{payload['source']}" + + # value + # + value = payload['output'] + + # service + # + # 
service is a List + service = [ payload['source'] ] + + # origin + # + origin = f"{payload['hostname']}-{payload['source']}" + + # event type + # + # in this case is a Falco Alert + event_type = 'falcoAlert' + + # text + # + # the alert text + text = f"{severity}: {payload['output_fields']}" + + return Alert( + # alerta will group by these + resource=resource, + event=event, + # ################ + environment=environment, + severity=severity, + service=service, + group=group, + value=value, + text=text, + tags=tags, + origin=origin, + attributes=attributes, + event_type=event_type, + raw_data=payload + ) diff --git a/webhooks/falco/setup.py b/webhooks/falco/setup.py new file mode 100644 index 00000000..489cf627 --- /dev/null +++ b/webhooks/falco/setup.py @@ -0,0 +1,24 @@ +from setuptools import find_packages, setup + +version = '0.0.1' + +setup( + name='alerta-falco', + version=version, + description='Alerta webhook for Falco', + url='https://github.com/alerta/alerta-contrib', + license='MIT', + author='Juan Kungfoo @ binbash', + author_email='juan.delacamara@binbash.com.ar', + packages=find_packages(), + py_modules=['alerta_falco'], + install_requires=[ + ], + include_package_data=True, + zip_safe=True, + entry_points={ + 'alerta.webhooks': [ + 'falco = alerta_falco:FalcoWebhook' + ] + } +) diff --git a/webhooks/falco/test_falco.py b/webhooks/falco/test_falco.py new file mode 100644 index 00000000..d2f0e366 --- /dev/null +++ b/webhooks/falco/test_falco.py 
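Review bot: `tags = additional_tags.extend(payload['tags'])` binds `tags` to None, because `list.extend` mutates in place and returns None, so the Alert is built with `tags=None` and the Falco tags carried in the payload (the MITRE technique ids and rule tags) never reach the alert; the fix is `tags = list(payload['tags'])`, or extend first and then `tags = additional_tags`. The same defect is carried into the tags rewrites in PATCH 08 and PATCH 10 of this series. Separately, every validation failure here is `raise Exception(...)`, which the webhook endpoint reports as a 500 server error for what is a malformed client request; raising `ApiError(f'{field} not found in payload', 400)` from `alerta.exceptions` gives the sender a 400 and keeps 5xx for real faults. `payload['priority'].lower()` and `payload['output_fields']['environment']` also assume str and dict values that an arbitrary JSON body need not provide, so an `isinstance` check before use would avoid further 500s on bad input.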
@@ -0,0 +1,120 @@ +import json +import unittest + +import alerta_falco +from alerta.app import create_app, custom_webhooks + + +class FalcoWebhookTestCase(unittest.TestCase): + + def setUp(self): + + test_config = { + 'TESTING': True, + 'AUTH_REQUIRED': False + } + self.app = create_app(test_config) + self.client = self.app.test_client() + custom_webhooks.webhooks['falco'] = alerta_falcowebhook.FalcoWebhook( + ) + + self.headers = { + 'Content-Type': 'application/json' + } + + self.alert_id = 'f0c55228-c61d-462a-9aeb-f6048d37fdf6' + + def test_falcowebhook(self): + + payload_cmd = """ + { + "uuid": "06f73663-b1d4-42e4-b236-eacbd2b96998", + "output": "20:39:17.500016161: Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=containerd-shim command=sh -c uptime terminal=34816 exe_flags=EXE_WRITABLE container_id=9273d0110c4e container_image= container_image_tag= container_name= k8s_ns= k8s_pod_name=)", + "priority": "Notice", + "rule": "Terminal shell in container", + "time": "2024-07-16T20:39:17.500016161Z", + "output_fields": { + "container.id": "9273d0110c4e", + "container.image.repository": "None", + "container.image.tag": "None", + "container.name": "None", + "evt.arg.flags": "EXE_WRITABLE", + "evt.time": 1721162357500016161, + "evt.type": "execve", + "k8s.ns.name": "None", + "k8s.pod.name": "None", + "proc.cmdline": "sh -c uptime", + "proc.exepath": "/bin/busybox", + "proc.name": "sh", + "proc.pname": "containerd-shim", + "proc.tty": 34816, + "user": "jdelacamara", + "user.loginuid": -1, + "user.name": "root", + "user.uid": 0 + }, + "source": "syscall", + "tags": [ + "T1059", + "container", + "maturity_stable", + "mitre_execution", + "shell" + ], + "hostname": "nixos" + } + """ + + # Missing alert_id + payload_invalidcmd = """ + { + "uuid": "06f73663-b1d4-42e4-b236-eacbd2b96998", + "time": "2024-07-16T20:39:17.500016161Z", + "output_fields": { + 
"container.id": "9273d0110c4e", + "container.image.repository": "None", + "container.image.tag": "None", + "container.name": "None", + "evt.arg.flags": "EXE_WRITABLE", + "evt.time": 1721162357500016161, + "evt.type": "execve", + "k8s.ns.name": "None", + "k8s.pod.name": "None", + "proc.cmdline": "sh -c uptime", + "proc.exepath": "/bin/busybox", + "proc.name": "sh", + "proc.pname": "containerd-shim", + "proc.tty": 34816, + "user": "jdelacamara", + "user.loginuid": -1, + "user.name": "root", + "user.uid": 0 + }, + "source": "syscall", + "tags": [ + "T1059", + "container", + "maturity_stable", + "mitre_execution", + "shell" + ], + "hostname": "nixos" + } + """ + + # ack with missing fields + response = self.client.post('/webhooks/falco', data=payload_invalidcmd % + 'ack', content_type='application/json', headers=self.headers) + self.assertEqual(response.status_code, 400) + data = json.loads(response.data.decode('utf-8')) + self.assertEqual(data['status'], 'error') + self.assertEqual(data['message'], 'Missing/invalid alert_id') + + # ack with bogus alert_id + response = self.client.post('/webhooks/falco', data=payload_cmd % ( + 'ack', '7a0e3ee1-fbaa-45th-isis-bogus'), content_type='application/json', headers=self.headers) + self.assertEqual(response.status_code, 400) + data = json.loads(response.data.decode('utf-8')) + self.assertEqual(data['status'], 'error') + self.assertEqual(data['message'], 'Missing/invalid alert_id') + From d02114495b0534701303f38e84f63b485cc7f1cb Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Tue, 23 Jul 2024 09:40:05 -0300 Subject: [PATCH 02/12] added falco webhook doc to readme.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index aec5d88e..d0d8a25f 100644 --- a/README.md +++ b/README.md 
@@ -82,6 +82,7 @@ Webhooks * [Slack](https://github.com/alerta/alerta/blob/master/alerta/webhooks/slack.py) * [Stackdriver](https://github.com/alerta/alerta/blob/master/alerta/webhooks/stackdriver.py) * [Telegram](https://github.com/alerta/alerta/blob/master/alerta/webhooks/telegram.py) + * [Falco](webhooks/falco) Tests ----- From 430f46c566b23a21e27478c3558814544c122515 Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Tue, 23 Jul 2024 11:52:08 -0300 Subject: [PATCH 03/12] fixed reamde --- webhooks/falco/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webhooks/falco/README.md b/webhooks/falco/README.md index 7b93f826..c02c8cfd 100644 --- a/webhooks/falco/README.md +++ b/webhooks/falco/README.md @@ -28,7 +28,7 @@ discover them. Configuration ------------- -`falcosidekick` custom outputs is used here. +`falcosidekick` custom outputs are used here. Specifically, the `webhook` output. Read more [here](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webhook.md). From 72a0d4bad39072a2ba6a57f573a2e8c64b005c70 Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Tue, 23 Jul 2024 11:53:33 -0300 Subject: [PATCH 04/12] improved readme --- webhooks/falco/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webhooks/falco/README.md b/webhooks/falco/README.md index c02c8cfd..afcc7db4 100644 --- a/webhooks/falco/README.md +++ b/webhooks/falco/README.md 
@@ -32,7 +32,7 @@ Configuration Specifically, the `webhook` output. Read more [here](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webhook.md). -First, an Api Key has to be set. It can be created in the UI, under "Api Keys" menu. +First, an Alerta Api Key has to be set. It can be created in the Alerta's UI, under "Api Keys" menu. Then, note a custom field is being used to identify environments. This is set in the installation with `customfields="environment:Development"`. Set the right environment for your Falco deployment here. From 607ea0bbae8f6b3c86928fc2cac3013881cf75e1 Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Tue, 23 Jul 2024 13:04:07 -0300 Subject: [PATCH 05/12] improved readme --- webhooks/falco/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/webhooks/falco/README.md b/webhooks/falco/README.md index afcc7db4..21a8048a 100644 --- a/webhooks/falco/README.md +++ b/webhooks/falco/README.md @@ -79,7 +79,8 @@ This is an example of a payload sent by `falcosidekick`: "user": "jdelacamara", "user.loginuid": -1, "user.name": "root", - "user.uid": 0 + "user.uid": 0, + "environment": "Development" }, "source": "syscall", "tags": [ From 9c4065d787e21afd128d9404c3cd73911b296357 Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Tue, 23 Jul 2024 13:04:19 -0300 Subject: [PATCH 06/12] improved tests --- webhooks/falco/test_falco.py | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/webhooks/falco/test_falco.py b/webhooks/falco/test_falco.py index d2f0e366..0367bd66 100644 --- a/webhooks/falco/test_falco.py +++ b/webhooks/falco/test_falco.py @@ -15,7 +15,7 @@ def setUp(self): } self.app = create_app(test_config) self.client = self.app.test_client() - custom_webhooks.webhooks['falco'] = alerta_falcowebhook.FalcoWebhook( + custom_webhooks.webhooks['falco'] = alerta_falco.FalcoWebhook( ) self.headers = { 
@@ -26,7 +26,7 @@ def setUp(self): def test_falcowebhook(self): - payload_cmd = """ + payload_cmd = r""" { "uuid": "06f73663-b1d4-42e4-b236-eacbd2b96998", "output": "20:39:17.500016161: Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=containerd-shim command=sh -c uptime terminal=34816 exe_flags=EXE_WRITABLE container_id=9273d0110c4e container_image= container_image_tag= container_name= k8s_ns= k8s_pod_name=)", @@ -51,7 +51,8 @@ def test_falcowebhook(self): "user": "jdelacamara", "user.loginuid": -1, "user.name": "root", - "user.uid": 0 + "user.uid": 0, + "environment": "Development" }, "source": "syscall", "tags": [ @@ -65,8 +66,8 @@ def test_falcowebhook(self): } """ - # Missing alert_id - payload_invalidcmd = """ + # Missing fields + payload_invalidcmd = r""" { "uuid": "06f73663-b1d4-42e4-b236-eacbd2b96998", "time": "2024-07-16T20:39:17.500016161Z", @@ -88,7 +89,8 @@ def test_falcowebhook(self): "user": "jdelacamara", "user.loginuid": -1, "user.name": "root", - "user.uid": 0 + "user.uid": 0, + "environment": "Development" }, "source": "syscall", "tags": [ 
@@ -103,18 +105,11 @@ def test_falcowebhook(self): """ # ack with missing fields - response = self.client.post('/webhooks/falco', data=payload_invalidcmd % - 'ack', content_type='application/json', headers=self.headers) - self.assertEqual(response.status_code, 400) + response = self.client.post('/webhooks/falco', data=payload_invalidcmd, content_type='application/json', headers=self.headers) + self.assertEqual(response.status_code, 500) data = json.loads(response.data.decode('utf-8')) - self.assertEqual(data['status'], 'error') - self.assertEqual(data['message'], 'Missing/invalid alert_id') - # ack with bogus alert_id - response = self.client.post('/webhooks/falco', data=payload_cmd % ( - 'ack', '7a0e3ee1-fbaa-45th-isis-bogus'), content_type='application/json', headers=self.headers) - self.assertEqual(response.status_code, 400) + # ack + response = self.client.post('/webhooks/falco', data=payload_cmd, content_type='application/json', headers=self.headers) + self.assertEqual(response.status_code, 201) data = json.loads(response.data.decode('utf-8')) - self.assertEqual(data['status'], 'error') - self.assertEqual(data['message'], 'Missing/invalid alert_id') - From e4566953465723c7374be4cff8256a1c83241f3e Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Wed, 7 Aug 2024 11:10:43 -0300 Subject: [PATCH 07/12] Increased setup version number --- webhooks/falco/setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webhooks/falco/setup.py b/webhooks/falco/setup.py index 489cf627..3af3b33b 100644 --- a/webhooks/falco/setup.py +++ b/webhooks/falco/setup.py @@ -1,6 +1,6 @@ from setuptools import find_packages, setup -version = '0.0.1' +version = '0.0.2' setup( name='alerta-falco', From 418d47543bfd91b6affd53cd1c92beda34d87c81 Mon Sep 17 00:00:00 2001 
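Review bot: `self.assertEqual(response.status_code, 500)` for a payload with missing fields pins a server-error status on a client error; the webhook raises a bare Exception for missing fields and this assertion enshrines that, where a test expecting 400 would document the intended contract and push the webhook towards raising an API error with a 4xx code. In both branches `data` is decoded and never used: for the error case assert on the returned message, and for the 201 case assert on the mapped fields, e.g. `self.assertEqual(data['alert']['severity'], 'warning')` and that the five payload tags appear in `data['alert']['tags']`. The `# ack` comment no longer describes the request, which is a plain alert post.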
From: Juan Kungfoo de la Camara Date: Wed, 7 Aug 2024 12:32:42 -0300 Subject: [PATCH 08/12] Made tags optional --- webhooks/falco/alerta_falco.py | 10 ++++++---- webhooks/falco/setup.py | 2 +- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/webhooks/falco/alerta_falco.py b/webhooks/falco/alerta_falco.py index 324426af..101a10bf 100644 --- a/webhooks/falco/alerta_falco.py +++ b/webhooks/falco/alerta_falco.py @@ -17,7 +17,7 @@ def incoming(self, query_string, payload): # checking fields # - expected_fields = ['priority', 'hostname', 'rule', 'output_fields', 'source', 'output', 'tags'] + expected_fields = ['priority', 'hostname', 'rule', 'output_fields', 'source', 'output'] for field in expected_fields: if not field in payload: raise Exception(f'{field} not found in payload') @@ -55,9 +55,11 @@ def incoming(self, query_string, payload): attributes = additional_attributes # tags - if not type(payload['tags']) == list: - raise Exception('tags should be a list') - tags = additional_tags.extend(payload['tags']) + tags = [] + if 'tags' in payload and type(payload['tags']) == list: + tags = additional_tags.extend(payload['tags']) + else: + tags = additional_tags # group # diff --git a/webhooks/falco/setup.py b/webhooks/falco/setup.py index 3af3b33b..2f0331fb 100644 --- a/webhooks/falco/setup.py +++ b/webhooks/falco/setup.py @@ -1,6 +1,6 @@ from setuptools import find_packages, setup -version = '0.0.2' +version = '0.0.3' setup( name='alerta-falco', From 7dd9d8f40ea10a096db85ebb546e3c1e521b482a Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Wed, 7 Aug 2024 12:43:01 -0300 Subject: [PATCH 09/12] Added warning level --- webhooks/falco/alerta_falco.py | 2 +- webhooks/falco/setup.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/webhooks/falco/alerta_falco.py b/webhooks/falco/alerta_falco.py index 101a10bf..5a331ca3 100644 --- a/webhooks/falco/alerta_falco.py +++ b/webhooks/falco/alerta_falco.py 
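Review bot: In the tags hunk the initial `tags = []` is dead, since both branches of the following if/else reassign it, and a `tags` value that is present but not a list is now dropped silently where it was previously rejected; if that leniency is intended, say so in a comment such as `# tags is optional; a non-list value is ignored rather than rejected`, otherwise keep the type error and return it as a 4xx. `incoming` begins and ends outside this hunk.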
@@ -37,7 +37,7 @@ def incoming(self, query_string, payload): # falco priorities: emergency, alert, critical, error, warning, notice, informational, debug if payload['priority'].lower() in ['emergency', 'alert', 'critical', 'error']: severity = 'critical' - elif payload['priority'].lower() in ['notice', 'informational', 'debug']: + elif payload['priority'].lower() in ['warning', 'notice', 'informational', 'debug']: severity = 'warning' else: severity = alarm_model.DEFAULT_NORMAL_SEVERITY diff --git a/webhooks/falco/setup.py b/webhooks/falco/setup.py index 2f0331fb..d5bfceec 100644 --- a/webhooks/falco/setup.py +++ b/webhooks/falco/setup.py @@ -1,6 +1,6 @@ from setuptools import find_packages, setup -version = '0.0.3' +version = '0.0.4' setup( name='alerta-falco', From 2507040b0d13a5a0651eb5d5c5d281730148c10e Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Tue, 13 Aug 2024 12:44:46 -0300 Subject: [PATCH 10/12] fixed style issues --- webhooks/falco/alerta_falco.py | 43 ++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 12 deletions(-) diff --git a/webhooks/falco/alerta_falco.py b/webhooks/falco/alerta_falco.py index 5a331ca3..78d02ce2 100644 --- a/webhooks/falco/alerta_falco.py +++ b/webhooks/falco/alerta_falco.py @@ -1,9 +1,8 @@ from flask import current_app - from alerta.app import alarm_model from alerta.models.alert import Alert +from alerta.webhooks import WebhookBase -from alerta.webhooks import WebhookBase class FalcoWebhook(WebhookBase): """ 
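Review bot: With `'warning'` added, the two lists now cover every Falco priority, so the `else` branch is reached only by an unrecognised or mistyped `priority` value, and it maps that to `alarm_model.DEFAULT_NORMAL_SEVERITY`; Alerta treats a normal-severity alert for the same resource/event as a clear (worth confirming against the configured alarm model), so an unexpected value from a sender would silently close an open finding rather than be rejected. Prefer rejecting it, e.g. `raise ApiError(f"unknown priority {payload['priority']!r}", 400)` with `ApiError` from `alerta.exceptions`, or at least map it to a non-normal default with a comment explaining the choice. `incoming` begins and ends outside this hunk.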
@@ -17,27 +16,47 @@ def incoming(self, query_string, payload): # checking fields # - expected_fields = ['priority', 'hostname', 'rule', 'output_fields', 'source', 'output'] + expected_fields = [ + 'priority', + 'hostname', + 'rule', + 'output_fields', + 'source', + 'output' + ] for field in expected_fields: - if not field in payload: + if field not in payload: raise Exception(f'{field} not found in payload') expected_fields_in_outputfields = ['environment'] for field in expected_fields_in_outputfields: - if not field in payload['output_fields']: + if field not in payload['output_fields']: raise Exception(f'{field} not found in payload->output_fields') # resource+event # - # these are the fields used for de duplication, so we fill their values here - resource=f"{payload['hostname']}" + # these are the fields used for de duplication, + # so we fill their values here + resource = f"{payload['hostname']}" event = payload['rule'] # priority # - # falco priorities: emergency, alert, critical, error, warning, notice, informational, debug - if payload['priority'].lower() in ['emergency', 'alert', 'critical', 'error']: + # falco priorities: + # emergency, alert, critical, error, warning, notice, + # informational, debug + if payload['priority'].lower() in [ + 'emergency', + 'alert', + 'critical', + 'error' + ]: severity = 'critical' - elif payload['priority'].lower() in ['warning', 'notice', 'informational', 'debug']: + elif payload['priority'].lower() in [ + 'warning', + 'notice', + 'informational', + 'debug' + ]: severity = 'warning' else: severity = alarm_model.DEFAULT_NORMAL_SEVERITY @@ -56,7 +75,7 @@ def incoming(self, query_string, payload): # tags tags = [] - if 'tags' in payload and type(payload['tags']) == list: + if 'tags' in payload and isinstance(payload['tags'], list): tags = additional_tags.extend(payload['tags']) else: tags = additional_tags 
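Review bot: `if field not in payload['output_fields']` only checks key presence and still accepts a non-mapping `output_fields`: for a string value the `in` test is a substring match, so a body with `"output_fields": "environment"` passes validation and then fails on `payload['output_fields']['environment']` with a TypeError, i.e. a 500 for a malformed request; add `if not isinstance(payload['output_fields'], dict): raise Exception('output_fields should be an object')` before that loop (ideally as a 400). On style, `resource = f"{payload['hostname']}"` wraps a single value in an f-string; `resource = str(payload['hostname'])` states the same intent directly. `incoming` begins and ends outside this hunk.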
@@ -73,7 +92,7 @@ def incoming(self, query_string, payload): # service # # service is a List - service = [ payload['source'] ] + service = [payload['source']] # origin # From 6d3ad70f577f1fd7ea886a4f53af7c4d1dddaebf Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Wed, 28 Aug 2024 16:05:09 -0300 Subject: [PATCH 11/12] Fixed styles --- webhooks/falco/README.md | 1 - webhooks/falco/alerta_falco.py | 2 +- webhooks/falco/test_falco.py | 6 ++++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/webhooks/falco/README.md b/webhooks/falco/README.md index 21a8048a..f52d384e 100644 --- a/webhooks/falco/README.md +++ b/webhooks/falco/README.md @@ -93,4 +93,3 @@ This is an example of a payload sent by `falcosidekick`: "hostname": "nixos" } ``` - diff --git a/webhooks/falco/alerta_falco.py b/webhooks/falco/alerta_falco.py index 78d02ce2..9188cde7 100644 --- a/webhooks/falco/alerta_falco.py +++ b/webhooks/falco/alerta_falco.py @@ -124,4 +124,4 @@ def incoming(self, query_string, payload): attributes=attributes, event_type=event_type, raw_data=payload - ) + ) diff --git a/webhooks/falco/test_falco.py b/webhooks/falco/test_falco.py index 0367bd66..6a70ea9c 100644 --- a/webhooks/falco/test_falco.py +++ b/webhooks/falco/test_falco.py 
@@ -105,11 +105,13 @@ def test_falcowebhook(self): """ # ack with missing fields - response = self.client.post('/webhooks/falco', data=payload_invalidcmd, content_type='application/json', headers=self.headers) + response = self.client.post('/webhooks/falco', data=payload_invalidcmd, + content_type='application/json', headers=self.headers) self.assertEqual(response.status_code, 500) data = json.loads(response.data.decode('utf-8')) # ack - response = self.client.post('/webhooks/falco', data=payload_cmd, content_type='application/json', headers=self.headers) + response = self.client.post( + '/webhooks/falco', data=payload_cmd, content_type='application/json', headers=self.headers) self.assertEqual(response.status_code, 201) data = json.loads(response.data.decode('utf-8')) From 4a6fbbbfdb1d7519643b2ff521eb2c043ea69b1e Mon Sep 17 00:00:00 2001 From: Juan Kungfoo de la Camara Date: Fri, 4 Oct 2024 10:19:40 -0300 Subject: [PATCH 12/12] As per failed pipelines, I run the precommit and it modified this isort file --- .isort.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.isort.cfg b/.isort.cfg index 327b5b08..c85fc637 100644 --- a/.isort.cfg +++ b/.isort.cfg @@ -1,2 +1,2 @@ [settings] -known_third_party = Queue,alerta,alerta_azuremonitor,alerta_msteamswebhook,alerta_sentry,alerta_slack,alertaclient,boto,cachetclient,consul,dateutil,dingtalkchatbot,flask,google,influxdb,jinja2,kombu,mailer,matterhook,mock,op5,pymsteams,pytest,pyzabbix,requests,settings,setuptools,telepot,twilio,yaml +known_third_party = Queue,alerta,alerta_azuremonitor,alerta_falco,alerta_msteamswebhook,alerta_sentry,alerta_slack,alertaclient,boto,cachetclient,consul,dateutil,dingtalkchatbot,flask,google,influxdb,jinja2,kombu,mailer,matterhook,mock,op5,pymsteams,pytest,pyzabbix,requests,settings,setuptools,telepot,twilio,yaml