mozilla-services / foxsec-pipeline

Log analysis pipeline utilizing Apache Beam
Mozilla Public License 2.0

Implement escalation metadata and alert suppression in Gatekeeper pipeline #175

Closed ameihm0912 closed 5 years ago

ameihm0912 commented 5 years ago

#174 adds a pipeline for monitoring output from ETD and GD.

In the current state, the pipeline will generate alerts but it does not currently add any escalation metadata to the alerts that will result in special handling in AlertIO.

Example from the authentication pipeline:

https://github.com/mozilla-services/foxsec-pipeline/blob/7a27d9421f9ba44ccdbdd327de4c080690f68bbf/src/main/java/com/mozilla/secops/authprofile/AuthProfile.java#L255-L263

We will want to add a similar notification pipeline option to the gatekeeper pipeline and include this metadata option when we generate an alert if the option is set in the configuration. If the option is not set, the pipeline will behave as it currently does.

We will also want to potentially look at hooking AlertSuppressor up to the end of the analysis transforms and suppressing possible repeated alerts to avoid generating a large number of escalation notifications under certain circumstances.
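The following is an added example, not foxsec-pipeline code, that models the two behaviours this issue asks for: escalation metadata attached to an alert only when a pipeline option is configured (pass-through otherwise), and a suppressor at the end of the analysis stage that drops alerts repeating an already-emitted alert within a time window. It is written in plain Python rather than the project's Java/Beam code so it runs stand-alone; the `Alert` and `GatekeeperConfig` shapes, the `escalate_to` option and metadata key, the suppression key `(category, summary)`, and the sample alerts are all constructed for this illustration.

```python
"""Model of the proposed Gatekeeper changes: optional escalation metadata and
alert suppression. Constructed example; not foxsec-pipeline code, and every
class, field and key name here is an assumption."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    """Minimal stand-in for a pipeline alert (hypothetical shape)."""
    category: str          # constructed source label, e.g. "etd" or "gd"
    summary: str
    timestamp: float       # seconds since epoch
    metadata: Dict[str, str] = field(default_factory=dict)


@dataclass
class GatekeeperConfig:
    """Hypothetical pipeline option: where escalated alerts are routed."""
    escalate_to: Optional[str] = None


def add_escalation_metadata(alert: Alert, config: GatekeeperConfig) -> Alert:
    """Return a copy of the alert carrying escalation metadata only when the
    option is set; with no option configured the alert passes through as-is."""
    if not config.escalate_to:
        return alert
    meta = dict(alert.metadata)
    meta["escalate_to"] = config.escalate_to   # metadata key is constructed
    return replace(alert, metadata=meta)


class AlertSuppressor:
    """Drop alerts that repeat an already-emitted alert within the window.
    Feed alerts in timestamp order; the first occurrence of a key is emitted
    and resets the window for that key."""

    def __init__(self, window_seconds: float):
        self.window = window_seconds
        self._last_emitted: Dict[Tuple[str, str], float] = {}

    @staticmethod
    def suppression_key(alert: Alert) -> Tuple[str, str]:
        # Two alerts are "the same" if they share source category and summary.
        return (alert.category, alert.summary)

    def should_emit(self, alert: Alert) -> bool:
        key = self.suppression_key(alert)
        last = self._last_emitted.get(key)
        if last is not None and alert.timestamp - last < self.window:
            return False                      # repeat inside window: suppress
        self._last_emitted[key] = alert.timestamp
        return True


def run_gatekeeper(alerts: List[Alert], config: GatekeeperConfig,
                   window_seconds: float) -> List[Alert]:
    """Analysis output -> suppressor -> escalation metadata -> alert output."""
    suppressor = AlertSuppressor(window_seconds)
    emitted: List[Alert] = []
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        if suppressor.should_emit(alert):
            emitted.append(add_escalation_metadata(alert, config))
    return emitted


# Constructed sample: four ETD findings with the same summary over 15 minutes
# plus one unrelated GD finding. With a 600 s window, only the ETD alerts at
# t=0 and t=900 and the GD alert at t=200 survive (3 emitted, 2 suppressed).
SAMPLE_ALERTS = [
    Alert("etd", "Persistence: anomalous IAM grant", 0.0),
    Alert("etd", "Persistence: anomalous IAM grant", 120.0),
    Alert("gd", "Recon: unusual API enumeration", 200.0),
    Alert("etd", "Persistence: anomalous IAM grant", 300.0),
    Alert("etd", "Persistence: anomalous IAM grant", 900.0),
]

if __name__ == "__main__":
    cfg = GatekeeperConfig(escalate_to="secops@example.com")  # constructed
    for a in run_gatekeeper(SAMPLE_ALERTS, cfg, 600):
        print(a.timestamp, a.category, a.metadata)
```

Because `add_escalation_metadata` returns a copy rather than mutating the input, the same alert list can be run once with the option set and once without, which is the distinction the issue draws (escalation only when configured, current behaviour otherwise). The suppressor resets its window on the first emitted alert of each key, so a long-running repeat still produces one escalation per window rather than none at all.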

adrianosela commented 5 years ago

Update: Missing ETD alert suppressor