Skip to content

Commit

Permalink
add new dedup logic
Browse files Browse the repository at this point in the history
  • Loading branch information
ben-githubs committed Nov 25, 2024
1 parent d02d3e7 commit b21def5
Show file tree
Hide file tree
Showing 2 changed files with 73 additions and 2 deletions.
9 changes: 7 additions & 2 deletions rules/wiz_rules/wiz_alert_passthrough.py
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,17 @@ def title(event):


def severity(event):
# if event.get("severity") == "INFORMATIONAL":
# return "INFO"
return event.get("severity")


def dedup(event):
# For lower-severity events, dedup based on specific source rule to reduce overall alert volume
if event.get("severity") in ("INFO", "LOW"):
dedup_str = str(event.deep_get("sourceRule", "id"))
if dedup_str:
return dedup_str
# If the severity is higher, or for some reason we couldn't generate a dedup string based on
# the source rule, then use the alert severity + the resource ID itself.
return event.deep_get(
"entitySnapshot", "externalId", default="<RESOURCE_NOT_FOUND>"
) + event.get("severity", "<SEVERITY_NOT_FOUND>")
Expand Down
66 changes: 66 additions & 0 deletions rules/wiz_rules/wiz_alert_passthrough.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,72 @@ Tests:
"type": "TOXIC_COMBINATION",
"updatedAt": "2024-06-04 02:28:06.763277000"
}
- Name: Low-Severity Open Alert
ExpectedResult: true
Log:
{
"createdAt": "2024-06-04 02:28:06.763277000",
"entitySnapshot": {
"cloudProviderURL": "",
"externalId": "someExternalId",
"id": "12345",
"name": "someName",
"nativeType": "",
"providerId": "someProviderId",
"region": "",
"resourceGroupExternalId": "",
"subscriptionExternalId": "",
"subscriptionName": "",
"tags": { },
"type": "DATA_FINDING"
},
"id": "54321",
"notes": [ ],
"projects": [
{
"businessUnit": "",
"id": "45678",
"name": "Project 2",
"riskProfile": {
"businessImpact": "MBI"
},
"slug": "project-2"
},
],
"serviceTickets": [ ],
"severity": "LOW",
"sourceRule": {
"__typename": "Control",
"controlDescription": "Alert Description",
"id": "12345",
"name": "Alert Name",
"resolutionRecommendation": "Alert Resolution Recommendation",
"securitySubCategories": [
{
"category": {
"framework": {
"name": "Wiz for Risk Assessment"
},
"name": "High Profile Threats"
},
"title": "High-profile vulnerability exploited in the wild"
},
{
"category": {
"framework": {
"name": "MITRE ATT&CK Matrix"
},
"name": "TA0001 Initial Access"
},
"title": "T1190 Exploit Public-Facing Application"
},
]
},
"status": "OPEN",
"statusChangedAt": "2024-06-04 02:28:06.597355000",
"type": "TOXIC_COMBINATION",
"updatedAt": "2024-06-04 02:28:06.763277000"
}
- Name: Resolved Alert
ExpectedResult: false
Log:
Expand Down

0 comments on commit b21def5

Please sign in to comment.