hub / github.com/crowdsecurity/crowdsec / AlertCmd

Function AlertCmd

pkg/apiserver/papi_cmd.go:90–186  ·  view source on GitHub ↗
(ctx context.Context, message *Message, p *Papi, sync bool)


88}
89
90func AlertCmd(ctx context.Context, message *Message, p *Papi, sync bool) error {
91 switch message.Header.OperationCmd {
92 case "add":
93 data, err := json.Marshal(message.Data)
94 if err != nil {
95 return err
96 }
97
98 alert := &models.Alert{}
99
100 if err := json.Unmarshal(data, alert); err != nil {
101 return fmt.Errorf("message for '%s' contains bad alert format: %w", message.Header.OperationType, err)
102 }
103
104 log.Infof("Received order %s from PAPI (%d decisions)", alert.UUID, len(alert.Decisions))
105 decisionsToKeep := make([]*models.Decision, 0)
106 for _, decision := range alert.Decisions {
107 if decision.Value == nil {
108 continue
109 }
110 isAllowlisted, reason, err := p.DBClient.IsAllowlisted(ctx, *decision.Value)
111 if err != nil {
112 log.Errorf("Failed to check if decision '%s' is allowlisted: %s", *decision.Value, err)
113 // keep the decision in case of error during allowlist check
114 decisionsToKeep = append(decisionsToKeep, decision)
115 continue
116 }
117 if isAllowlisted {
118 log.Infof("Decision '%s' is allowlisted, removing it (%s)", *decision.Value, reason)
119 continue
120 }
121 decisionsToKeep = append(decisionsToKeep, decision)
122 }
123 alert.Decisions = decisionsToKeep
124
125 if len(alert.Decisions) == 0 {
126 log.Infof("All decisions are allowlisted for alert %s, skipping alert creation", alert.UUID)
127 return nil
128 }
129
130 /*Fix the alert with missing mandatory items*/
131 if alert.StartAt == nil || *alert.StartAt == "" {
132 log.Warnf("Alert %d has no StartAt, setting it to now", alert.ID)
133 alert.StartAt = new(time.Now().UTC().Format(time.RFC3339))
134 }
135
136 if alert.StopAt == nil || *alert.StopAt == "" {
137 log.Warnf("Alert %d has no StopAt, setting it to now", alert.ID)
138 alert.StopAt = new(time.Now().UTC().Format(time.RFC3339))
139 }
140
141 alert.EventsCount = new(int32(0))
142 alert.Capacity = new(int32(0))
143 alert.Leakspeed = new("")
144 alert.Simulated = new(false)
145 alert.ScenarioHash = new("")
146 alert.ScenarioVersion = new("")
147 alert.Message = new("")

Callers

nothing calls this directly

Calls 4

CreateOrUpdateAlertMethod · 0.80
IsAllowlistedMethod · 0.45
FormatMethod · 0.45
StringMethod · 0.45

Tested by

no test coverage detected
