private async Task RejectAlertWhenRequirementsAreNotMet(int reportId, AlertRule alertRule, Alert inspectedAlert)
{
var alertReportsWitUpdatedLabels = await _nyssContext.AlertReports
.Where(ar => ar.AlertId == inspectedAlert.Id)
.Where(ar => ar.ReportId != reportId)
.Select(ar => ar.Report)
.ToListAsync();
var updatedReportsGroupedByLabel = alertReportsWitUpdatedLabels.GroupBy(r => r.ReportGroupLabel).ToList();
var noGroupWithinAlertSatisfiesCountThreshold = !updatedReportsGroupedByLabel.Any(g => g.Count() >= alertRule.CountThreshold);
if (noGroupWithinAlertSatisfiesCountThreshold)
{
if (inspectedAlert.Status != AlertStatus.Dismissed)
{
inspectedAlert.Status = AlertStatus.Rejected;
}
foreach (var groupNotSatisfyingThreshold in updatedReportsGroupedByLabel)
{
var reportGroupLabel = groupNotSatisfyingThreshold.Key;
await IncludeAllReportsWithLabelInExistingAlert(reportGroupLabel, inspectedAlert.Id);
}
}
}
public static PSSentinelAlertRule ConvertToPSType(this AlertRule value)
{
var convertedFusionValue = value as FusionAlertRule;
if (convertedFusionValue != null)
{
return(convertedFusionValue.ConvertToPSType());
}
var convertedMicrosoftSecurityIncidentCreationValue = value as MicrosoftSecurityIncidentCreationAlertRule;
if (convertedMicrosoftSecurityIncidentCreationValue != null)
{
return(convertedMicrosoftSecurityIncidentCreationValue.ConvertToPSType());
}
var convertedScheduledValue = value as ScheduledAlertRule;
if (convertedScheduledValue != null)
{
return(convertedScheduledValue.ConvertToPSType());
}
return(new PSSentinelAlertRule()
{
Kind = "Error",
Name = value.Name
});
}
private void StopOldRule(AlertRule oldExternalRule, InternalRule newInternalRule)
{
if (_ruleStore.TryGetValue(oldExternalRule.PrivateKey.ToLower(), out var oldInternalRule))
{
if (newInternalRule != null)
{
newInternalRule.LastStatus = oldInternalRule.LastStatus;
}
oldInternalRule.DataSubs?.Cancel();
}
// update rule store
_ruleStore.Remove(oldExternalRule.PrivateKey.ToLower());
}
public async Task RemoveHealthRisk_WhenAlertIsNotNull_ShouldRemoveAlertFromTheContext()
{
// Arrange
var projectHealthRisks = new List <ProjectHealthRisk>();
var projectHealthRisksMockDbSet = projectHealthRisks.AsQueryable().BuildMockDbSet();
_nyssContextMock.ProjectHealthRisks.Returns(projectHealthRisksMockDbSet);
var alertRule = new AlertRule();
_healthRisk.AlertRule = alertRule;
// Act
await _healthRiskService.Delete(HealthRiskId);
// Assert
_nyssContextMock.AlertRules.Received(1).Remove(alertRule);
}
public InternalRule(AlertRule rule)
{
RuleName = rule.RuleUniqueId;
Disabled = rule.Disabled;
DataTypeName = rule.DataTypeName;
DataSubsExpr = rule.DataSubsExpr != null?Expr.Create(rule.DataSubsExpr) : Expr.Const(false);
DataItemKind = EnumHelper.Parse(rule.DataItemKind, true, ItemKind.Undefined);
Condition = rule.Condition != null?Expr.Create(rule.Condition) : Expr.Const(false);
Constraint = rule.Constraint != null?Expr.Create(rule.Constraint) : Expr.Const(true);
Properties = rule.AlertProperties != null ? new NamedValueSet(rule.AlertProperties) : new NamedValueSet();
MonitorPeriod = rule.MonitorPeriod != null?TimeSpan.Parse(rule.MonitorPeriod) : TimeSpan.FromMinutes(1);
PublishPeriod = rule.PublishPeriod != null?TimeSpan.Parse(rule.PublishPeriod) : TimeSpan.FromMinutes(5);
SignalFormat = rule.SignalFormat;
}
public async Task WhenUpdatingAlertRuleThenUpdateIsCalledCorrectly()
{
var ruleToUpdate = new AlertRule
{
Id = "ruleId",
SmartDetectorId = "smartDetectorId",
Cadence = TimeSpan.FromMinutes(1440),
ResourceId = "resourceId"
};
await this.alertRuleStore.AddOrReplaceAlertRuleAsync(ruleToUpdate, CancellationToken.None);
this.tableMock.Verify(m => m.ExecuteAsync(
It.Is <TableOperation>(operation =>
operation.OperationType == TableOperationType.InsertOrReplace &&
operation.Entity.RowKey.Equals(ruleToUpdate.Id) &&
((AlertRuleEntity)operation.Entity).SmartDetectorId.Equals(ruleToUpdate.SmartDetectorId) &&
((AlertRuleEntity)operation.Entity).CadenceInMinutes.Equals(1440) &&
((AlertRuleEntity)operation.Entity).ResourceId.Equals(ruleToUpdate.ResourceId)),
It.IsAny <CancellationToken>()));
}
private void StartNewRule(AlertRule newExternalRule, InternalRule newInternalRule)
{
if (!newInternalRule.Disabled && newInternalRule.DataSubsExpr != null)
{
newInternalRule.DataSubs = IntClient.Target.CreateUntypedSubscription(null, newInternalRule.DataSubsExpr);
newInternalRule.DataSubs.UserCallback =
delegate(ISubscription subscription, ICoreItem item)
{
var rule = (InternalRule)subscription.UserContext;
ICoreItem lastItem = rule.CurrentReceivedItem;
if (lastItem == null || (item.Created > lastItem.Created))
{
rule.CurrentReceivedItem = item;
}
};
newInternalRule.DataSubs.UserContext = newInternalRule;
newInternalRule.DataSubs.DataTypeName = newInternalRule.DataTypeName;
newInternalRule.DataSubs.WaitForExisting = true;
newInternalRule.DataSubs.Start();
Thread.Sleep(2000);
}
// update rule store
_ruleStore[newExternalRule.PrivateKey.ToLower()] = newInternalRule;
}
private IEnumerable <AlertRule> ReadAlertRules(IResourceGroup resourceGroup)
{
var alertRule = new AlertRule(resourceGroup);
var alertRules = new List <AlertRule> {
alertRule
};
var azureAlertRules = _azure.AlertRules;
foreach (var metricAlert in azureAlertRules.MetricAlerts.ListByResourceGroup(resourceGroup.Name))
{
MetricAlert metric = new MetricAlert(metricAlert.Name);
alertRule.MetricAlerts.Add(metric);
}
// Microsoft.Azure.Management.Monitor.Fluent.Models.ErrorResponseException. v
// Operation returned an invalid status code 'NotFound'
foreach (var activityLogAlert in azureAlertRules.ActivityLogAlerts.ListByResourceGroup(resourceGroup.Name))
{
ActivityLogAlert activity = new ActivityLogAlert(activityLogAlert.Name);
alertRule.ActivityLogAlerts.Add(activity);
}
return(alertRules);
}
private async Task RecalculateAlert(Report report, AlertRule alertRule)
{
var pointsWithLabels = await _reportLabelingService.CalculateNewLabelsInLabelGroup(report.ReportGroupLabel, alertRule.KilometersThreshold.Value * 1000 * 2, report.Id);
await _reportLabelingService.UpdateLabelsInDatabaseDirect(pointsWithLabels);
}
private void ValidateAlertRule(AlertRule AlertRule)
{
Assert.NotNull(AlertRule);
}
/// <summary>
/// Saves an alert rule
/// </summary>
/// <param name="alertRule">The alert rule</param>
/// <param name="cancellationToken">The cancellation token</param>
public async Task SaveAlertRuleAsync(AlertRule alertRule, CancellationToken cancellationToken = default)
=> await PutAsync($"setting/alert/rules/{alertRule.Id}?data=%5Bobject+Object%5D", alertRule, cancellationToken).ConfigureAwait(false);
/// <summary>
/// Creates or updates the alert rule.
/// </summary>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='resourceGroupName'>
/// The name of the resource group. The name is case insensitive.
/// </param>
/// <param name='workspaceName'>
/// The name of the workspace.
/// </param>
/// <param name='ruleId'>
/// Alert rule ID
/// </param>
/// <param name='alertRule'>
/// The alert rule
/// </param>
/// <param name='cancellationToken'>
/// The cancellation token.
/// </param>
public static async Task <AlertRule> CreateOrUpdateAsync(this IAlertRulesOperations operations, string resourceGroupName, string workspaceName, string ruleId, AlertRule alertRule, CancellationToken cancellationToken = default(CancellationToken))
{
using (var _result = await operations.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, workspaceName, ruleId, alertRule, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
/// <summary>
/// Creates or updates the alert rule.
/// </summary>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='resourceGroupName'>
/// The name of the resource group. The name is case insensitive.
/// </param>
/// <param name='workspaceName'>
/// The name of the workspace.
/// </param>
/// <param name='ruleId'>
/// Alert rule ID
/// </param>
/// <param name='alertRule'>
/// The alert rule
/// </param>
public static AlertRule CreateOrUpdate(this IAlertRulesOperations operations, string resourceGroupName, string workspaceName, string ruleId, AlertRule alertRule)
{
return(operations.CreateOrUpdateAsync(resourceGroupName, workspaceName, ruleId, alertRule).GetAwaiter().GetResult());
}
public AlertRuleRunner(AlertRule alertRule)
{
_alertRule = alertRule;
}
/// <summary>
/// Sends the Smart Signal result Email.
/// </summary>
/// <param name="signalExecution">The signals execution information.</param>
/// <param name="smartSignalResultItems">The Smart Signal result items.</param>
/// <returns>The task object representing the asynchronous operation.</returns>
public async Task SendSignalResultEmailAsync(SignalExecutionInfo signalExecution, IList <SmartSignalResultItemPresentation> smartSignalResultItems)
{
AlertRule alertRule = signalExecution.AlertRule;
if (this.sendGridClient == null)
{
this.tracer.TraceWarning("SendGrid API key was not found, not sending email");
return;
}
if (alertRule.EmailRecipients == null || !alertRule.EmailRecipients.Any())
{
this.tracer.TraceWarning("Email recipients were not provided, not sending email");
return;
}
if (smartSignalResultItems == null || !smartSignalResultItems.Any())
{
this.tracer.TraceInformation($"no result items to publish for signal {alertRule.SignalId}");
return;
}
this.tracer.TraceInformation($"Sending signal result email for signal {alertRule.SignalId}");
var exceptions = new List <Exception>();
foreach (SmartSignalResultItemPresentation resultItem in smartSignalResultItems)
{
ResourceIdentifier resource = ResourceIdentifier.CreateFromResourceId(alertRule.ResourceId);
// TODO: Fix links
string emailBody = Resources.SmartSignalEmailTemplate
.Replace(SignalNamePlaceHolder, resultItem.SignalName)
.Replace(ResourceNamePlaceHolder, resultItem.ResourceId)
.Replace(LinkToPortalPlaceHolder, "LinkToPortal")
.Replace(RuleNamePlaceHolder, alertRule.Name)
.Replace(RuleDescriptionPlaceHolder, alertRule.Description)
.Replace(ServiceNamePlaceHolder, $@"{resource.ResourceType}: {resource.ResourceName} ({resource.ResourceGroupName})")
.Replace(AlertActivatedTimePlaceHolder, signalExecution.LastExecutionTime.ToString())
.Replace(SubscriptionNamePlaceHolder, resource.SubscriptionId)
.Replace(LinkToFeedbackPlaceHolder, "https://ms.portal.azure.com/");
var msg = new SendGridMessage
{
From = new EmailAddress("*****@*****.**", "Smart Signals"),
Subject = $"Azure Smart Alerts (preview) - {resultItem.SignalName} detected",
PlainTextContent = $@"{resultItem.SignalName} was detected for {resultItem.ResourceId}.
You can view more details for this alert here: {"LinkToPortal"}",
HtmlContent = emailBody
};
var emailAddresses = alertRule.EmailRecipients.Select(email => new EmailAddress(email)).ToList();
msg.AddTos(emailAddresses);
try
{
var response = await this.sendGridClient.SendEmailAsync(msg);
if (!IsSuccessStatusCode(response.StatusCode))
{
string content = response.Body != null ? await response.Body.ReadAsStringAsync() : string.Empty;
var message = $"Failed to send signal results Email for signal {alertRule.SignalId}. Fail StatusCode: {response.StatusCode}. Content: {content}.";
this.tracer.TraceError(message);
exceptions.Add(new EmailSendingException(message));
}
}
catch (Exception e)
{
this.tracer.TraceError($"Failed to send email. Exception: {e}");
exceptions.Add(new EmailSendingException($"Exception was thrown fo sending signal results Email for signal {alertRule.SignalId}. Exception: {e}"));
}
}
if (exceptions.Count > 0)
{
this.tracer.TraceError(
$"Failed to send one or more signal result emails." +
$"Number of exceptions thrown: {exceptions.Count()}.");
throw new AggregateException("Failed to send one or more signal result emails", exceptions);
}
this.tracer.TraceInformation($"Sent signal result emails successfully for signal {alertRule.SignalId}");
}
