Refactored bitsensor enhancement

Khanh Nguyen · Khanh Nguyen · commit cb0b294d5ab8 · 2017-08-25T17:25:40.000+02:00
diff --git a/elastalert_modules/bitsensor_enhancement.py b/elastalert_modules/bitsensor_enhancement.py
@@ -1,12 +1,13 @@
 from elastalert.enhancements import BaseEnhancement
 from util import convert_array_to_object
+from util import parse_detections
 
-
+# For easier access to nested values in an array , this merges all items in  array
+# within  
 class AlertTextEnhancement(BaseEnhancement):
     # The enhancement is run against every match
     # The match is passed to the process function where it can be modified in any way
     # ElastAlert will do this for each enhancement linked to a rule
     def process(self, match):
-        match['detections_string'] = ''
-        if 'detections' in match:
-            match['detections_parsed'] = convert_array_to_object(match['detections'])
+        parsed_match = parse_detections(match)
+        match.update(parsed_match)
diff --git a/elastalert_modules/util.py b/elastalert_modules/util.py
@@ -1,7 +1,30 @@
-
+from itertools import chain
 
 def convert_array_to_object(array):
     json = {}
     for idx in range(len(array)):
-        json[idx] = array[idx]
-    return json
+        json[str(idx)] = array[idx]
+    return json
+
+def parse_detections(match):
+    key = 'detections'
+    parsed = {key+'_parsed': {}}
+
+    if not isinstance(match[key], list):
+        return parsed
+    if len(match[key]) == 0:
+        return parsed
+ 
+    # Converts array terms into objects 
+    # parsed[key + '_parsed'] = convert_array_to_object(match[key]) 
+
+    for sk, value in match[key][0].iteritems(): 
+        value_array = [] 
+        if isinstance(value, list):
+            value_array = list(chain.from_iterable(sv for sv in (v[sk] for v in match[key]) if sv))
+        else:
+            value_array = [v[sk] for v in match[key]] 
+        unique_values = set(value_array)
+        parsed[key + '_parsed'][sk] = ", ".join(str(va) for va in unique_values)
+ 
+    return parsed
