Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve alert batching for GuardDuty (within Gatekeeper) #503

Closed
ajvb opened this issue Jan 6, 2021 · 1 comment
Closed

Improve alert batching for GuardDuty (within Gatekeeper) #503

ajvb opened this issue Jan 6, 2021 · 1 comment
Labels
improvement

Comments

@ajvb
Copy link
Contributor

ajvb commented Jan 6, 2021

There are cases where we may get multiple alerts of the same type that we would want to page on (via Pagerduty). An example of this is if someone is using the root credentials we can get many variations on the "RootCredentialUsage" alert.

We should improve the ability to batch by alert type within

foxsec-pipeline/src/main/java/com/mozilla/secops/gatekeeper/GuardDutyTransforms.java

Line 272 in 50d2c02

public static class SuppressAlerts extends PTransform<PCollection<Alert>, PCollection<Alert>> {
for these cases.

This is specifically important for alerts that page, so might be worth adding this functionality to GuardDutyFindingMatcher
@kkleemola
Copy link
Contributor

Closing as Gatekeeper is no longer being used.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
improvement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ajvb @kkleemola