Rule SnapshotExpression with withSecondaryInfo

Rule SnapshotExpression with withSecondaryInfo


Hi! I’m working on a rule that checks a condition against a snapshot expression.
In this I would like to add secondary info with items such as
[username]: This user has failed to log in [failureCount] times

The rule as such is working, it triggers on the metric and resolves when the metric is cleared.
I can not however reason out how to get the alert items.

The closes i’ve gotten is the code down below, but this seems to present ALL snapshots, the current one and the previous ones.

case class CrossVendorRepeatedFailedLoginAttemptsJH23() extends PerDeviceRule with RuleHelper {

override val metadata: RuleMetadata = RuleMetadata.builder(“cross_vendor_repeated_failed_login_attempts_JH23”, “All Devices: Repeated failed login attempts by a user JH23”,
“Alert if a user is repeatedly trying to login unsuccessfully during the last hour. JH23”, AlertSeverity.ERROR)

override def expressionTree(context : RuleContext): StatusTreeExpression = {
val currentValue = SnapshotExpression(“failed-logins”).asMulti().mostRecent().value()

  // Which objects to pull (normally, devices)
  SelectTagsExpression(context.metaDao, Set(DeviceKey), True),
      // Additional information we care about
      SelectSnapshotsExpression(context.snapshotsDao, Set("failed-logins")).multi(),
      // What constitutes an issue
        scopableStringFormatExpression("This user has made ${scope(\"failed-logins:failureCount\")} failed logins during the last hour."),
        "Failed logins",
        Set[InvisibleScopeKey](InvisibleScopeKey("username",Some("failed-logins")), InvisibleScopeKey("failureCount",Some("failed-logins")))
  // Details of the alert itself
  ConstantExpression("Indeni has detected repeated password guessing against the device in the last hour. This may be due to penetration testing, a user attempting many times with an incorrect password or user name, or malicious attempt to log on to the device."),
  ConditionalRemediationSteps("Investigate from where the logins are originating from and take action to block the attempts if necessary.",
    ConditionalRemediationSteps.VENDOR_CP -> "Check \"/var/log/secure\" on the device.")