mentat.reports.event module

Library for generating event reports.

The implementation is based on mentat.reports.base.BaseReporter.

class mentat.reports.event.EventReporter(logger, reports_dir, templates_dir, locale, timezone, eventservice, sqlservice, mailer, event_classes_dir, thresholding=True)[source]

Bases: mentat.reports.base.BaseReporter

Implementation of reporting class providing Mentat event reports.

static aggregate_events(events)[source]

Aggregate given list of events to dictionary structure that can be used to generate report message.

Parameters

events (dict) – Structure containing events as mentat.idea.internal.Idea objects.

Returns

Dictionary structure of aggregated events.

Return type

dict

static aggregate_events_by_source(events, settings)[source]

Aggregate given list of events to dictionary structure according to the IPv4 and IPv6 sources. The resulting structure contains event source addresses (value of Source.IP4 and Source.IP6 attributes) as keys and list of events with given source in no particular order. For example:

{
    '192.168.1.1': [...],
    '::1': [...],
    ...
}
Parameters

  • events (list) – List of events as mentat.idea.internal.Idea objects.

  • settings (mentat.reports.event.ReportingSettings) – Reporting settings.

Returns

Dictionary structure of aggregated events.

Return type

dict

choose_attachments(ident, settings)[source]

Choose appropriate report attachments based on the reporting configuration.

cleanup(ttl)[source]

Cleanup thresholding cache and remove all records with TTL older than given value.

Parameters

time_h (datetime.datetime) – Upper cleanup time threshold.

Returns

Number of removed records.

Return type

int

fetch_severity_events(abuse_group, severity, time_l, time_h, testdata=False)[source]

Fetch events with given severity for given abuse group within given time iterval.

Parameters

  • abuse_group – Abuse group model object.

  • severity (str) – Event severity level to fetch.

  • time_l (datetime.datetime) – Lower time interval boundary.

  • time_h (datetime.datetime) – Upper time interval boundary.

  • testdata (bool) – Switch to use test data for reporting.

Returns

List of events matching search criteria.

Return type

list

filter_event(filter_rules, event)[source]

Filter given event according to given list of filtering rules.

Parameters

  • filter_rules (list) – Filters to be used.

  • mentat.idea.internal.Idea – Event to be filtered.

Returns

True in case any filter matched, False otherwise.

Return type

bool

filter_events(events, abuse_group, settings)[source]

Filter given list of IDEA events according to given abuse group settings.

Parameters

  • events (list) – List of IDEA events as mentat.idea.internal.Idea objects.

  • mentat.datatype.sqldb.GroupModel – Abuse group.

  • settings (mentat.reports.event.ReportingSettings) – Reporting settings.

Returns

Tuple with list of events that passed filtering and filtering log as a dictionary.

Return type

tuple

static j2t_idea_path_valueset(message_s, jpath_s)[source]

Calculate and return set of all values on all given jpaths in all given messages. Messages and jpaths can also be a single values.

static prepare_structured_data(events_reg_aggr, events_rel_aggr, settings)[source]

Prepare structured data for report column

Parameters
Returns

Structured data that cam be used to generate report message

Return type

dict

relapse_events(abuse_group, severity, time_h)[source]

Detect IDEA event relapses for given abuse group settings.

Parameters

  • mentat.datatype.sqldb.GroupModel – Abuse group.

  • severity (str) – Severity for which to perform reporting.

  • time_h (datetime.datetime) – Upper reporting time threshold.

Returns

List of events that relapsed.

Return type

list

render_report(report, settings, template_vars=None, attachment_files=None, srcip=None)[source]
report(abuse_group, settings, severity, time_l, time_h, template_vars=None, testdata=False)[source]

Perform reporting for given abuse group, event severity and time window.

Parameters

  • abuse_group (mentat.datatype.internal.GroupModel) – Abuse group.

  • settings (mentat.reports.event.ReportingSettings) – Reporting settings.

  • severity (str) – Severity for which to perform reporting.

  • time_l (datetime.datetime) – Lower reporting time threshold.

  • time_h (datetime.datetime) – Upper reporting time threshold.

  • template_vars (dict) – Dictionary containing additional template variables.

  • testdata (bool) – Switch to use test data for reporting.

report_extra(parent_rep, result, events, abuse_group, settings, severity, time_l, time_h, template_vars=None, testdata=False)[source]

Generate extra reports from given events for given abuse group, severity and period.

Parameters

  • parent_rep (mentat.datatype.internal.EventReportModel) – Parent summary report.

  • result (dict) – Reporting result structure with various usefull metadata.

  • events (dict) – Dictionary structure with IDEA events to be reported.

  • abuse_group (mentat.datatype.internal.GroupModel) – Abuse group.

  • settings (mentat.reports.event.ReportingSettings) – Reporting settings.

  • severity (str) – Severity for which to perform reporting.

  • time_l (datetime.datetime) – Lower reporting time threshold.

  • time_h (datetime.datetime) – Upper reporting time threshold.

  • template_vars (dict) – Dictionary containing additional template variables.

  • testdata (bool) – Switch to use test data for reporting.

report_summary(result, events, abuse_group, settings, severity, time_l, time_h, template_vars=None, testdata=False)[source]

Generate summary report from given events for given abuse group, severity and period.

Parameters

  • result (dict) – Reporting result structure with various usefull metadata.

  • events (dict) – Dictionary structure with IDEA events to be reported.

  • abuse_group (mentat.datatype.internal.GroupModel) – Abuse group.

  • settings (mentat.reports.event.ReportingSettings) – Reporting settings.

  • severity (str) – Severity for which to perform reporting.

  • time_l (datetime.datetime) – Lower reporting time threshold.

  • time_h (datetime.datetime) – Upper reporting time threshold.

  • template_vars (dict) – Dictionary containing additional template variables.

  • testdata (bool) – Switch to use test data for reporting.

threshold_events(events, abuse_group, severity, time_h)[source]

Threshold given list of IDEA events according to given abuse group settings.

Parameters

  • events (list) – List of IDEA events as mentat.idea.internal.Idea objects.

  • mentat.datatype.sqldb.GroupModel – Abuse group.

  • severity (str) – Severity for which to perform reporting.

  • time_h (datetime.datetime) – Upper reporting time threshold.

Returns

List of events that passed thresholding.

Return type

list

update_thresholding_cache(events, settings, severity, time_h)[source]
Parameters

  • events (dict) – Dictionary structure with IDEA events that were reported.

  • settings (mentat.reports.event.ReportingSettings) – Reporting settings.

  • severity (str) – Severity for which to perform reporting.

  • time_h (datetime.datetime) – Upper reporting time threshold.

mentat.reports.event.REPORT_EMAIL_TEXT_WIDTH = 90

Width of the report email text.

mentat.reports.event.REPORT_SUBJECT_EXTRA = '[{:s}] {:s} - Notice about possible problems regarding host {:s}'

Subject for extra report emails.

mentat.reports.event.REPORT_SUBJECT_SUMMARY = '[{:s}] {:s} - Notice about possible problems in your network'

Subject for summary report emails.

mentat.reports.event.csv_dict(idea)[source]

Convert selected attributes of given IDEA message into flat dictionary suitable for CSV dump. This is a legacy feature from old version of Mentat system and due to its shortcomings is planned to be removed in the future. It was implemented only for the purposes of compatibility and transition from old version of Mentat system to new one.

mentat.reports.event.json_default(val)[source]

Helper function for JSON serialization of non basic data types.