Alerting based on User Activity in a Web Application
David Hoelzer edited this page Mar 12, 2015
Another example of generating alerts based on user activity in a web application, this time driven by the application logs being forwarded into DAD. What amazes most people is how little code is actually required to make this happen:
```ruby
# Look back two hours (ActiveSupport time helper).
timeframe = 2.hours.ago

# Pull every "people search sent" event in the window.
relevant_events = Event.search("people search sent", timeframe, 0, 10000000)

# Count searches per user. The user name is taken from a fixed token
# position in the inspected event, so this depends on the exact layout of
# the forwarded log line; a change in the log format will break it.
users = Hash.new
relevant_events.each do |event|
  eventString = event.inspect.to_s
  user = eventString.split(' ')[25]
  users[user] = (users[user].nil? ? 1 : users[user] + 1)
end

# Anyone with more than five searches gets an alert, with criticality
# stepping up at 10, 15 and 20 searches.
users.each do |k, v|
  if v > 5 then
    criticality = (v < 10 ? 2 : v < 15 ? 3 : v < 20 ? 4 : 5)
    matching_events = Event.search("people search sent #{k}", timeframe, 0, 10000000)
    Alert.genericAlert(
      system_id: matching_events[0].system_id,
      description: "#{k} searched for #{v} person contacts in the past two hours.",
      short_description: "Suspicious user activity - Person Searches: #{k}",
      criticality: criticality,
      events: matching_events
    )
  end
end
```
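The same threshold logic, as an added stand-alone example that is not part of the original page and does not use DAD's `Event`/`Alert` API: it runs over a handful of constructed log lines, extracts the user from an assumed `user=<name>` field instead of a fixed token position, and drops events outside the two-hour window or with an unparseable timestamp. The log format, the `constructed_log_lines` helper and the alert hash layout are assumptions for illustration; the threshold and criticality ladder match the script above.

```ruby
require 'time'

WINDOW_SECONDS = 2 * 60 * 60  # "2.hours.ago" without ActiveSupport
THRESHOLD = 5                 # alert when a user's count is greater than 5

# Assumed log format: "<iso8601 ts> <host> people search sent user=<name> ..."
SEARCH_EVENT = /\A(?<ts>\S+) \S+ people search sent user=(?<user>\S+)/

# Constructed sample lines (not real DAD or web-application output).
def constructed_log_lines
  lines = []
  # alice: 6 searches inside the window, just over the threshold
  6.times { |i| lines << "2015-03-12T10:#{format('%02d', i * 5)}:00Z webapp people search sent user=alice query=\"smith\"" }
  # bob: 3 searches, below the threshold
  3.times { |i| lines << "2015-03-12T10:#{format('%02d', 30 + i)}:00Z webapp people search sent user=bob query=\"jones\"" }
  # carol: 11 searches inside the window plus 2 stale ones before it
  11.times { |i| lines << "2015-03-12T09:#{format('%02d', 10 + i)}:00Z webapp people search sent user=carol query=\"lee\"" }
  lines << "2015-03-12T08:15:00Z webapp people search sent user=carol query=\"old\""
  lines << "2015-03-12T08:45:00Z webapp people search sent user=carol query=\"old\""
  # an unrelated event and a malformed line, both ignored
  lines << "2015-03-12T10:20:00Z webapp login succeeded user=alice"
  lines << "not-a-timestamp webapp people search sent user=mallory query=\"x\""
  lines.join("\n") + "\n"
end

# Same criticality ladder as the DAD script: 2 below 10, 3 below 15, 4 below 20, else 5.
def criticality_for(count)
  if count < 10 then 2
  elsif count < 15 then 3
  elsif count < 20 then 4
  else 5
  end
end

# Count "people search sent" events per user with a timestamp in [now - window, now].
def count_searches(log_text, now:, window: WINDOW_SECONDS)
  window_start = now - window
  counts = Hash.new(0)
  log_text.each_line do |line|
    m = SEARCH_EVENT.match(line)
    next unless m
    begin
      ts = Time.iso8601(m[:ts])
    rescue ArgumentError
      next # unparseable timestamp: skip the line rather than miscount it
    end
    next if ts < window_start || ts > now
    counts[m[:user]] += 1
  end
  counts
end

# One alert record per user above the threshold, sorted by user name.
def build_alerts(log_text, now:, threshold: THRESHOLD)
  count_searches(log_text, now: now).select { |_, c| c > threshold }.map do |user, count|
    {
      user: user,
      count: count,
      criticality: criticality_for(count),
      short_description: "Suspicious user activity - Person Searches: #{user}",
      description: "#{user} searched for #{count} person contacts in the past two hours."
    }
  end.sort_by { |a| a[:user] }
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2015, 3, 12, 11, 0, 0)
  build_alerts(constructed_log_lines, now: now).each { |a| puts a.inspect }
end
```

With the window ending at 11:00 UTC, alice (6) and carol (11 in-window, 2 stale) produce alerts at criticality 2 and 3; bob stays below the threshold and the malformed mallory line is skipped. Anchoring the user name to a labelled field rather than a token index is what keeps the count correct when a log line gains or loses a field.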