fix: improve log handling in GPT request and ensure last log entry is used

Author: yllada

soc-ai/elastic/alerts.go

@@ -234,19 +234,20 @@ func BuildCorrelationContext(corr *AlertCorrelation) string {
 	return sb.String()
 }
 
-var matchTypeNames = map[string]string{
-	"SourceIP":        "Source IP",
-	"DestinationIP":   "Destination IP",
-	"SourceUser":      "Source User",
-	"DestinationUser": "Destination User",
-}
-
 func translateMatchTypes(types []string) string {
 	sort.Strings(types)
 	var out []string
+
 	for _, t := range types {
-		if name, ok := matchTypeNames[t]; ok {
-			out = append(out, name)
+		switch t {
+		case "SourceIP":
+			out = append(out, "Source IP")
+		case "DestinationIP":
+			out = append(out, "Destination IP")
+		case "SourceUser":
+			out = append(out, "Source User")
+		case "DestinationUser":
+			out = append(out, "Destination User")
 		}
 	}
 	return strings.Join(out, " and ")

soc-ai/gpt/client.go

@@ -39,6 +39,14 @@ func (c *GPTClient) Request(alert schema.AlertGPTDetails) (string, error) {
 	if alert.Logs == "" || alert.Logs == " " {
 		content += content + ". " + configurations.GPT_FALSE_POSITIVE
 	}
+
+	if alert.Logs != "" && alert.Logs != " " {
+		logs := strings.Split(alert.Logs, configurations.LOGS_SEPARATOR)
+		if len(logs) > 0 {
+			alert.Logs = logs[len(logs)-1]
+		}
+	}
+
 	jsonContent, err := json.Marshal(alert)
 	if err != nil {
 		return "", fmt.Errorf("error marshalling alert: %v", err)