
committed
fix: optimize alert correlation logic and improve classification handling
1 parent b6bb38e commit ef92721

1 file changed

Lines changed: 16 additions & 21 deletions


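--- a/soc-ai/elastic/alerts.go
+++ b/soc-ai/elastic/alerts.go
@@ -91,35 +91,24 @@ func GetRelatedAlerts() ([]schema.Alert, error) {
 func FindRelatedAlerts(currentAlert schema.Alert) (*AlertCorrelation, error) {
 	correlation := &AlertCorrelation{
 		CurrentAlert: currentAlert,
-		RelatedAlerts: []schema.Alert{},
-		Classifications: []string{},
+		RelatedAlerts: make([]schema.Alert, 0),
+		Classifications: make([]string, 0),
 	}
 
 	historicalResponses, err := GetRelatedAlerts()
 	if err != nil {
 		return nil, err
 	}
 
-	var alertIDs []string
-	for _, resp := range historicalResponses {
-		alertIDs = append(alertIDs, resp.ID)
-	}
-
-	for _, id := range alertIDs {
-		alert, err := GetAlertsInfo(id)
-		if err != nil {
-			continue
-		}
-
-		if isAlertRelated(currentAlert, alert) {
-			correlation.RelatedAlerts = append(correlation.RelatedAlerts, alert)
+	for _, hist := range historicalResponses {
+		if isAlertRelated(currentAlert, hist) {
+			correlation.RelatedAlerts = append(correlation.RelatedAlerts, hist)
 
-			for _, resp := range historicalResponses {
-				if resp.ID == alert.ID {
-					correlation.Classifications = append(correlation.Classifications, resp.Tags...)
-					break
-				}
+			classification := "This alert has not been classified"
+			if len(hist.Tags) > 0 {
+				classification = strings.Join(hist.Tags, ", ")
 			}
+			correlation.Classifications = append(correlation.Classifications, classification)
 		}
 	}
 
@@ -174,7 +163,13 @@ func BuildCorrelationContext(correlation *AlertCorrelation) string {
 		context.WriteString(fmt.Sprintf("- Name: %s\n", alert.Name))
 		context.WriteString(fmt.Sprintf("- Severity: %s\n", alert.SeverityLabel))
 		context.WriteString(fmt.Sprintf("- Category: %s\n", alert.Category))
-		context.WriteString(fmt.Sprintf("- Classification: %s\n", correlation.Classifications[i]))
+
+		classification := "This alert has not been classified"
+		if i < len(correlation.Classifications) {
+			classification = correlation.Classifications[i]
+		}
+		context.WriteString(fmt.Sprintf("- Classification: %s\n", classification))
+
 		context.WriteString(fmt.Sprintf("- Time: %s\n", alert.Timestamp))
 
 		if alert.Source.IP != "" {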
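Review bot: The fallback text `"This alert has not been classified"` is spelled out twice — at new line 107 in FindRelatedAlerts in the first hunk and again at new line 167 in BuildCorrelationContext in the second — so the two copies can silently drift apart; hoist it into one package-level `const unclassifiedLabel = "This alert has not been classified"` and use it at both sites. The first hunk now calls `strings.Join`, which the removed code did not, so confirm the file's import block (outside this hunk) brings in `strings`. The rewrite also drops the per-ID `GetAlertsInfo(id)` fetch and passes the `GetRelatedAlerts()` document straight to `isAlertRelated`; if that search result is a slimmer projection than the per-ID lookup returned, correlation may now see fewer fields, which is worth checking against isAlertRelated. Tag values are joined into the context string verbatim, and they originate from stored alert documents rather than from this code, so if this string ends up in a model prompt a short comment at the join site noting that the classification text is data, not a trusted label, would help the next reader. Both enclosing functions start and end outside their hunks.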
