Responding to Custom Events from Remote Systems - dhoelzer/DAD GitHub Wiki

Using DAD we can also generate alerts from arbitrary events that we have decided are significant. In this case we are looking at a Dropbox-style web application within a business. This system generates its own custom logs, which are forwarded via syslog into DAD. We want alerts that might indicate unusual behavior by a user, such as downloading an unusual number of documents in a relatively short period of time. Note that when we generate the alert we can also attach any arbitrary events (hopefully relevant ones!) to it so that they are immediately visible when the alert is viewed:

```ruby
# Look back six hours and pull every event matching the download message text.
timeframe = 6.hours.ago
relevant_events = Event.search("user id letters download", timeframe, 0, 10000000)

# Count downloads per user. The user name is taken by position from the
# inspected event string, so this depends on the exact log format.
users = Hash.new
relevant_events.each do |event|
  eventString = event.inspect.to_s
  user = eventString.split(' ')[25]
  users[user] = (users[user].nil? ? 1 : users[user] + 1)
end

# Alert on any user with more than ten downloads; criticality rises with volume.
users.each do |k, v|
  if v > 10
    criticality = (v < 15 ? 2 : v < 20 ? 3 : v < 25 ? 4 : 5)
    # Re-run the search for this user so the matching events can be attached to the alert.
    matching_events = Event.search("user id letters download #{k}", timeframe, 0, 10000000)
    Alert.genericAlert(system_id: matching_events[0].system_id,
                       description: "#{k} downloaded #{v} letters in the past six hours.",
                       short_description: "Unusual download activity: #{k}",
                       criticality: criticality,
                       events: matching_events)
  end
end
```
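The rule above depends on DAD's `Event.search` and `Alert.genericAlert`, so it cannot be run outside DAD. The following is an added, stand-alone example (not code from the DAD project) that applies the same detection logic to constructed syslog lines from a hypothetical document-sharing application: it parses each line with a regular expression instead of relying on a fixed field position, counts downloads per user inside a six-hour window, applies the page's criticality ladder, and returns alert records with the matching events attached. The log message format, the application name `docshare`, the user names and the document names are all assumptions made for the example.

```ruby
require 'time'

DownloadEvent = Struct.new(:time, :user, :doc)

# Assumed message format (constructed for this example, not DAD's real log format):
#   <iso8601 timestamp> <host> <app[pid]>: user id <user> action download letters doc=<name>
LINE_RE = /\A(?<ts>\S+)\s+\S+\s+\S+:\s+user id (?<user>\S+) action download letters doc=(?<doc>\S+)\z/

# Build a small constructed log: alice downloads 12 documents within an hour,
# bob downloads 3, one old alice download falls outside the window, and one
# line is not a download at all.
def build_sample_log
  base = Time.utc(2024, 3, 1, 8, 0, 0)
  lines = []
  12.times do |i|
    lines << "#{(base + i * 300).iso8601} fileserver docshare[123]: user id alice action download letters doc=letter-#{i}.pdf"
  end
  3.times do |i|
    lines << "#{(base + i * 600).iso8601} fileserver docshare[123]: user id bob action download letters doc=memo-#{i}.pdf"
  end
  lines << "#{(base - 8 * 3600).iso8601} fileserver docshare[123]: user id alice action download letters doc=old.pdf"
  lines << "#{base.iso8601} fileserver docshare[123]: user id carol action login"
  lines.join("\n")
end

# Parse one line; returns nil for anything that is not a download event.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  DownloadEvent.new(Time.iso8601(m[:ts]), m[:user], m[:doc])
end

def parse_log(text)
  text.each_line.map { |l| parse_line(l) }.compact
end

# Same criticality ladder as the DAD rule on this page.
def criticality_for(count)
  if count < 15 then 2
  elsif count < 20 then 3
  elsif count < 25 then 4
  else 5
  end
end

# Count downloads per user inside [now - window, now] and return one alert
# record per user whose count exceeds the threshold, with events attached.
def download_alerts(events, now:, window: 6 * 3600, threshold: 10)
  cutoff = now - window
  recent = events.select { |e| e.time >= cutoff && e.time <= now }
  recent.group_by(&:user).map do |user, evs|
    next nil if evs.size <= threshold
    {
      user: user,
      count: evs.size,
      criticality: criticality_for(evs.size),
      short_description: "Unusual download activity: #{user}",
      description: "#{user} downloaded #{evs.size} letters in the past six hours.",
      events: evs,
    }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  events = parse_log(build_sample_log)
  download_alerts(events, now: Time.utc(2024, 3, 1, 9, 0, 0)).each do |a|
    puts "[crit #{a[:criticality]}] #{a[:description]} (#{a[:events].size} events attached)"
  end
end
```

Parsing with a named-capture regex makes the rule fail closed: a line whose format drifts simply yields no event rather than a wrong user name, which is the failure mode of taking the 26th whitespace-separated token from an inspected object. The window is applied explicitly to each event's timestamp, so the count is the same whether the search backend returned extra older rows or not.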