Feature/ecs alerts

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/semver/v3 v3.4.0
 	github.com/anchore/syft v1.32.0
 	github.com/aquilax/truncate v1.0.0
-	github.com/armosec/armoapi-go v0.0.667
+	github.com/armosec/armoapi-go v0.0.669
 	github.com/armosec/utils-k8s-go v0.0.35
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cenkalti/backoff/v4 v4.3.0

go.sum

@@ -761,8 +761,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/armosec/armoapi-go v0.0.667 h1:LrFowKvthnL676Gx+hjhvqP4pQ2+CjykFO9SdIYDc/c=
-github.com/armosec/armoapi-go v0.0.667/go.mod h1:9jAH0g8ZsryhiBDd/aNMX4+n10bGwTx/doWCyyjSxts=
+github.com/armosec/armoapi-go v0.0.669 h1:7tGk7+u94C7OqA81QqWV9UWbH28LKCb/j4Gt9ybfXmI=
+github.com/armosec/armoapi-go v0.0.669/go.mod h1:9jAH0g8ZsryhiBDd/aNMX4+n10bGwTx/doWCyyjSxts=
 github.com/armosec/gojay v1.2.17 h1:VSkLBQzD1c2V+FMtlGFKqWXNsdNvIKygTKJI9ysY8eM=
 github.com/armosec/gojay v1.2.17/go.mod h1:vuvX3DlY0nbVrJ0qCklSS733AWMoQboq3cFyuQW9ybc=
 github.com/armosec/utils-go v0.0.58 h1:g9RnRkxZAmzTfPe2ruMo2OXSYLwVSegQSkSavOfmaIE=

pkg/rulemanager/types/failure.go

@@ -20,6 +20,7 @@ type GenericRuleFailure struct {
 	TriggerEvent           utils.EnrichEvent
 	RuleAlert              apitypes.RuleAlert
 	RuntimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails
+	RuntimeAlertECSDetails apitypes.RuntimeAlertECSDetails
 	RuleID                 string
 	CloudServices          []string
 	HttpRuleAlert          apitypes.HttpRuleAlert
@@ -41,6 +42,8 @@ type RuleFailure interface {
 	GetRuleAlert() apitypes.RuleAlert
 	// Get K8s Runtime Details
 	GetRuntimeAlertK8sDetails() apitypes.RuntimeAlertK8sDetails
+	// Get ECS Runtime Details
+	GetRuntimeAlertEcsDetails() apitypes.RuntimeAlertECSDetails
 	// Get Rule ID
 	GetRuleId() string
 	// Get Cloud Services
@@ -66,6 +69,8 @@ type RuleFailure interface {
 	SetRuleAlert(ruleAlert apitypes.RuleAlert)
 	// Set K8s Runtime Details
 	SetRuntimeAlertK8sDetails(runtimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails)
+	// Set ECS Runtime Details
+	SetRuntimeAlertEcsDetails(runtimeAlertEcsDetails apitypes.RuntimeAlertECSDetails)
 	// Set Cloud Services
 	SetCloudServices(cloudServices []string)
 	// Set Alert Platform
@@ -102,6 +107,10 @@ func (rule *GenericRuleFailure) GetRuntimeAlertK8sDetails() apitypes.RuntimeAler
 	return rule.RuntimeAlertK8sDetails
 }
 
+func (rule *GenericRuleFailure) GetRuntimeAlertEcsDetails() apitypes.RuntimeAlertECSDetails {
+	return rule.RuntimeAlertECSDetails
+}
+
 func (rule *GenericRuleFailure) GetRuleId() string {
 	return rule.RuleID
 }
@@ -150,6 +159,10 @@ func (rule *GenericRuleFailure) SetRuntimeAlertK8sDetails(runtimeAlertK8sDetails
 	rule.RuntimeAlertK8sDetails = runtimeAlertK8sDetails
 }
 
+func (rule *GenericRuleFailure) SetRuntimeAlertEcsDetails(runtimeAlertEcsDetails apitypes.RuntimeAlertECSDetails) {
+	rule.RuntimeAlertECSDetails = runtimeAlertEcsDetails
+}
+
 func (rule *GenericRuleFailure) SetWorkloadDetails(workloadDetails string) {
 	if workloadDetails == "" {
 		return

pkg/utils/datasource_event.go

@@ -889,3 +889,59 @@ func (e *DatasourceEvent) SetExtra(extra interface{}) {
 func (e *DatasourceEvent) SetResponse(response *http.Response) {
 	e.Response = response
 }
+
+// ECS-specific methods - implementing EnrichEvent interface
+func (e *DatasourceEvent) GetEcsClusterName() string {
+	clusterName, _ := e.getFieldAccessor("ecs.clusterName").String(e.Data)
+	return clusterName
+}
+
+func (e *DatasourceEvent) GetEcsClusterARN() string {
+	clusterARN, _ := e.getFieldAccessor("ecs.clusterARN").String(e.Data)
+	return clusterARN
+}
+
+func (e *DatasourceEvent) GetEcsTaskARN() string {
+	taskARN, _ := e.getFieldAccessor("ecs.taskARN").String(e.Data)
+	return taskARN
+}
+
+func (e *DatasourceEvent) GetEcsTaskFamily() string {
+	taskFamily, _ := e.getFieldAccessor("ecs.taskFamily").String(e.Data)
+	return taskFamily
+}
+
+func (e *DatasourceEvent) GetEcsTaskDefinitionARN() string {
+	taskDefARN, _ := e.getFieldAccessor("ecs.taskDefinitionARN").String(e.Data)
+	return taskDefARN
+}
+
+func (e *DatasourceEvent) GetEcsServiceName() string {
+	serviceName, _ := e.getFieldAccessor("ecs.serviceName").String(e.Data)
+	return serviceName
+}
+
+func (e *DatasourceEvent) GetEcsContainerName() string {
+	containerName, _ := e.getFieldAccessor("ecs.containerName").String(e.Data)
+	return containerName
+}
+
+func (e *DatasourceEvent) GetEcsContainerARN() string {
+	containerARN, _ := e.getFieldAccessor("ecs.containerARN").String(e.Data)
+	return containerARN
+}
+
+func (e *DatasourceEvent) GetEcsContainerInstance() string {
+	containerInstance, _ := e.getFieldAccessor("ecs.containerInstance").String(e.Data)
+	return containerInstance
+}
+
+func (e *DatasourceEvent) GetEcsAvailabilityZone() string {
+	availabilityZone, _ := e.getFieldAccessor("ecs.availabilityZone").String(e.Data)
+	return availabilityZone
+}
+
+func (e *DatasourceEvent) GetEcsLaunchType() string {
+	launchType, _ := e.getFieldAccessor("ecs.launchType").String(e.Data)
+	return launchType
+}

pkg/utils/events.go

@@ -46,6 +46,19 @@ type EnrichEvent interface {
 	GetPpid() uint32
 	GetUid() *uint32
 	SetExtra(extra interface{})
+
+	// ECS-specific methods
+	GetEcsClusterName() string
+	GetEcsClusterARN() string
+	GetEcsTaskARN() string
+	GetEcsTaskFamily() string
+	GetEcsTaskDefinitionARN() string
+	GetEcsServiceName() string
+	GetEcsContainerName() string
+	GetEcsContainerARN() string
+	GetEcsContainerInstance() string
+	GetEcsAvailabilityZone() string
+	GetEcsLaunchType() string
 }
 
 type BpfEvent interface {

pkg/utils/struct_event.go

@@ -670,3 +670,48 @@ func (e *StructEvent) SetExtra(extra interface{}) {
 func (e *StructEvent) SetResponse(response *http.Response) {
 	e.Response = response
 }
+
+// ECS-specific methods - implementing EnrichEvent interface
+func (e *StructEvent) GetEcsClusterName() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsClusterARN() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsTaskARN() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsTaskFamily() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsTaskDefinitionARN() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsServiceName() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsContainerName() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsContainerARN() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsContainerInstance() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsAvailabilityZone() string {
+	return ""
+}
+
+func (e *StructEvent) GetEcsLaunchType() string {
+	return ""
+}