Fix: Search not reported events also by previous names of a group. (Redmine issue: #7200)

lib/mentat/reports/event.py

@@ -486,7 +486,7 @@ class EventReporter(BaseReporter):
         count, events = self.eventservice.search_events({
             'st_from':        time_l,
             'st_to':          time_h,
-            'groups':         [abuse_group.name],
+            'groups':         self._get_previous_names(abuse_group),
             'severities':     [severity],
             'categories':     ['Test'],
             'not_categories': not testdata

lib/mentat/reports/test_event.py

@@ -31,7 +31,7 @@ import mentat.idea.internal
 import mentat.reports.utils
 import mentat.reports.event
 from mentat.datatype.sqldb import GroupModel, FilterModel, NetworkModel, \
-    SettingsReportingModel, EventReportModel
+    SettingsReportingModel, EventReportModel, UserModel, ItemChangeLogModel
 from pynspect.jpath import jpath_values
 
 #-------------------------------------------------------------------------------
@@ -120,6 +120,37 @@ class TestMentatReportsEvent(unittest.TestCase):
                 'EventClass' : 'anomaly-traffic',
                 'EventSeverity': 'low'
             }
+        },
+        {
+            'Format': 'IDEA0',
+            'ID': 'msg03',
+            'DetectTime': '2022-02-01T13:00:00Z',
+            'Category': ['Recon.Scanning'],
+            'Description': 'Synthetic example 03',
+            'Source': [
+                {
+                    'IP4': ['9.9.0.0-9.9.255.255']
+                }
+            ],
+            'Target': [
+                {
+                    'IP4': ['11.2.2.0/24']
+                }
+            ],
+            'Node': [
+                {
+                    'Name': 'org.example.dionaea',
+                    'SW': ['Dionaea']
+                }
+            ],
+            'Note': 'Test note containing ; CSV delimiter.',
+            '_Mentat' : {
+                'ResolvedAbuses' : [
+                    'DEMO_GROUP'
+                ],
+                'EventClass' : 'anomaly-traffic',
+                'EventSeverity': 'low'
+            }
         }
     ]
 
@@ -157,15 +188,42 @@ class TestMentatReportsEvent(unittest.TestCase):
             self.eventstorage.insert_event(event)
 
         group = GroupModel(name = 'abuse@cesnet.cz',  source = 'manual', description = 'CESNET, z.s.p.o.')
-        groups_dict = {'abuse@cesnet.cz': group}
+        group2 = GroupModel(name = 'abuse@example.com',  source = 'manual', description = 'Test group')
+        groups_dict = {'abuse@cesnet.cz': group, 'abuse@example.com': group2}
 
         FilterModel(group = group, name = 'FLT1', type = 'basic', filter = 'Node.Name == "org.example.kippo_honey"', description = 'DESC1', enabled = True)
         FilterModel(group = group, name = 'FLT2', type = 'basic', filter = 'Source.IP4 IN [10.0.0.0/24]', description = 'DESC2', enabled = True)
         FilterModel(group = group, name = 'FLT3', type = 'basic', filter = 'Source.IP4 IN [10.0.1.0/28]', description = 'DESC3', enabled = True)
         NetworkModel(group = group, netname = 'UNET1', source = 'manual', network = '10.0.0.0/8')
+        NetworkModel(group = group2, netname = 'UNET2', source = 'manual', network = '9.9.0.0/16')
         SettingsReportingModel(group = group)
+        SettingsReportingModel(group = group2)
+
+        # Create simple user and a changelog capturing renaming of a group.
+        test_user = UserModel(login = 'test_user_123', fullname = 'Test User', email = 'user@example.com', organization = 'example.com')
+        ItemChangeLogModel(
+            author = test_user,
+            model_id = 2,
+            model = 'GroupModel',
+            endpoint = 'groups.update',
+            module = 'groups',
+            operation = 'update',
+            # Use simplified dictionary containing just one attribute.
+            before = '''{
+                "name": "DEMO_GROUP"
+            }''',
+            after = '''{
+                "name": "abuse@example.com"
+            }''',
+            diff = '''{
+                -"name": "DEMO_GROUP"
+                +"name": "abuse@example.com"
+            }'''
+        )
 
         self.sqlstorage.session.add(group)
+        self.sqlstorage.session.add(group2)
+        self.sqlstorage.session.add(test_user)
         self.sqlstorage.session.commit()
 
         self.reporting_settings = mentat.reports.utils.ReportingSettings(group)
@@ -338,6 +396,7 @@ class TestMentatReportsEvent(unittest.TestCase):
         self.maxDiff = None
 
         abuse_group = self.sqlstorage.session.query(GroupModel).filter(GroupModel.name == 'abuse@cesnet.cz').one()
+        abuse_group2 = self.sqlstorage.session.query(GroupModel).filter(GroupModel.name == 'abuse@example.com').one()
         self.sqlstorage.session.commit()
 
         events = self.reporter.fetch_severity_events(
@@ -348,6 +407,15 @@ class TestMentatReportsEvent(unittest.TestCase):
         )
         self.assertEqual(list(map(lambda x: x['ID'], events)), ['msg01', 'msg02'])
 
+        # Fetch severity events with the previous name of the abuse group.
+        events = self.reporter.fetch_severity_events(
+            abuse_group2,
+            'low',
+            datetime.datetime.utcnow() - datetime.timedelta(seconds = 7200),
+            datetime.datetime.utcnow() + datetime.timedelta(seconds = 7200)
+        )
+        self.assertEqual(list(map(lambda x: x['ID'], events)), ['msg03'])
+
         events = self.reporter.fetch_severity_events(
             abuse_group,
             'medium',