django-nativemojo 0.1.10__py3-none-any.whl

mojo/apps/incident/models/rule.py

@@ -0,0 +1,247 @@
+from django.db import models
+from mojo.models import MojoModel
+from urllib.parse import urlparse, parse_qs
+from mojo.apps.incident.handlers import TaskHandler, EmailHandler, NotifyHandler
+import re
+
+
+class RuleSet(models.Model, MojoModel):
+    """
+    A RuleSet represents a collection of rules that are applied to events.
+    This model supports categorizing and prioritizing sets of rules to be checked against events.
+
+    Attributes:
+        created (datetime): The timestamp when the RuleSet was created.
+        modified (datetime): The timestamp when the RuleSet was last modified.
+        priority (int): The priority of the RuleSet. Lower numbers indicate higher priority.
+        category (str): The category to which this RuleSet belongs.
+        name (str): The name of the RuleSet.
+        bundle (int): Indicator of whether events should be bundled. 0 means bundling is off.
+        bundle_by (int): Defines how events are bundled.
+                         0=none, 1=hostname, 2=model, 3=model and hostname.
+        match_by (int): Defines the matching behavior for events.
+                        0 for all rules must match, 1 for any rule can match.
+        handler (str): A field specifying a chain of handlers to process the event,
+                       formatted as URL-like strings, e.g.,
+                       task://handler_name?param1=value1&param2=value2.
+                       Handlers are separated by commas, and they can include
+                       different schemes like email or notify.
+        metadata (json): A JSON field to store additional metadata about the RuleSet.
+    """
+
+    created = models.DateTimeField(auto_now_add=True)
+    modified = models.DateTimeField(auto_now=True)
+    priority = models.IntegerField(default=0, db_index=True)
+    category = models.CharField(max_length=124, db_index=True)
+    name = models.TextField(default=None, null=True)
+    bundle_minutes = models.IntegerField(default=0)  # 0=off
+    # 0=none, 1=hostname, 2=model_name, 3=model_name and model_id, 4=source_ip
+    # 5=hostname and model_name, 6=hostname and model_name and model_id,
+    # 7=source_ip and model_name, 8=source_ip and model_name and model_id
+    # 9=source_ip and hostname
+    bundle_by = models.IntegerField(default=3)
+    match_by = models.IntegerField(default=0)  # 0=all, 1=any
+    # handler syntax is a url like string that can be chained by commas
+    # task://handler_name?param1=value1&param2=value2
+    # email://user@example.com
+    # notify://perm@permission,user@example.com,task://handler_name?param1=value1&param2=value2
+    handler = models.TextField(default=None, null=True)
+    metadata = models.JSONField(default=dict, blank=True)
+
+    class RestMeta:
+        SEARCH_FIELDS = ["name"]
+        VIEW_PERMS = ["view_incidents"]
+        CREATE_PERMS = None
+
+    def run_handler(self, event, incident=None):
+        """
+        Runs the handler for this rule.
+
+        Args:
+            event (Event): The event to run the handler for.
+
+        Returns:
+            bool: True if the handler was successfully run, False otherwise.
+        """
+        if not self.handler:
+            return False
+        try:
+            handler_url = urlparse(self.handler)
+            handler_type = handler_url.scheme
+            handler_params = parse_qs(handler_url.query)
+            if handler_type == "task":
+                handler_name = handler_url.netloc
+                handler_params = {k: v[0] for k, v in handler_params.items()}
+                handler = TaskHandler(handler_name, **handler_params)
+            elif handler_type == "email":
+                handler = EmailHandler(handler_url.netloc)
+            elif handler_type == "notify":
+                handler = NotifyHandler(handler_url.netloc)
+            else:
+                raise ValueError(f"Unsupported handler type: {handler_type}")
+            return handler.run(event)
+        except Exception as e:
+            # logger.error(f"Error running handler for rule {self.id}: {e}")
+            return False
+
+    def check_rules(self, event):
+        """
+        Checks if an event satisfies the rules in this RuleSet based
+        on the match_by configuration.
+
+        Args:
+            event (Event): The event to check against the RuleSet.
+
+        Returns:
+            bool: True if the event matches the RuleSet, False otherwise.
+        """
+        if self.match_by == 0:
+            return self.check_all_match(event)
+        return self.check_any_match(event)
+
+    def check_all_match(self, event):
+        """
+        Checks if an event satisfies all rules in this RuleSet.
+
+        Args:
+            event (Event): The event to check.
+
+        Returns:
+            bool: True if the event matches all rules, False otherwise.
+        """
+        if not self.rules.exists():
+            return False
+        return all(rule.check_rule(event) for rule in self.rules.all())
+
+    def check_any_match(self, event):
+        """
+        Checks if an event satisfies any rule in this RuleSet.
+
+        Args:
+            event (Event): The event to check.
+
+        Returns:
+            bool: True if the event matches any rule, False otherwise.
+        """
+        if not self.rules.exists():
+            return False
+        return any(rule.check_rule(event) for rule in self.rules.all())
+
+    @classmethod
+    def check_by_category(cls, category, event):
+        """
+        Iterates over RuleSets in a category ordered by priority, checking
+        if the event satisfies any of the RuleSets.
+
+        Args:
+            category (str): The category of the RuleSets to check.
+            event (Event): The event to check.
+
+        Returns:
+            RuleSet: The first RuleSet that matches the event, or None if no matches are found.
+        """
+        for rule_set in cls.objects.filter(category=category).order_by("priority"):
+            if rule_set.check_rules(event):
+                return rule_set
+        return None
+
+
+class Rule(models.Model, MojoModel):
+    """
+    A Rule represents a single condition that can be checked against an event.
+    Each rule belongs to a specific RuleSet and defines how to compare event data fields.
+
+    Attributes:
+        created (datetime): The timestamp when the Rule was created.
+        modified (datetime): The timestamp when the Rule was last modified.
+        parent (RuleSet): The RuleSet to which this Rule belongs.
+        name (str): The name of the Rule.
+        index (int): The order in which this Rule should be checked within its RuleSet.
+        comparator (str): The operation used to compare the event field value with a target value.
+        field_name (str): The name of the field in the event to check against.
+        value (str): The target value to compare the event field value with.
+        value_type (str): The type of the target value (e.g., int, float).
+        is_required (int): Indicates if this Rule is mandatory for an event to match. 0=no, 1=yes.
+    """
+
+    created = models.DateTimeField(auto_now_add=True)
+    modified = models.DateTimeField(auto_now=True)
+    parent = models.ForeignKey(RuleSet, on_delete=models.CASCADE, related_name="rules")
+    name = models.TextField(default=None, null=True)
+    index = models.IntegerField(default=0, db_index=True)
+    comparator = models.CharField(max_length=32, default="==")
+    field_name = models.CharField(max_length=124, default=None, null=True)
+    value = models.CharField(max_length=124, default="")
+    value_type = models.CharField(max_length=10, default="int")
+    is_required = models.IntegerField(default=0)  # 0=no 1=yes
+
+    class RestMeta:
+        SEARCH_FIELDS = ["details"]
+        VIEW_PERMS = ["view_incidents"]
+        CREATE_PERMS = ["manage_incidents"]
+
+    def check_rule(self, event):
+        """
+        Checks if a field in the event matches the criteria defined in this Rule.
+
+        Args:
+            event (Event): The event to check.
+
+        Returns:
+            bool: True if the event field matches the criteria, False otherwise.
+        """
+        field_value = event.metadata.get(self.field_name, None)
+        if field_value is None:
+            return False
+
+        comp_value = self.value
+        field_value, comp_value = self._convert_values(field_value, comp_value)
+
+        if field_value is None or comp_value is None:
+            return False
+
+        return self._compare(field_value, comp_value)
+
+    def _convert_values(self, field_value, comp_value):
+        """
+        Converts the field and comparison values to the appropriate types.
+
+        Args:
+            field_value: The value from the event to be converted.
+            comp_value: The value defined in the Rule for comparison.
+
+        Returns:
+            tuple: A tuple containing the converted field and comparison values.
+        """
+        if self.comparator != "contains":
+            try:
+                if self.value_type == "int":
+                    return int(field_value), int(comp_value)
+                elif self.value_type == "float":
+                    return float(field_value), float(comp_value)
+            except ValueError:
+                return None, None
+        return field_value, comp_value
+
+    def _compare(self, field_value, comp_value):
+        """
+        Compares the field value to the comparison value using the specified comparator.
+
+        Args:
+            field_value: The value from the event to compare.
+            comp_value: The target value defined in the Rule for comparison.
+
+        Returns:
+            bool: True if the comparison is successful, False otherwise.
+        """
+        comparators = {
+            "==": field_value == comp_value,
+            "eq": field_value == comp_value,
+            ">": field_value > comp_value,
+            ">=": field_value >= comp_value,
+            "<": field_value < comp_value,
+            "<=": field_value <= comp_value,
+            "contains": str(comp_value) in str(field_value),
+            "regex": re.search(str(comp_value), str(field_value), re.IGNORECASE) is not None,
+        }
+        return comparators.get(self.comparator, False)

mojo/apps/incident/parsers/ossec/__init__.py

@@ -0,0 +1 @@
+from .core import parse_incoming_alert as parse

mojo/apps/incident/parsers/ossec/core.py

@@ -0,0 +1,82 @@
+# parser_core.py
+from . import rules, utils
+from .parsed import ParsedAlert
+from objict import objict
+
+def parse_incoming_alert(data):
+    if "batch" in data:
+        alerts = []
+        for item in data["batch"]:
+            alerts.append(parse_incoming_alert(item))
+        return alerts
+
+    alert = ParsedAlert(parse_alert_json(data))
+    if utils.ignore_alert(alert):
+        return None
+
+    details = utils.parse_rule_details(alert.text)
+    for key, value in details.items():
+        if key not in alert:
+            alert[key] = value
+    alert.update(details)
+    if not alert.title:
+        return None
+
+    alert.update(parse_alert_metadata(alert))
+    alert.normalize_fields()
+
+    update_by_rule(alert)
+
+    return alert
+
+
+def parse_alert_metadata(alert):
+    rule_id = str(alert.rule_id)
+
+    # Try exact match first: parse_rule_2501
+    func_name = f"parse_rule_{rule_id}"
+    if hasattr(rules, func_name):
+        return getattr(rules, func_name)(alert)
+
+    # Optional: try prefix-based match
+    for i in range(len(rule_id), 1, -1):  # e.g., 31151 → 3115 → 311 → 31
+        fallback_func = f"parse_rule_{rule_id[:i]}_default"
+        if hasattr(rules, fallback_func):
+            return getattr(rules, fallback_func)(alert)
+
+    # Fallback to generic matching
+    return utils.match_patterns(utils.DEFAULT_META_PATTERNS, alert.text)
+
+
+def update_by_rule(alert, geoip=None):
+    rule_id = str(alert.rule_id)
+    func_name = f"update_rule_{rule_id}"
+    if hasattr(rules, func_name):
+        getattr(rules, func_name)(alert, geoip)
+        return
+
+    for i in range(len(rule_id), 1, -1):
+        fallback_func = f"update_rule_{rule_id[:i]}_default"
+        if hasattr(rules, fallback_func):
+            getattr(rules, fallback_func)(alert, geoip)
+            return
+
+    if hasattr(alert, 'source_ip') and alert.source_ip and alert.source_ip not in getattr(alert, 'title', ''):
+        alert.title = f"{alert.title} Source IP: {alert.source_ip}"
+
+    if hasattr(alert, 'title'):
+        alert.truncate('title')
+
+
+
+def parse_alert_json(data):
+    if isinstance(data, str):
+        data = objict.from_json(utils.remove_non_ascii(data.replace('\n', '\\n')))
+
+    for key in data:
+        if isinstance(data[key], str):
+            data[key] = data[key].strip() # .replace('\\/', '/')
+
+    if hasattr(data, 'text'):
+        data.text = utils.remove_non_ascii(data.text) # .replace('\\/', '/')
+    return data

mojo/apps/incident/parsers/ossec/parsed.py

@@ -0,0 +1,23 @@
+# parsed_alert.py
+
+from objict import objict
+
+class ParsedAlert(objict):
+    def normalize_fields(self):
+        if self.source_ip in [None, "-"] and hasattr(self, "client"):
+            self.source_ip = self.client
+        if not hasattr(self, "ext_ip") or self.ext_ip in [None, "-"]:
+            self.ext_ip = self.source_ip
+
+    def truncate(self, field, max_len=199):
+        value = getattr(self, field, "")
+        if isinstance(value, str) and len(value) > max_len:
+            value = value[:max_len]
+            value = value[:value.rfind(' ')] + "..."
+            setattr(self, field, value)
+
+    def truncate_str(self, text, max_len=199):
+        if len(text) > max_len:
+            text = text[:max_len]
+            text = text[:text.rfind(' ')] + "..."
+        return text

mojo/apps/incident/parsers/ossec/rules.py

@@ -0,0 +1,124 @@
+import re
+from .utils import parse_nginx_line, match_patterns, DEFAULT_META_PATTERNS
+
+# ---- Rule-specific handlers ----
+
+def parse_rule_2501(alert):
+    match = re.search(r'user (\w+) (\d+\.\d+\.\d+\.\d+) port (\d+)', alert.text)
+    if match:
+        return dict(username=match.group(1), source_ip=match.group(2), source_port=match.group(3))
+    return {}
+
+def parse_rule_31301(alert):
+    match = re.search(r'\((?P<error_code>\d+): (?P<error_message>.*?)\)', alert.text)
+    data = match_patterns(DEFAULT_META_PATTERNS, alert.text)
+    data["action"] = "error"
+    if match:
+        data.update(match.groupdict())
+    return data
+
+def parse_rule_31302(alert):
+    return _parse_nginx_error(alert)
+
+def parse_rule_31303(alert):
+    return _parse_nginx_error(alert)
+
+def _parse_nginx_error(alert):
+    match = re.search(r'\[(warn|crit|error)\].*?: (.*?),', alert.text)
+    data = match_patterns(DEFAULT_META_PATTERNS, alert.text)
+    if match:
+        data["action"] = match.group(1)
+        emsg = match.group(2)
+        if emsg.startswith("*"):
+            emsg = emsg.split(" ", 1)[-1]
+        data["error_message"] = emsg
+    return data
+
+def parse_rule_551(alert):
+    match = re.search(r"Integrity checksum changed for: '(\S+)'", alert.text)
+    if match:
+        return dict(filename=match.group(1), action="changed")
+    return {}
+
+def parse_rule_554(alert):
+    match = re.search(r"New file '(\S+)' added", alert.text)
+    if match:
+        return dict(filename=match.group(1), action="added")
+    return {}
+
+def parse_rule_5402(alert):
+    match = re.search(r'(?P<username>[\w-]+) : PWD=(?P<pwd>\S+) ; USER=(?P<user>\w+) ; COMMAND=(?P<command>.+)', alert.text)
+    if match:
+        return match.groupdict()
+    match = re.search(r'(?P<username>[\w-]+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<user>\w+) ; COMMAND=(?P<command>.+)', alert.text)
+    if match:
+        return match.groupdict()
+    return {}
+
+def parse_rule_5501(alert):
+    return _parse_session_action(alert)
+
+def parse_rule_5502(alert):
+    return _parse_session_action(alert)
+
+def _parse_session_action(alert):
+    match = re.search(r"session (?P<action>\S+) for user (?P<username>\S+)*", alert.text)
+    if match:
+        return match.groupdict()
+    return {}
+
+def parse_rule_5704(alert):
+    return _parse_src_ip_port(alert)
+
+def parse_rule_5705(alert):
+    return _parse_src_ip_port(alert)
+
+def _parse_src_ip_port(alert):
+    match = re.search(r"(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<source_port>\d+)", alert.text)
+    if match:
+        return match.groupdict()
+    return {}
+
+def parse_rule_5715(alert):
+    match = re.search(r'Accepted publickey for (?P<username>\S+) from (?P<source_ip>\d+\.\d+\.\d+\.\d+) .*: (?P<ssh_key_type>\S+) (?P<ssh_signature>\S+)', alert.text)
+    if match:
+        return match.groupdict()
+    return {}
+
+def parse_rule_2932(alert):
+    match = re.search(r"Installed: (\S+)", alert.text)
+    if match:
+        return dict(package=match.group(1))
+    return {}
+
+# ---- Prefix-based default handlers ----
+
+def parse_rule_311_default(alert):
+    data = parse_nginx_line(alert.text)
+    return data if data else {}
+
+
+
+def update_rule_2501(alert, geoip=None):
+    alert.title = f"SSH Auth Attempt {alert.username}@{alert.hostname} from {alert.src_ip}"
+
+def update_rule_2503(alert, geoip=None):
+    alert.title = f"SSH Auth Blocked from {alert.source_ip}"
+
+def update_rule_31101(alert, geoip=None):
+    alert.title = f"Web {alert.http_status} {alert.http_method} {alert.http_url} from {alert.src_ip}"
+
+def update_rule_31104(alert, geoip=None):
+    alert.title = f"Web Attack {alert.http_status} {alert.http_method} {alert.http_url} from {alert.src_ip}"
+
+def update_rule_31111(alert, geoip=None):
+    if geoip and geoip.isp:
+        alert.title = f"No referrer for .js - {alert.http_status} {alert.http_method} {alert.http_url} from {alert.src_ip}({geoip.isp})"
+    else:
+        alert.title = f"No referrer for .js - {alert.http_status} {alert.http_method} {alert.http_url} from {alert.src_ip}"
+
+def update_rule_311_default(alert, geoip=None):
+    if not alert.http_status:
+        return
+    url = alert.truncate_str(alert.http_url, 50)
+    alert.title = f"Web {alert.http_status} {alert.http_method} {url} from {alert.src_ip}"

mojo/apps/incident/parsers/ossec/utils.py

@@ -0,0 +1,169 @@
+import re
+from objict import objict
+
+# -------------------------------
+# JSON Parsing & Normalization
+# -------------------------------
+
+def remove_non_ascii(input_str, replacement=''):
+    """
+    Replace all non-ASCII characters and escaped byte sequences with a replacement.
+    """
+    # Replace escaped byte sequences like \xHH
+    cleaned_str = re.sub(r'\\x[0-9a-fA-F]{2}', replacement, input_str)
+    return ''.join(
+        char if (32 <= ord(char) < 128 or char in '\n\r\t')
+        else f"<r{ord(char)}>"
+        for char in cleaned_str
+    )
+
+def parse_alert_json(data):
+    """
+    Convert JSON (string or obj) into objict, removing non-ASCII content and normalizing fields.
+    """
+    try:
+        if isinstance(data, str):
+            data = objict.from_json(remove_non_ascii(data.replace('\n', '\\n')))
+    except Exception:
+        data = objict.from_json(remove_non_ascii(data))
+
+    for key in data:
+        if isinstance(data[key], str):
+            data[key] = data[key].strip()
+
+    if hasattr(data, 'text'):
+        data.text = remove_non_ascii(data.text)
+
+    return data
+
+# -------------------------------
+# Rule Details Parsing
+# -------------------------------
+
+def parse_alert_id(details):
+    """
+    Extract the alert ID (float string) from a log message.
+    """
+    match = re.search(r"Alert (\d+\.\d+):", details)
+    return match.group(1) if match else ""
+
+def parse_rule_details(details):
+    """
+    Extract rule_id, level, and title from the Rule line in OSSEC logs.
+    """
+    # alert_id = parse_alert_id(details)
+    rule_pattern = r"Rule: (\d+) \(level (\d+)\) -> '([^']+)'"
+    match = re.search(rule_pattern, details)
+    if match:
+        return objict(
+            rule_id=int(match.group(1)),
+            level=int(match.group(2)),
+            title=match.group(3)
+        )
+    return objict()
+
+# -------------------------------
+# Generic Pattern Matching
+# -------------------------------
+
+DEFAULT_META_PATTERNS = {
+    "source_ip": re.compile(r"Src IP: (\S+)"),
+    "source_port": re.compile(r"Src Port: (\S+)"),
+    "user": re.compile(r"User: (\S+)"),
+    "http_path": re.compile(r"request: (\S+ \S+)"),
+    "http_server": re.compile(r"server: (\S+),"),
+    "http_host": re.compile(r"host: (\S+)"),
+    "http_referrer": re.compile(r"referrer: (\S+),"),
+    "client": re.compile(r"client: (\S+),"),
+    "upstream": re.compile(r"upstream: (\S+),")
+}
+
+def match_patterns(patterns, text):
+    """
+    Apply regex patterns to a given string and return matched named groups.
+    """
+    return {
+        key: match.group(1)
+        for key, pattern in patterns.items()
+        if (match := pattern.search(text))
+    }
+
+# -------------------------------
+# NGINX Log Parsing
+# -------------------------------
+
+NGINX_PARSE_PATTERN = re.compile(
+    r'(?P<source_ip>\d+\.\d+\.\d+\.\d+) - - \[(?P<http_time>.+?)\] '
+    r'(?P<http_method>\w+) (?P<http_url>.+?) (?P<http_protocol>[\w/.]+) '
+    r'(?P<http_status>\d+) (?P<http_bytes>\d+) (?P<http_referer>.+?) '
+    r'(?P<user_agent>.+?) (?P<http_elapsed>\d\.\d{3})'
+)
+
+def parse_nginx_line(line):
+    """
+    Attempt to parse an NGINX access log line into a structured dict.
+    Supports multiline input by splitting and scanning each.
+    """
+    lines = line.splitlines()
+    for l in lines:
+        match = NGINX_PARSE_PATTERN.match(l)
+        if match:
+            return match.groupdict()
+    return None
+
+def extract_url(text):
+    """
+    Extracts a full URL from a line that includes an HTTP method and version.
+    Example match: 'GET https://example.com/path HTTP/1.1'
+    """
+    match = re.search(r"(GET|POST|DELETE|PUT)\s+(https?://[^\s]+)\s+HTTP/\d\.\d", text)
+    return match.group(2) if match else None
+
+def extract_domain(text):
+    """
+    Extracts the domain from a full URL (e.g. 'https://example.com/path' → 'example.com').
+    """
+    match = re.search(r"https?://([^/:]+)", text)
+    return match.group(1) if match else None
+
+def extract_ip(text):
+    """
+    Extracts the first IPv4 address found in a string.
+    """
+    match = re.search(r"\b((?:[0-9]{1,3}\.){3}[0-9]{1,3})\b", text)
+    return match.group(1) if match else None
+
+def extract_url_path(text):
+    """
+    Extracts the path component from a URL (e.g. 'https://example.com/foo/bar?q=1' → '/foo/bar').
+    """
+    match = re.search(r"https?://[^/]+(/[^?]*)", text)
+    return match.group(1) if match else None
+
+def extract_user_agent(text):
+    """
+    Attempts to extract a user agent string following a NGINX-style referrer '-' marker.
+    Only works for logs like: '... '-' <user agent> 1.234 200'
+    """
+    match = re.search(r"' - (.+?) \d+\.\d+ \d+'", text)
+    return match.group(1) if match else None
+
+
+IGNORE_RULES = {
+    "100020",
+}
+
+def ignore_alert(alert):
+    """
+    Returns True if this alert should be ignored based on known rule exclusions
+    or content patterns.
+    """
+    rule_id = str(alert.rule_id)
+
+    if rule_id in IGNORE_RULES:
+        return True
+
+    if rule_id == "510" and "/dev/.mount/utab" in alert.text:
+        return True
+
+    return False

mojo/apps/incident/reporter.py

@@ -0,0 +1,42 @@
+
+def report_event(details, title=None, category="api_error", level=1, request=None, **kwargs):
+    from .models import Event
+    event_data = _create_event_dict(details, title, category, level, request, **kwargs)
+    event = Event(**event_data)
+    event.sync_metadata()
+    event.save()
+    event.publish()
+
+
+def _create_event_dict(details, title=None, category="api_error", level=1, request=None, **kwargs):
+    if title is None:
+        title = details[:50]
+
+    event_data = {
+        "details": details,
+        "title": title,
+        "category": category,
+        "level": level,
+        "hostname": kwargs.pop("hostname", None),
+        "model_name": kwargs.pop("model_name", None),
+        "model_id": kwargs.pop("model_id", None),
+        "source_ip": kwargs.pop("source_ip", None)
+    }
+
+    event_metadata = {}
+
+    if request:
+        event_data["source_ip"] = request.ip if event_data["source_ip"] is None else event_data["source_ip"]
+        event_metadata.update({
+            "request_ip": request.ip,
+            "http_path": request.path,
+            "http_protocol": request.META.get("SERVER_PROTOCOL", ""),
+            "http_method": request.method,
+            "http_query_string": request.META.get("QUERY_STRING", ""),
+            "http_user_agent": request.META.get("HTTP_USER_AGENT", ""),
+            "http_host": request.META.get("HTTP_HOST", "")
+        })
+
+    event_metadata.update({k: v for k, v in kwargs.items() if k not in event_data})
+    event_data['metadata'] = event_metadata
+    return event_data