[Backport to 2.x] Backport to 2.x #803, #918, and #914 #930

Merged
merged 3 commits into from
Mar 15, 2024
Expand Up @@ -5,6 +5,8 @@
package org.opensearch.securityanalytics.action;

import java.io.IOException;
import java.time.Instant;
import java.util.List;
import java.util.Locale;
import org.opensearch.action.ActionRequest;
import org.opensearch.action.ActionRequestValidationException;
Expand All @@ -18,9 +20,14 @@

public class GetFindingsRequest extends ActionRequest {

private List<String> findingIds;
private Instant startTime;
private Instant endTime;
private String logType;
private String detectorId;
private Table table;
private String severity;
private String detectionType;

public static final String DETECTOR_ID = "detector_id";

Expand All @@ -32,22 +39,36 @@
this(
sin.readOptionalString(),
sin.readOptionalString(),
Table.readFrom(sin)
Table.readFrom(sin),
sin.readOptionalString(),
sin.readOptionalString(),
sin.readOptionalStringList(),
sin.readOptionalInstant(),
sin.readOptionalInstant()

);
}

public GetFindingsRequest(String detectorId, String logType, Table table) {
public GetFindingsRequest(String detectorId, String logType, Table table, String severity, String detectionType, List<String> findingIds, Instant startTime, Instant endTime) {

this.detectorId = detectorId;
this.logType = logType;
this.table = table;
this.severity = severity;
this.detectionType = detectionType;
this.findingIds = findingIds;
this.startTime = startTime;
this.endTime = endTime;

}

@Override
public ActionRequestValidationException validate() {
ActionRequestValidationException validationException = null;
if ((detectorId == null || detectorId.length() == 0) && logType == null) {
if (detectorId != null && detectorId.length() == 0) {
validationException = addValidationError(String.format(Locale.getDefault(),

"detector_id is missing"),
validationException);
} else if(startTime != null && endTime != null && startTime.isAfter(endTime)) {
validationException = addValidationError(String.format(Locale.getDefault(),
"At least one of detector type or detector id needs to be passed", DETECTOR_ID),
"startTime should be less than endTime"),
validationException);
}
return validationException;
Expand All @@ -58,17 +79,42 @@
out.writeOptionalString(detectorId);
out.writeOptionalString(logType);
table.writeTo(out);
out.writeOptionalString(severity);
out.writeOptionalString(detectionType);
out.writeOptionalStringCollection(findingIds);
out.writeOptionalInstant(startTime);
out.writeOptionalInstant(endTime);

}

public String getDetectorId() {
return detectorId;
}

public String getSeverity() {
return severity;

}

public String getDetectionType() {
return detectionType;

}

public String getLogType() {
return logType;
}

public Table getTable() {
return table;
}

public List<String> getFindingIds() {
return findingIds;

}

public Instant getStartTime() {
return startTime;

}

public Instant getEndTime() {
return endTime;

}
}
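Review bot: validate() in the `@@ -32,22 +39,36 @@` hunk no longer rejects a request in which both detectorId and logType are absent — the old `(detectorId == null || detectorId.length() == 0) && logType == null` guard is replaced by one that only catches an explicitly empty detectorId, so a request carrying neither now reaches FindingsService with no validation error. If querying findings across every detector is intended, say so above the check, e.g. `// detectorId and logType are both optional; absent means findings across all detectors`; otherwise restore the combined guard. The `else if` also means an empty detectorId hides a bad time range even though addValidationError accumulates into the same exception; two independent `if` statements would report both. The closing brace of validate() lies outside the hunk.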
Expand Up @@ -4,6 +4,7 @@
*/
package org.opensearch.securityanalytics.findings;

import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
Expand All @@ -12,6 +13,7 @@
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.join.ScoreMode;
import org.opensearch.OpenSearchStatusException;
import org.opensearch.core.action.ActionListener;
import org.opensearch.client.Client;
Expand All @@ -21,6 +23,11 @@
import org.opensearch.commons.alerting.model.FindingWithDocs;
import org.opensearch.commons.alerting.model.Table;
import org.opensearch.core.rest.RestStatus;
import org.opensearch.index.query.BoolQueryBuilder;
import org.opensearch.index.query.PrefixQueryBuilder;
import org.opensearch.index.query.NestedQueryBuilder;
import org.opensearch.index.query.QueryBuilder;
import org.opensearch.index.query.QueryBuilders;
import org.opensearch.securityanalytics.action.FindingDto;
import org.opensearch.securityanalytics.action.GetDetectorAction;
import org.opensearch.securityanalytics.action.GetDetectorRequest;
Expand Down Expand Up @@ -52,7 +59,12 @@
* @param table group of search related parameters
* @param listener ActionListener to get notified on response or error
*/
public void getFindingsByDetectorId(String detectorId, Table table, ActionListener<GetFindingsResponse> listener ) {
public void getFindingsByDetectorId(String detectorId, Table table, String severity,
String detectionType,
List<String> findingIds,
Instant startTime,
Instant endTime,
ActionListener<GetFindingsResponse> listener ) {
this.client.execute(GetDetectorAction.INSTANCE, new GetDetectorRequest(detectorId, -3L), new ActionListener<>() {

@Override
Expand Down Expand Up @@ -102,6 +114,11 @@
new ArrayList<>(monitorToDetectorMapping.keySet()),
DetectorMonitorConfig.getAllFindingsIndicesPattern(detector.getDetectorType()),
table,
severity,
detectionType,
findingIds,
startTime,
endTime,
getFindingsResponseListener
);
}
Expand All @@ -126,18 +143,21 @@
List<String> monitorIds,
String findingIndexName,
Table table,
String severity,
String detectionType,
List<String> findingIds,
Instant startTime,
Instant endTime,
ActionListener<GetFindingsResponse> listener
) {

BoolQueryBuilder queryBuilder = getBoolQueryBuilder(detectionType, severity, findingIds, startTime, endTime);

org.opensearch.commons.alerting.action.GetFindingsRequest req =
new org.opensearch.commons.alerting.action.GetFindingsRequest(
null,
table,
null,
findingIndexName,
monitorIds
findingIndexName, monitorIds, queryBuilder
);

AlertingPluginInterface.INSTANCE.getFindings((NodeClient) client, req, new ActionListener<>() {
@Override
public void onResponse(
Expand All @@ -163,6 +183,59 @@

}

private static BoolQueryBuilder getBoolQueryBuilder(String detectionType, String severity, List<String> findingIds, Instant startTime, Instant endTime) {
// Construct the query within the search source builder
BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery();


if (detectionType != null && !detectionType.isBlank()) {
QueryBuilder nestedQuery;
if (detectionType.equalsIgnoreCase("threat")) {
nestedQuery = QueryBuilders.boolQuery().filter(

new PrefixQueryBuilder("queries.id", "threat_intel_")
);
} else {
nestedQuery = QueryBuilders.boolQuery().mustNot(

new PrefixQueryBuilder("queries.id", "threat_intel_")
);
}

// Create a nested query builder
NestedQueryBuilder nestedQueryBuilder = QueryBuilders.nestedQuery(

"queries",
nestedQuery,
ScoreMode.None
);

// Add the nested query to the bool query
boolQueryBuilder.must(nestedQueryBuilder);

}

if (findingIds != null && !findingIds.isEmpty()) {
boolQueryBuilder.filter(QueryBuilders.termsQuery("id", findingIds));

}


if (startTime != null && endTime != null) {
long startTimeMillis = startTime.toEpochMilli();
long endTimeMillis = endTime.toEpochMilli();
QueryBuilder timeRangeQuery = QueryBuilders.rangeQuery("timestamp")
.from(startTimeMillis) // Greater than or equal to start time
.to(endTimeMillis); // Less than or equal to end time
boolQueryBuilder.filter(timeRangeQuery);

}

if (severity != null) {
boolQueryBuilder.must(QueryBuilders.nestedQuery(

"queries",
QueryBuilders.boolQuery().should(
QueryBuilders.matchQuery("queries.tags", severity)

),
ScoreMode.None
));
}
return boolQueryBuilder;

}

void setIndicesAdminClient(Client client) {
this.client = client;
}
Expand All @@ -171,6 +244,11 @@
List<Detector> detectors,
String logType,
Table table,
String severity,
String detectionType,
List<String> findingIds,
Instant startTime,
Instant endTime,
ActionListener<GetFindingsResponse> listener
) {
if (detectors.size() == 0) {
Expand All @@ -195,6 +273,11 @@
allMonitorIds,
DetectorMonitorConfig.getAllFindingsIndicesPattern(logType),
table,
severity,
detectionType,
findingIds,
startTime,
endTime,
new ActionListener<>() {
@Override
public void onResponse(GetFindingsResponse getFindingsResponse) {
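Review bot: The time filter in getBoolQueryBuilder (`@@ -163,6 +183,59 @@` hunk) is only applied when both startTime and endTime are non-null, so a caller that passes just one bound silently gets an unfiltered result instead of an open-ended range. A range query accepts either bound on its own; the rewrite below applies whichever is present. In the same method any detectionType other than "threat" is treated as the non-threat case, and severity is guarded with `!= null` while detectionType uses `isBlank()` — worth aligning the two guards and rejecting unknown detectionType values rather than guessing. The `matchQuery("queries.tags", severity)` runs an analyzed match rather than an exact term match, so it may match more tags than the caller intended; confirm against the findings index mapping.
```java
if (startTime != null || endTime != null) {
    var timeRangeQuery = QueryBuilders.rangeQuery("timestamp");
    if (startTime != null) {
        timeRangeQuery.from(startTime.toEpochMilli()); // greater than or equal to start time
    }
    if (endTime != null) {
        timeRangeQuery.to(endTime.toEpochMilli()); // less than or equal to end time
    }
    boolQueryBuilder.filter(timeRangeQuery);
}
// … unchanged: severity nested query and return …
```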
Expand Up @@ -5,6 +5,10 @@
package org.opensearch.securityanalytics.resthandler;

import java.io.IOException;
import java.time.DateTimeException;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import org.opensearch.client.node.NodeClient;
Expand Down Expand Up @@ -40,6 +44,35 @@
int size = request.paramAsInt("size", 20);
int startIndex = request.paramAsInt("startIndex", 0);
String searchString = request.param("searchString", "");
String severity = request.param("severity", null);
String detectionType = request.param("detectionType", null);
List<String> findingIds = null;

if (request.param("findingIds") != null) {
findingIds = Arrays.asList(request.param("findingIds").split(","));

}
Instant startTime = null;
String startTimeParam = request.param("startTime");

if (startTimeParam != null && !startTimeParam.isEmpty()) {
try {
startTime = Instant.ofEpochMilli(Long.parseLong(startTimeParam));
} catch (NumberFormatException | NullPointerException | DateTimeException e) {

// Handle the parsing error
// For example, log the error or provide a default value
startTime = Instant.now(); // Default value or fallback
}

}

Instant endTime = null;
String endTimeParam = request.param("endTime");

if (endTimeParam != null && !endTimeParam.isEmpty()) {
try {
endTime = Instant.ofEpochMilli(Long.parseLong(endTimeParam));
} catch (NumberFormatException | NullPointerException | DateTimeException e) {

// Handle the parsing error
// For example, log the error or provide a default value
endTime = Instant.now(); // Default value or fallback
}

}

Table table = new Table(
sortOrder,
Expand All @@ -53,7 +86,12 @@
GetFindingsRequest req = new GetFindingsRequest(
detectorId,
detectorType,
table
table,
severity,
detectionType,
findingIds,
startTime,
endTime
);

return channel -> client.execute(
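Review bot: A malformed startTime or endTime in the `@@ -40,6 +44,35 @@` hunk is silently replaced by `Instant.now()`, which turns a client error into a different, valid-looking query — a garbage startTime becomes a window starting now (usually empty), a garbage endTime quietly widens to the present, and the caller is never told. Reject the value instead; an IllegalArgumentException thrown from a REST handler is, as far as I recall, mapped to a 400 by the base handler, but confirm that before relying on it. The NullPointerException catch is unreachable after the null/empty guard and can go. The two parse blocks are identical, so a small class-level helper removes the duplication; the enclosing method starts and ends outside the hunk.
```java
// … unchanged: size, startIndex, searchString, severity, detectionType, findingIds …
Instant startTime = parseEpochMillisParam(request.param("startTime"), "startTime");
Instant endTime = parseEpochMillisParam(request.param("endTime"), "endTime");
// … unchanged: Table and GetFindingsRequest construction …

/**
 * Parses an epoch-millisecond query parameter.
 *
 * @return the parsed instant, or null when the parameter is absent or empty
 * @throws IllegalArgumentException when the value is not a valid epoch-millisecond timestamp
 */
private static Instant parseEpochMillisParam(String value, String paramName) {
    if (value == null || value.isEmpty()) {
        return null;
    }
    try {
        return Instant.ofEpochMilli(Long.parseLong(value));
    } catch (NumberFormatException | DateTimeException e) {
        throw new IllegalArgumentException(
            "Invalid value [" + value + "] for parameter [" + paramName + "]: expected epoch milliseconds", e);
    }
}
```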