APIs added for Alerts in Correlations

Signed-off-by: Riya Saxena <[email protected]>

src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java

@@ -218,7 +218,8 @@ public List<RestHandler> getRestHandlers(Settings settings,
                 new RestIndexCustomLogTypeAction(),
                 new RestSearchCustomLogTypeAction(),
                 new RestDeleteCustomLogTypeAction(),
-                new RestGetCorrelationsAlertsAction()
+                new RestGetCorrelationsAlertsAction(),
+                new RestAcknowledgeCorrelationAlertsAction()
         );
     }
 
@@ -340,7 +341,8 @@ public List<Setting<?>> getSettings() {
                 new ActionHandler<>(SearchCustomLogTypeAction.INSTANCE, TransportSearchCustomLogTypeAction.class),
                 new ActionHandler<>(DeleteCustomLogTypeAction.INSTANCE, TransportDeleteCustomLogTypeAction.class),
                 new ActionHandler<>(PutTIFJobAction.INSTANCE, TransportPutTIFJobAction.class),
-                new ActionPlugin.ActionHandler<>(GetCorrelationAlertsAction.INSTANCE, TransportGetCorrelationAlertsAction.class)
+                new ActionPlugin.ActionHandler<>(GetCorrelationAlertsAction.INSTANCE, TransportGetCorrelationAlertsAction.class),
+                new ActionPlugin.ActionHandler<>(CorrelationAckAlertsAction.INSTANCE, TransportAckCorrelationAlertsAction.class)
         );
     }
 

src/main/java/org/opensearch/securityanalytics/action/CorrelationAckAlertsAction.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.securityanalytics.action;
+
+import org.opensearch.action.ActionType;
+
+/**
+ * Acknowledge Alert Action
+ */
+public class CorrelationAckAlertsAction extends ActionType<CorrelationAckAlertsResponse> {
+    public static final String NAME = "cluster:admin/opensearch/securityanalytics/correlationAlerts/ack";
+    public static final CorrelationAckAlertsAction INSTANCE = new CorrelationAckAlertsAction();
+
+    public CorrelationAckAlertsAction() {
+        super(NAME, CorrelationAckAlertsResponse::new);
+    }
+}
+

src/main/java/org/opensearch/securityanalytics/action/CorrelationAckAlertsRequest.java

@@ -0,0 +1,52 @@
+package org.opensearch.securityanalytics.action;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.action.ValidateActions;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+public class CorrelationAckAlertsRequest extends ActionRequest {
+    private final List<String> correlationAlertIds;
+
+    public CorrelationAckAlertsRequest(List<String> correlationAlertIds) {
+        this.correlationAlertIds = correlationAlertIds;
+    }
+
+    public CorrelationAckAlertsRequest(StreamInput in) throws IOException {
+        correlationAlertIds = Collections.unmodifiableList(in.readStringList());
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if(correlationAlertIds == null || correlationAlertIds.isEmpty()) {
+            validationException = ValidateActions.addValidationError("alert ids list cannot be empty", validationException);
+        }
+        return validationException;
+    }
+
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeStringCollection(this.correlationAlertIds);
+    }
+
+    public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
+        return builder.startObject()
+                .field("correlation_alert_ids", correlationAlertIds)
+                .endObject();
+    }
+
+    public static AckAlertsRequest readFrom(StreamInput sin) throws IOException {
+        return new AckAlertsRequest(sin);
+    }
+
+    public List<String> getCorrelationAlertIds() {
+        return correlationAlertIds;
+    }
+}

src/main/java/org/opensearch/securityanalytics/action/CorrelationAckAlertsResponse.java

@@ -0,0 +1,52 @@
+package org.opensearch.securityanalytics.action;
+
+import org.opensearch.commons.alerting.model.CorrelationAlert;
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+public class CorrelationAckAlertsResponse  extends ActionResponse implements ToXContentObject {
+
+    private final List<CorrelationAlert> acknowledged;
+    private final List<CorrelationAlert> failed;
+
+    public CorrelationAckAlertsResponse(List<CorrelationAlert> acknowledged, List<CorrelationAlert> failed) {
+        this.acknowledged = acknowledged;
+        this.failed = failed;
+    }
+
+    public CorrelationAckAlertsResponse(StreamInput sin) throws IOException {
+        this(
+                Collections.unmodifiableList(sin.readList(CorrelationAlert::new)),
+                Collections.unmodifiableList(sin.readList(CorrelationAlert::new))
+        );
+    }
+
+    @Override
+    public void writeTo(StreamOutput streamOutput) throws IOException {
+        streamOutput.writeList(this.acknowledged);
+        streamOutput.writeList(this.failed);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject()
+                .field("acknowledged",this.acknowledged)
+                .field("failed",this.failed);
+        return builder.endObject();
+    }
+
+    public List<CorrelationAlert> getAcknowledged() {
+        return acknowledged;
+    }
+
+    public List<CorrelationAlert> getFailed() {
+        return failed;
+    }
+}

src/main/java/org/opensearch/securityanalytics/action/GetCorrelationAlertsRequest.java

@@ -58,9 +58,9 @@ public GetCorrelationAlertsRequest(StreamInput sin) throws IOException {
     @Override
     public ActionRequestValidationException validate() {
         ActionRequestValidationException validationException = null;
-        if ((correlationRuleId == null || correlationRuleId.length() == 0)) {
+        if ((correlationRuleId != null && correlationRuleId.isEmpty())) {
             validationException = addValidationError(String.format(Locale.getDefault(),
-                            "At least one of correlation rule id needs to be passed", CORRELATION_RULE_ID),
+                            "Correlation ruleId is empty or not valid", CORRELATION_RULE_ID),
                     validationException);
         }
         return validationException;

src/main/java/org/opensearch/securityanalytics/action/GetCorrelationAlertsResponse.java

@@ -1,18 +1,20 @@
 package org.opensearch.securityanalytics.action;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.opensearch.commons.alerting.model.CorrelationAlert;
 import org.opensearch.core.action.ActionResponse;
 import org.opensearch.core.common.io.stream.StreamInput;
 import org.opensearch.core.common.io.stream.StreamOutput;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
-
 import java.io.IOException;
 import java.util.Collections;
 import java.util.List;
 
 public class GetCorrelationAlertsResponse  extends ActionResponse implements ToXContentObject {
 
+    private static final Logger log = LogManager.getLogger(GetCorrelationAlertsResponse.class);
     private static final String CORRELATION_ALERTS_FIELD = "correlationAlerts";
     private static final String TOTAL_ALERTS_FIELD = "total_alerts";
 
@@ -41,16 +43,8 @@ public void writeTo(StreamOutput out) throws IOException {
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
         builder.startObject()
-                .field(CORRELATION_ALERTS_FIELD, alerts)
-                .field(TOTAL_ALERTS_FIELD, totalAlerts);
+                .field(CORRELATION_ALERTS_FIELD, this.alerts)
+                .field(TOTAL_ALERTS_FIELD, this.totalAlerts);
         return builder.endObject();
     }
-
-    public List<CorrelationAlert> getAlerts() {
-        return this.alerts;
-    }
-
-    public Integer getTotalAlerts() {
-        return this.totalAlerts;
-    }
 }

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

@@ -560,7 +560,6 @@ private void getCorrelatedFindings(String detectorType, Map<String, List<String>
                 if (!correlatedFindings.isEmpty()) {
                      CorrelationRuleScheduler correlationRuleScheduler = new CorrelationRuleScheduler(client, correlationAlertService, notificationService);
                      correlationRuleScheduler.schedule(correlationRules, correlatedFindings, request.getFinding().getId(), indexTimeout, user);
-                     correlationRuleScheduler.shutdown();
                 }
 
                 for (Map.Entry<String, List<String>> autoCorrelation: autoCorrelations.entrySet()) {