

APIs added for Alerts in Correlations
Signed-off-by: Riya Saxena <[email protected]>
riysaxen-amzn committed Jun 10, 2024
1 parent 42f2b46 commit 462604d
Showing 13 changed files with 504 additions and 145 deletions.
@@ -218,7 +218,8 @@ public List<RestHandler> getRestHandlers(Settings settings,
new RestIndexCustomLogTypeAction(),
new RestSearchCustomLogTypeAction(),
new RestDeleteCustomLogTypeAction(),
new RestGetCorrelationsAlertsAction()
new RestGetCorrelationsAlertsAction(),
new RestAcknowledgeCorrelationAlertsAction()
);
}
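Review bot: The two correlation-alert entries in the action list (the `GetCorrelationAlertsAction` line and the new `CorrelationAckAlertsAction` line) spell the handler type as `new ActionPlugin.ActionHandler<>(...)` while every neighbouring entry uses the imported `new ActionHandler<>(...)`; the new line should follow the file's convention, `new ActionHandler<>(CorrelationAckAlertsAction.INSTANCE, TransportAckCorrelationAlertsAction.class)`. The REST handler and the transport action are registered in matching order, which is fine. Both `getRestHandlers` and `getSettings` begin before the hunks shown here.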

@@ -340,7 +341,8 @@ public List<Setting<?>> getSettings() {
new ActionHandler<>(SearchCustomLogTypeAction.INSTANCE, TransportSearchCustomLogTypeAction.class),
new ActionHandler<>(DeleteCustomLogTypeAction.INSTANCE, TransportDeleteCustomLogTypeAction.class),
new ActionHandler<>(PutTIFJobAction.INSTANCE, TransportPutTIFJobAction.class),
new ActionPlugin.ActionHandler<>(GetCorrelationAlertsAction.INSTANCE, TransportGetCorrelationAlertsAction.class)
new ActionPlugin.ActionHandler<>(GetCorrelationAlertsAction.INSTANCE, TransportGetCorrelationAlertsAction.class),
new ActionPlugin.ActionHandler<>(CorrelationAckAlertsAction.INSTANCE, TransportAckCorrelationAlertsAction.class)
);
}

@@ -0,0 +1,20 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*/
package org.opensearch.securityanalytics.action;

import org.opensearch.action.ActionType;

/**
* Acknowledge Alert Action
*/
public class CorrelationAckAlertsAction extends ActionType<CorrelationAckAlertsResponse> {
public static final String NAME = "cluster:admin/opensearch/securityanalytics/correlationAlerts/ack";
public static final CorrelationAckAlertsAction INSTANCE = new CorrelationAckAlertsAction();

public CorrelationAckAlertsAction() {
super(NAME, CorrelationAckAlertsResponse::new);
}
}
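Review bot: The constructor is `public` even though the class exposes a shared `INSTANCE`, so callers can create a second `ActionType` with the same name; making it `private CorrelationAckAlertsAction()` keeps the singleton the only instance, as the sibling action types in this package presumably do. The Javadoc `Acknowledge Alert Action` does not distinguish this from the existing detector-alert acknowledge action; `/** Action type for acknowledging correlation alerts (distinct from the detector-alert ack action). */` would. The `NAME` string `cluster:admin/opensearch/securityanalytics/correlationAlerts/ack` is the permission the security plugin will key on, so it is worth confirming it is added to the plugin's role definitions alongside the get action.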

@@ -0,0 +1,52 @@
package org.opensearch.securityanalytics.action;

import org.opensearch.action.ActionRequest;
import org.opensearch.action.ActionRequestValidationException;
import org.opensearch.action.ValidateActions;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.core.xcontent.XContentBuilder;

import java.io.IOException;
import java.util.Collections;
import java.util.List;

public class CorrelationAckAlertsRequest extends ActionRequest {
private final List<String> correlationAlertIds;

public CorrelationAckAlertsRequest(List<String> correlationAlertIds) {
this.correlationAlertIds = correlationAlertIds;
}

public CorrelationAckAlertsRequest(StreamInput in) throws IOException {
correlationAlertIds = Collections.unmodifiableList(in.readStringList());
}

@Override
public ActionRequestValidationException validate() {
ActionRequestValidationException validationException = null;
if(correlationAlertIds == null || correlationAlertIds.isEmpty()) {
validationException = ValidateActions.addValidationError("alert ids list cannot be empty", validationException);
}
return validationException;
}

public void writeTo(StreamOutput out) throws IOException {
out.writeStringCollection(this.correlationAlertIds);
}

public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
return builder.startObject()
.field("correlation_alert_ids", correlationAlertIds)
.endObject();
}

public static AckAlertsRequest readFrom(StreamInput sin) throws IOException {
return new AckAlertsRequest(sin);
}

public List<String> getCorrelationAlertIds() {
return correlationAlertIds;
}
}
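Review bot: `readFrom` on the last lines of the class constructs and returns `AckAlertsRequest`, not this class, so anyone deserialising through the factory gets the detector-alert request type fed from a correlation-alert stream; it should read `public static CorrelationAckAlertsRequest readFrom(StreamInput sin) throws IOException { return new CorrelationAckAlertsRequest(sin); }`. `writeTo` is also missing `@Override`, and neither it nor the `StreamInput` constructor delegates to the base class (`super(in)` / `super.writeTo(out)`), which in OpenSearch is where the parent task id is serialised — if the existing `AckAlertsRequest` delegates, this one should too. Because the id list is entirely caller-controlled, `validate()` may also want an upper bound on its size so a single request cannot fan out into an unbounded number of index updates in `TransportAckCorrelationAlertsAction`, which is not part of this diff.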
@@ -0,0 +1,52 @@
package org.opensearch.securityanalytics.action;

import org.opensearch.commons.alerting.model.CorrelationAlert;
import org.opensearch.core.action.ActionResponse;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.core.xcontent.ToXContentObject;
import org.opensearch.core.xcontent.XContentBuilder;

import java.io.IOException;
import java.util.Collections;
import java.util.List;

public class CorrelationAckAlertsResponse extends ActionResponse implements ToXContentObject {

private final List<CorrelationAlert> acknowledged;
private final List<CorrelationAlert> failed;

public CorrelationAckAlertsResponse(List<CorrelationAlert> acknowledged, List<CorrelationAlert> failed) {
this.acknowledged = acknowledged;
this.failed = failed;
}

public CorrelationAckAlertsResponse(StreamInput sin) throws IOException {
this(
Collections.unmodifiableList(sin.readList(CorrelationAlert::new)),
Collections.unmodifiableList(sin.readList(CorrelationAlert::new))
);
}

@Override
public void writeTo(StreamOutput streamOutput) throws IOException {
streamOutput.writeList(this.acknowledged);
streamOutput.writeList(this.failed);
}

@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
builder.startObject()
.field("acknowledged",this.acknowledged)
.field("failed",this.failed);
return builder.endObject();
}

public List<CorrelationAlert> getAcknowledged() {
return acknowledged;
}

public List<CorrelationAlert> getFailed() {
return failed;
}
}
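Review bot: The `failed` list carries no reason, so a client cannot tell whether an id was unknown, already acknowledged, or rejected, and the class does not say what lands there; at minimum the field needs a Javadoc such as `/** Alerts whose acknowledge update did not succeed; no per-alert reason is reported. */`, with the criteria living in `TransportAckCorrelationAlertsAction`, which is not in this diff. The three-argument constructor stores the caller's lists as-is while the `StreamInput` constructor wraps them in `Collections.unmodifiableList`, so whether the getters expose a mutable list depends on which constructor built the object; wrapping in the primary constructor too (`this.acknowledged = Collections.unmodifiableList(acknowledged);`) makes the two paths consistent. A null list passed to the primary constructor will only fail later in `writeTo`, so `Objects.requireNonNull` there would surface the error at the source.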
@@ -58,9 +58,9 @@ public GetCorrelationAlertsRequest(StreamInput sin) throws IOException {
@Override
public ActionRequestValidationException validate() {
ActionRequestValidationException validationException = null;
if ((correlationRuleId == null || correlationRuleId.length() == 0)) {
if ((correlationRuleId != null && correlationRuleId.isEmpty())) {
validationException = addValidationError(String.format(Locale.getDefault(),
"At least one of correlation rule id needs to be passed", CORRELATION_RULE_ID),
"Correlation ruleId is empty or not valid", CORRELATION_RULE_ID),
validationException);
}
return validationException;
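Review bot: The new message is passed through `String.format` with `CORRELATION_RULE_ID` as an argument but contains no `%s`, so the constant is silently ignored (the replaced line had the same defect); either drop the argument or write `"%s is empty or not valid", CORRELATION_RULE_ID`, and prefer `Locale.ROOT` over `Locale.getDefault()` for a machine-facing error string. The relaxed condition also changes the endpoint's contract: a request with no rule id is now accepted and presumably returns correlation alerts across all rules rather than for one, so the transport action should bound the result set and apply the same user/backend-role filtering it applied before — that code is not in this diff. `validate()` continues past the end of the hunk.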
@@ -1,18 +1,20 @@
package org.opensearch.securityanalytics.action;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.commons.alerting.model.CorrelationAlert;
import org.opensearch.core.action.ActionResponse;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.core.xcontent.ToXContentObject;
import org.opensearch.core.xcontent.XContentBuilder;

import java.io.IOException;
import java.util.Collections;
import java.util.List;

public class GetCorrelationAlertsResponse extends ActionResponse implements ToXContentObject {

private static final Logger log = LogManager.getLogger(GetCorrelationAlertsResponse.class);
private static final String CORRELATION_ALERTS_FIELD = "correlationAlerts";
private static final String TOTAL_ALERTS_FIELD = "total_alerts";

@@ -41,16 +43,8 @@ public void writeTo(StreamOutput out) throws IOException {
@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
builder.startObject()
.field(CORRELATION_ALERTS_FIELD, alerts)
.field(TOTAL_ALERTS_FIELD, totalAlerts);
.field(CORRELATION_ALERTS_FIELD, this.alerts)
.field(TOTAL_ALERTS_FIELD, this.totalAlerts);
return builder.endObject();
}

public List<CorrelationAlert> getAlerts() {
return this.alerts;
}

public Integer getTotalAlerts() {
return this.totalAlerts;
}
}
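Review bot: The `log` field added to `GetCorrelationAlertsResponse` is not referenced in any visible hunk of this file; unless a hunk not shown uses it, drop it together with the two log4j imports rather than leaving a dead static. If it is kept, avoid logging `this.alerts` at debug level in `toXContent`, since that would copy full correlation-alert contents into the server log. The `this.` prefixes on the builder fields are a no-op style change and are fine.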
@@ -560,7 +560,6 @@ private void getCorrelatedFindings(String detectorType, Map<String, List<String>
if (!correlatedFindings.isEmpty()) {
CorrelationRuleScheduler correlationRuleScheduler = new CorrelationRuleScheduler(client, correlationAlertService, notificationService);
correlationRuleScheduler.schedule(correlationRules, correlatedFindings, request.getFinding().getId(), indexTimeout, user);
correlationRuleScheduler.shutdown();
}

for (Map.Entry<String, List<String>> autoCorrelation: autoCorrelations.entrySet()) {

