Add associated_assets field to Events (#19740)

* Add optional associated_assets to Events

* Add scores and associated_assets fields to events mapping test

graylog2-server/src/main/java/org/graylog/events/event/Event.java

@@ -25,6 +25,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.OptionalDouble;
+import java.util.Set;
 
 public interface Event extends Indexable {
     @Override
@@ -106,6 +107,8 @@ public interface Event extends Indexable {
 
     void setScore(String name, double riskScore);
 
+    void addAssociatedAssets(Set<String> associatedAssets);
+
     EventDto toDto();
 
     static Event fromDto(EventDto from) {

graylog2-server/src/main/java/org/graylog/events/event/EventDto.java

@@ -51,6 +51,7 @@ public abstract class EventDto {
     public static final String FIELD_KEY = "key";
     public static final String FIELD_PRIORITY = "priority";
     public static final String FIELD_SCORES = "scores";
+    public static final String FIELD_ASSOCIATED_ASSETS = "associated_assets";
     public static final String FIELD_FIELDS = "fields";
     private static final String FIELD_GROUP_BY_FIELDS = "group_by_fields";
     public static final String FIELD_REPLAY_INFO = "replay_info";
@@ -104,6 +105,9 @@ public abstract class EventDto {
     @JsonProperty(FIELD_SCORES)
     public abstract Map<String, Double> scores();
 
+    @JsonProperty(FIELD_ASSOCIATED_ASSETS)
+    public abstract Set<String> associatedAssets();
+
     @JsonProperty(FIELD_ALERT)
     public abstract boolean alert();
 
@@ -131,7 +135,8 @@ public static Builder create() {
             return new AutoValue_EventDto.Builder()
                     .sourceStreams(ImmutableSet.of())
                     .groupByFields(ImmutableMap.of())
-                    .scores(ImmutableMap.of());
+                    .scores(ImmutableMap.of())
+                    .associatedAssets(ImmutableSet.of());
         }
 
         @JsonProperty(FIELD_ID)
@@ -186,6 +191,9 @@ public static Builder create() {
         @JsonProperty(FIELD_SCORES)
         public abstract Builder scores(Map<String, Double> scores);
 
+        @JsonProperty(FIELD_ASSOCIATED_ASSETS)
+        public abstract Builder associatedAssets(Set<String> associatedAssets);
+
         @JsonProperty(FIELD_ALERT)
         public abstract Builder alert(boolean alert);
 

graylog2-server/src/main/java/org/graylog/events/event/EventImpl.java

@@ -29,10 +29,12 @@
 
 import javax.annotation.Nonnull;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.OptionalDouble;
+import java.util.Set;
 import java.util.stream.Collectors;
 
 import static com.google.common.base.Strings.isNullOrEmpty;
@@ -60,6 +62,7 @@ public class EventImpl implements Event {
     private Map<String, FieldValue> fields = new HashMap<>();
     private Map<String, FieldValue> groupByFields = new HashMap<>();
     private final Map<String, Double> scores = new HashMap<>();
+    private final Set<String> associatedAssets = new HashSet<>();
     private EventReplayInfo replayInfo;
 
     EventImpl(String eventId,
@@ -255,6 +258,11 @@ public void setScore(String name, double riskScore) {
         this.scores.put(name, riskScore);
     }
 
+    @Override
+    public void addAssociatedAssets(Set<String> associatedAssets) {
+        this.associatedAssets.addAll(associatedAssets);
+    }
+
     @Override
     public boolean getAlert() {
         return alert;
@@ -334,6 +342,7 @@ public EventDto toDto() {
                 .key(String.join("|", getKeyTuple()))
                 .priority(getPriority())
                 .scores(ImmutableMap.copyOf(scores))
+                .associatedAssets(ImmutableSet.copyOf(associatedAssets))
                 .alert(getAlert())
                 .fields(ImmutableMap.copyOf(fields))
                 .groupByFields(ImmutableMap.copyOf(groupByFields))
@@ -391,6 +400,7 @@ public boolean equals(Object o) {
                 Objects.equals(fields, event.fields) &&
                 Objects.equals(groupByFields, event.groupByFields) &&
                 Objects.equals(scores, event.scores) &&
+                Objects.equals(associatedAssets, event.associatedAssets) &&
                 Objects.equals(replayInfo, event.replayInfo);
     }
 
@@ -423,6 +433,7 @@ public String toString() {
                 .add("groupByFields", groupByFields)
                 .add("replayInfo", replayInfo)
                 .add("scores", scores)
+                .add("associatedAssets", associatedAssets)
                 .toString();
     }
 

graylog2-server/src/main/java/org/graylog2/indexer/EventsIndexMapping.java

@@ -23,6 +23,8 @@
 
 import java.util.Map;
 
+import static org.graylog.schema.SecurityFields.FIELD_ASSOCIATED_ASSETS;
+
 public abstract class EventsIndexMapping implements IndexMappingTemplate {
     @Override
     public Template toTemplate(IndexSetMappingTemplate indexSetConfig, Long order) {
@@ -198,6 +200,9 @@ protected ImmutableMap<String, Object> fieldProperties() {
                         .put("type", "object")
                         .put("dynamic", true)
                         .build())
+                .put(FIELD_ASSOCIATED_ASSETS, map()
+                        .put("type", "keyword")
+                        .build())
                 /* TODO: Enable the typed fields once we decided if that's the way to go
                 .put("fields_typed", map()
                         .put("type", "object")

graylog2-server/src/test/java/org/graylog2/indexer/EventsIndexMappingTest.java

@@ -108,5 +108,7 @@ private void assertStandardMappingValues(JsonPathAssert at) {
         at.jsonPathAsString("$.properties.fields.type").isEqualTo("object");
         at.jsonPathAsBoolean("$.properties.fields.dynamic").isTrue();
         at.jsonPathAsString("$.properties.triggered_jobs.type").isEqualTo("keyword");
+        at.jsonPathAsString("$.properties.associated_assets.type").isEqualTo("keyword");
+        at.jsonPathAsString("$.properties.scores.type").isEqualTo("object");
     }
 }