Updating of bucket level monitors supported

Added integration tests for checking update of bucket level monitors Signed-off-by: Stevan Buzejic <stevan.buzejic@htecgroup.com>
opensearch-project · Nov 2, 2022 · 357aaa0 · 357aaa0
1 parent 8691155
commit 357aaa0
Show file tree

Hide file tree

Showing 7 changed files with 336 additions and 158 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/model/Rule.java b/src/main/java/org/opensearch/securityanalytics/model/Rule.java
@@ -452,7 +452,6 @@ public boolean isAggregationRule() {
         return aggregationQueries != null && !aggregationQueries.isEmpty();
     }
 
-    // TODO - temp method; Replace once you have some more inputs from Shubo and Surya
     public List<AggregationItem> getAggregationItemsFromRule () throws SigmaError {
         SigmaRule sigmaRule = SigmaRule.fromYaml(rule, true);
         List<AggregationItem> aggregationItems = new ArrayList<>();

diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/AggregationBuilders.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/AggregationBuilders.java
@@ -1,76 +1,29 @@
 package org.opensearch.securityanalytics.rules.backend;
 
 import org.opensearch.search.aggregations.AggregationBuilder;
-import org.opensearch.search.aggregations.bucket.histogram.AutoDateHistogramAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.histogram.DateHistogramAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.histogram.HistogramAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.histogram.VariableWidthHistogramAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.range.DateRangeAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.range.GeoDistanceAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.range.IpRangeAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.range.RangeAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.sampler.DiversifiedAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.terms.RareTermsAggregationBuilder;
-import org.opensearch.search.aggregations.bucket.terms.SignificantTermsAggregationBuilder;
 import org.opensearch.search.aggregations.bucket.terms.TermsAggregationBuilder;
 import org.opensearch.search.aggregations.metrics.AvgAggregationBuilder;
-import org.opensearch.search.aggregations.metrics.CardinalityAggregationBuilder;
-import org.opensearch.search.aggregations.metrics.ExtendedStatsAggregationBuilder;
-import org.opensearch.search.aggregations.metrics.GeoCentroidAggregationBuilder;
 import org.opensearch.search.aggregations.metrics.MaxAggregationBuilder;
 import org.opensearch.search.aggregations.metrics.MedianAbsoluteDeviationAggregationBuilder;
 import org.opensearch.search.aggregations.metrics.MinAggregationBuilder;
-import org.opensearch.search.aggregations.metrics.PercentileRanksAggregationBuilder;
-import org.opensearch.search.aggregations.metrics.PercentilesAggregationBuilder;
-import org.opensearch.search.aggregations.metrics.StatsAggregationBuilder;
 import org.opensearch.search.aggregations.metrics.SumAggregationBuilder;
 import org.opensearch.search.aggregations.metrics.ValueCountAggregationBuilder;
+
 public final class AggregationBuilders {
 
     /**
      * Finds the builder aggregation based on the forwarded function
      *
-     * @param aggregationFunction - aggregation function
-     * @param name - name of the aggregation
-     * @return
+     * @param aggregationFunction Aggregation function
+     * @param name                Name of the aggregation
+     * @return Aggregation builder
      */
-    public static AggregationBuilder getAggregationBuilderByFunction(String aggregationFunction, String name){
+    public static AggregationBuilder getAggregationBuilderByFunction(String aggregationFunction, String name) {
         AggregationBuilder aggregationBuilder;
-        switch (aggregationFunction){
-            case AutoDateHistogramAggregationBuilder.NAME:
-                aggregationBuilder = new AutoDateHistogramAggregationBuilder(name).field(name);
-                break;
+        switch (aggregationFunction.toLowerCase()) {
             case AvgAggregationBuilder.NAME:
                 aggregationBuilder = new AvgAggregationBuilder(name).field(name);
                 break;
-            case CardinalityAggregationBuilder.NAME:
-                aggregationBuilder = new CardinalityAggregationBuilder(name).field(name);
-                break;
-            case DateHistogramAggregationBuilder.NAME:
-                aggregationBuilder = new DateHistogramAggregationBuilder(name).field(name);
-                break;
-            case DateRangeAggregationBuilder.NAME:
-                aggregationBuilder = new DateRangeAggregationBuilder(name).field(name);
-                break;
-            case DiversifiedAggregationBuilder.NAME:
-                aggregationBuilder = new DiversifiedAggregationBuilder(name).field(name);
-                break;
-            case ExtendedStatsAggregationBuilder.NAME:
-                aggregationBuilder = new ExtendedStatsAggregationBuilder(name).field(name);
-                break;
-            case GeoCentroidAggregationBuilder.NAME:
-                aggregationBuilder = new GeoCentroidAggregationBuilder(name).field(name);
-                break;
-                // TODO ?
-            case GeoDistanceAggregationBuilder.NAME:
-                aggregationBuilder = new GeoDistanceAggregationBuilder(name, null).field(name);
-                break;
-            case HistogramAggregationBuilder.NAME:
-                aggregationBuilder = new HistogramAggregationBuilder(name).field(name);
-                break;
-            case IpRangeAggregationBuilder.NAME:
-                aggregationBuilder = new IpRangeAggregationBuilder(name).field(name);
-                break;
             case MaxAggregationBuilder.NAME:
                 aggregationBuilder = new MaxAggregationBuilder(name).field(name);
                 break;
@@ -80,38 +33,17 @@ public static AggregationBuilder getAggregationBuilderByFunction(String aggregat
             case MinAggregationBuilder.NAME:
                 aggregationBuilder = new MinAggregationBuilder(name).field(name);
                 break;
-                // TODO - do we need this?
-            case PercentileRanksAggregationBuilder.NAME:
-                aggregationBuilder = new PercentileRanksAggregationBuilder(name, null).field(name);
-                break;
-            case PercentilesAggregationBuilder.NAME:
-                aggregationBuilder = new PercentilesAggregationBuilder(name).field(name);
-                break;
-            case RangeAggregationBuilder.NAME:
-                aggregationBuilder = new RangeAggregationBuilder(name).field(name);
-                break;
-            case RareTermsAggregationBuilder.NAME:
-                aggregationBuilder = new RareTermsAggregationBuilder(name).field(name);
-                break;
-            case SignificantTermsAggregationBuilder.NAME:
-                aggregationBuilder = new SignificantTermsAggregationBuilder(name).field(name);
-                break;
-            case StatsAggregationBuilder.NAME:
-                aggregationBuilder = new StatsAggregationBuilder(name).field(name);
-                break;
             case SumAggregationBuilder.NAME:
                 aggregationBuilder = new SumAggregationBuilder(name).field(name);
                 break;
             case TermsAggregationBuilder.NAME:
                 aggregationBuilder = new TermsAggregationBuilder(name).field(name);
                 break;
-            case ValueCountAggregationBuilder.NAME:
+            case "count":
                 aggregationBuilder = new ValueCountAggregationBuilder(name).field(name);
                 break;
-            case VariableWidthHistogramAggregationBuilder.NAME:
-                aggregationBuilder = new VariableWidthHistogramAggregationBuilder(name).field(name);
-                break;
-            default: return null;
+            default:
+                return null;
         }
         return aggregationBuilder;
     }

diff --git a/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java b/src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
@@ -389,8 +389,11 @@ public AggregationQueries convertAggregation(AggregationItem aggregation) {
             fmtAggQuery = String.format(Locale.getDefault(), aggQuery, "result_agg", aggregation.getGroupByField(), aggregation.getAggField(), aggregation.getAggFunction(), aggregation.getAggField());
             fmtBucketTriggerQuery = String.format(Locale.getDefault(), bucketTriggerQuery, aggregation.getAggField(), aggregation.getAggField(), "result_agg", aggregation.getAggField(), aggregation.getCompOperator(), aggregation.getThreshold());
 
+            // Add subaggregation
             AggregationBuilder subAgg = AggregationBuilders.getAggregationBuilderByFunction(aggregation.getAggFunction(), aggregation.getAggField());
-            aggBuilder.field(aggregation.getGroupByField()).subAggregation(subAgg);
+            if (subAgg != null) {
+                aggBuilder.field(aggregation.getGroupByField()).subAggregation(subAgg);
+            }
 
             Script script = new Script(String.format(Locale.getDefault(), bucketTriggerScript, aggregation.getAggField(), aggregation.getCompOperator(), aggregation.getThreshold()));
             condition = new BucketSelectorExtAggregationBuilder(bucketTriggerSelectorId, Collections.singletonMap(aggregation.getAggField(), aggregation.getAggField()), script, "result_agg", null);