populate queries field in FindingDTO in case of bucket level monitor findings (#148) (#151)

Signed-off-by: Surya Sashank Nistala <snistala@amazon.com>

Signed-off-by: Surya Sashank Nistala <snistala@amazon.com>
(cherry picked from commit 2e44ff4)

Co-authored-by: Surya Sashank Nistala <snistala@amazon.com>
opensearch-trigger-bot[bot] and eirsep committed Nov 11, 2022
1 parent 134539e commit a8249c8
Showing 2 changed files with 34 additions and 15 deletions.
Expand Up @@ -5,6 +5,7 @@
package org.opensearch.securityanalytics.findings;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
Expand All @@ -16,6 +17,7 @@
import org.opensearch.client.Client;
import org.opensearch.client.node.NodeClient;
import org.opensearch.commons.alerting.AlertingPluginInterface;
import org.opensearch.commons.alerting.model.DocLevelQuery;
import org.opensearch.commons.alerting.model.FindingWithDocs;
import org.opensearch.commons.alerting.model.Table;
import org.opensearch.rest.RestStatus;
Expand Down Expand Up @@ -83,9 +85,9 @@ public void onFailure(Exception e) {
};

// monitor --> detectorId mapping
Map<String, String> monitorToDetectorMapping = new HashMap<>();
Map<String, Detector> monitorToDetectorMapping = new HashMap<>();
detector.getMonitorIds().forEach(
monitorId -> monitorToDetectorMapping.put(monitorId, detector.getId())
monitorId -> monitorToDetectorMapping.put(monitorId, detector)
);
// Get findings for all monitor ids
FindingsService.this.getFindingsByMonitorIds(
Expand All @@ -112,7 +114,7 @@ public void onFailure(Exception e) {
* @param listener ActionListener to get notified on response or error
*/
public void getFindingsByMonitorIds(
Map<String, String> monitorToDetectorMapping,
Map<String, Detector> monitorToDetectorMapping,
List<String> monitorIds,
String findingIndexName,
Table table,
Expand Down Expand Up @@ -169,11 +171,11 @@ public void getFindings(

List<String> allMonitorIds = new ArrayList<>();
// Used to convert monitorId back to detectorId to store in result FindingDto
Map<String, String> monitorToDetectorMapping = new HashMap<>();
Map<String, Detector> monitorToDetectorMapping = new HashMap<>();
detectors.forEach(detector -> {
// monitor --> detector map
detector.getMonitorIds().forEach(
monitorId -> monitorToDetectorMapping.put(monitorId, detector.getId())
monitorId -> monitorToDetectorMapping.put(monitorId, detector)
);
// all monitorIds
allMonitorIds.addAll(detector.getMonitorIds());
Expand Down Expand Up @@ -201,13 +203,21 @@ public void onFailure(Exception e) {
);
}

public FindingDto mapFindingWithDocsToFindingDto(FindingWithDocs findingWithDocs, String detectorId) {
public FindingDto mapFindingWithDocsToFindingDto(FindingWithDocs findingWithDocs, Detector detector) {
List<DocLevelQuery> docLevelQueries = findingWithDocs.getFinding().getDocLevelQueries();
if (docLevelQueries.isEmpty()) { // this is finding generated by a bucket level monitor
for (Map.Entry<String, String> entry : detector.getRuleIdMonitorIdMap().entrySet()) {
if(entry.getValue().equals(findingWithDocs.getFinding().getMonitorId())) {
docLevelQueries = Collections.singletonList(new DocLevelQuery(entry.getKey(),"","",Collections.emptyList()));
}
}
}
return new FindingDto(
detectorId,
detector.getId(),
findingWithDocs.getFinding().getId(),
findingWithDocs.getFinding().getRelatedDocIds(),
findingWithDocs.getFinding().getIndex(),
findingWithDocs.getFinding().getDocLevelQueries(),
docLevelQueries,
findingWithDocs.getFinding().getTimestamp(),
findingWithDocs.getDocuments()
);
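Review bot: In mapFindingWithDocsToFindingDto the loop over `detector.getRuleIdMonitorIdMap()` reassigns `docLevelQueries` on every match and never breaks, so if more than one rule id is mapped to the finding's monitor id only the last one in HashMap iteration order is reported and the others are silently dropped. If a monitor can only ever belong to a single rule, a `break` after the assignment would make that intent explicit; otherwise every match should be collected into one list so the queries field of the FindingDto stays complete. The synthesized `DocLevelQuery` carries an empty query string, name and tag list, which deserves a comment so consumers of the findings API do not treat it as an executable query. `getRuleIdMonitorIdMap()` and `getDocLevelQueries()` are assumed non-null here; if either can be null for detectors created before this field existed, the new branch throws instead of returning the finding. The method's closing brace is outside the hunk.
```java
public FindingDto mapFindingWithDocsToFindingDto(FindingWithDocs findingWithDocs, Detector detector) {
    List<DocLevelQuery> docLevelQueries = findingWithDocs.getFinding().getDocLevelQueries();
    if (docLevelQueries.isEmpty()) { // finding generated by a bucket level monitor: no doc-level queries were recorded
        String monitorId = findingWithDocs.getFinding().getMonitorId();
        List<DocLevelQuery> ruleQueries = new ArrayList<>();
        for (Map.Entry<String, String> entry : detector.getRuleIdMonitorIdMap().entrySet()) {
            if (entry.getValue().equals(monitorId)) {
                // placeholder query: only the rule id is meaningful; query text, name and tags are intentionally empty
                ruleQueries.add(new DocLevelQuery(entry.getKey(), "", "", Collections.emptyList()));
            }
        }
        docLevelQueries = ruleQueries;
    }
    // … unchanged: FindingDto construction …
```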
Expand Up @@ -309,9 +309,9 @@ public void testCreatingADetectorWithAggregationRules() throws IOException {

Map<String, Object> responseBody = asMap(createResponse);

String createdRuleId = responseBody.get("_id").toString();
String detectorId = responseBody.get("_id").toString();

DetectorInput input = new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(createdRuleId)),
DetectorInput input = new DetectorInput("windows detector for security analytics", List.of("windows"), List.of(new DetectorRule(detectorId)),
getRandomPrePackagedRules().stream().map(DetectorRule::new).collect(Collectors.toList()));
Detector detector = randomDetectorWithInputs(List.of(input));

Expand All @@ -320,19 +320,19 @@ public void testCreatingADetectorWithAggregationRules() throws IOException {

responseBody = asMap(createResponse);

createdRuleId = responseBody.get("_id").toString();
detectorId = responseBody.get("_id").toString();
int createdVersion = Integer.parseInt(responseBody.get("_version").toString());
Assert.assertNotEquals("response is missing Id", Detector.NO_ID, createdRuleId);
Assert.assertNotEquals("response is missing Id", Detector.NO_ID, detectorId);
Assert.assertTrue("incorrect version", createdVersion > 0);
Assert.assertEquals("Incorrect Location header", String.format(Locale.getDefault(), "%s/%s", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, createdRuleId), createResponse.getHeader("Location"));
Assert.assertEquals("Incorrect Location header", String.format(Locale.getDefault(), "%s/%s", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, detectorId), createResponse.getHeader("Location"));
Assert.assertFalse(((Map<String, Object>) responseBody.get("detector")).containsKey("rule_topic_index"));
Assert.assertFalse(((Map<String, Object>) responseBody.get("detector")).containsKey("findings_index"));
Assert.assertFalse(((Map<String, Object>) responseBody.get("detector")).containsKey("alert_index"));

String request = "{\n" +
" \"query\" : {\n" +
" \"match\":{\n" +
" \"_id\": \"" + createdRuleId + "\"\n" +
" \"_id\": \"" + detectorId + "\"\n" +
" }\n" +
" }\n" +
"}";
Expand Down Expand Up @@ -370,11 +370,20 @@ public void testCreatingADetectorWithAggregationRules() throws IOException {
Map<String, Object> executeResults = entityAsMap(executeResponse);
// verify bucket level monitor findings
Map<String, String> params = new HashMap<>();
params.put("detector_id", createdRuleId);
params.put("detector_id", detectorId);
Response getFindingsResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.FINDINGS_BASE_URI + "/_search", params, null);
Map<String, Object> getFindingsBody = entityAsMap(getFindingsResponse);
assertNotNull(getFindingsBody);
Assert.assertEquals(1, getFindingsBody.get("total_findings"));
List<?> findings = (List<?>) getFindingsBody.get("findings");
Assert.assertEquals(findings.size(), 1);
HashMap<String, Object> finding = (HashMap<String, Object>) findings.get(0);
Assert.assertTrue(finding.containsKey("queries"));
HashMap<String, Object> docLevelQuery = (HashMap<String, Object>) ((List<?>) finding.get("queries")).get(0);
String ruleId = docLevelQuery.get("id").toString();
Response getResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.DETECTOR_BASE_URI + "/" + detectorId, Collections.emptyMap(), null);
String getDetectorResponseString = new String(getResponse.getEntity().getContent().readAllBytes());
Assert.assertTrue(getDetectorResponseString.contains(ruleId));
}
public void testUpdateADetector() throws IOException {
String index = createTestIndex(randomIndex(), windowsIndexMapping());
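Review bot: The new assertions at the end of testCreatingADetectorWithAggregationRules verify the rule id only with `getDetectorResponseString.contains(ruleId)`, a substring match against the whole response body that passes if the id appears anywhere in it, so it does not prove that the finding's query points at the detector's aggregation rule. Parsing the body with `asMap(getResponse)` and asserting the id is present in the detector input's rule list would pin the actual contract. `Assert.assertEquals(findings.size(), 1)` has expected and actual swapped; `Assert.assertEquals(1, findings.size())` matches the surrounding asserts and gives a correct failure message. `new String(getResponse.getEntity().getContent().readAllBytes())` decodes with the platform default charset, so `new String(bytes, StandardCharsets.UTF_8)` would keep the test environment-independent.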
