correlation alerts #877
correlation alerts #877
Changes from all commits
ed18bcf
3f7351c
5e84c4a
098b081
fafdcad
e376bb2
ccfa003
b414c45
ecfe169
40a9bec
1848d8c
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,120 @@ | ||
/* | ||
* Copyright OpenSearch Contributors | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
package org.opensearch.securityanalytics.correlation.alert; | ||
|
||
import org.apache.logging.log4j.LogManager; | ||
import org.apache.logging.log4j.Logger; | ||
import org.opensearch.action.search.SearchRequest; | ||
import org.opensearch.action.search.SearchResponse; | ||
import org.opensearch.client.Client; | ||
import org.opensearch.cluster.ClusterState; | ||
import org.opensearch.cluster.service.ClusterService; | ||
import org.opensearch.common.xcontent.LoggingDeprecationHandler; | ||
import org.opensearch.common.xcontent.XContentType; | ||
import org.opensearch.commons.alerting.model.Table; | ||
import org.opensearch.core.action.ActionListener; | ||
import org.opensearch.core.xcontent.NamedXContentRegistry; | ||
import org.opensearch.core.xcontent.XContentParser; | ||
import org.opensearch.index.query.BoolQueryBuilder; | ||
import org.opensearch.index.query.QueryBuilders; | ||
import org.opensearch.search.SearchHit; | ||
import org.opensearch.search.builder.SearchSourceBuilder; | ||
import org.opensearch.search.sort.FieldSortBuilder; | ||
import org.opensearch.search.sort.SortBuilders; | ||
import org.opensearch.search.sort.SortOrder; | ||
import org.opensearch.securityanalytics.model.CorrelationAlert; | ||
|
||
import java.io.IOException; | ||
import java.util.ArrayList; | ||
import java.util.Collections; | ||
import java.util.List; | ||
import java.util.Objects; | ||
|
||
public class CorrelationAlertService { | ||
public static final String CORRELATION_ALERT_INDEX = ".opensearch-sap-correlations-alerts"; | ||
private static final Logger log = LogManager.getLogger(CorrelationAlertService.class); | ||
|
||
private final Client client; | ||
private final ClusterService clusterService; | ||
private final NamedXContentRegistry xContentRegistry; | ||
|
||
public CorrelationAlertService(Client client, ClusterService clusterService, NamedXContentRegistry xContentRegistry) { | ||
this.client = client; | ||
this.clusterService = clusterService; | ||
this.xContentRegistry = xContentRegistry; | ||
} | ||
|
||
|
||
public void getCorrelationAlerts(ActionListener<CorrelationAlertsList> listener, | ||
Table table, | ||
String severityLevel, | ||
String alertState) { | ||
try { | ||
if (false == correlationAlertsIndexExists()) { | ||
listener.onResponse(new CorrelationAlertsList(Collections.emptyList(), 0)); | ||
|
||
} else { | ||
FieldSortBuilder sortBuilder = SortBuilders | ||
.fieldSort(table.getSortString()) | ||
.order(SortOrder.fromString(table.getSortOrder())); | ||
|
||
if (null != table.getMissing() && false == table.getMissing().isEmpty()) { | ||
sortBuilder.missing(table.getMissing()); | ||
|
||
} | ||
BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery(); | ||
|
||
|
||
if (false == Objects.equals(severityLevel, "ALL")) { | ||
queryBuilder.filter(QueryBuilders.termQuery("severity", severityLevel)); | ||
|
||
} | ||
if (false == Objects.equals(alertState, "ALL")) { | ||
queryBuilder.filter(QueryBuilders.termQuery("state", alertState)); | ||
|
||
} | ||
SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder() | ||
.version(true) | ||
.seqNoAndPrimaryTerm(true) | ||
.query(queryBuilder) | ||
.sort(sortBuilder) | ||
.size(table.getSize()) | ||
.from(table.getStartIndex()); | ||
|
||
|
||
SearchRequest searchRequest = new SearchRequest(CORRELATION_ALERT_INDEX).source(searchSourceBuilder); | ||
client.search(searchRequest, ActionListener.wrap( | ||
|
||
searchResponse -> { | ||
if (0 == searchResponse.getHits().getHits().length) { | ||
listener.onResponse(new CorrelationAlertsList(Collections.emptyList(), 0)); | ||
|
||
} else { | ||
listener.onResponse( | ||
|
||
new CorrelationAlertsList( | ||
parseCorrelationAlerts(searchResponse), | ||
|
||
searchResponse.getHits() != null && searchResponse.getHits().getTotalHits() != null ? | ||
(int) searchResponse.getHits().getTotalHits().value : 0) | ||
|
||
); | ||
} | ||
}, | ||
|
||
e -> { | ||
log.error("Search request to fetch correlation alerts failed", e); | ||
listener.onFailure(e); | ||
} | ||
|
||
)); | ||
} | ||
} catch (Exception e) { | ||
log.error("Unexpected error when fetch correlation alerts", e); | ||
listener.onFailure(e); | ||
} | ||
} | ||
|
||
|
||
public boolean correlationAlertsIndexExists() { | ||
ClusterState clusterState = clusterService.state(); | ||
return clusterState.getRoutingTable().hasIndex(CORRELATION_ALERT_INDEX); | ||
|
||
} | ||
|
||
public List<CorrelationAlert> parseCorrelationAlerts(final SearchResponse response) throws IOException { | ||
List<CorrelationAlert> alerts = new ArrayList<>(); | ||
|
||
for (SearchHit hit : response.getHits()) { | ||
XContentParser xcp = XContentType.JSON.xContent().createParser( | ||
|
||
xContentRegistry, | ||
LoggingDeprecationHandler.INSTANCE, hit.getSourceAsString()); | ||
CorrelationAlert correlationAlert = CorrelationAlert.docParse(xcp, hit.getId(), hit.getVersion()); | ||
alerts.add(correlationAlert); | ||
} | ||
return alerts; | ||
|
||
} | ||
} |
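Review bot: The XContentParser that parseCorrelationAlerts creates for every hit is never closed; XContentParser is Closeable, so the parser should be opened in a try-with-resources so its underlying resources are released even when CorrelationAlert.docParse throws, as in the rewritten loop body below. Separately, in the search callback the guard `searchResponse.getHits() != null` on the total-hits line is dead, because the enclosing `if` has already dereferenced `searchResponse.getHits().getHits()` two lines earlier; either drop the guard or hoist `SearchHits hits = searchResponse.getHits();` and test it once before the length check. The class and its three public methods have no Javadoc; at minimum `getCorrelationAlerts` should document that passing `"ALL"` as severityLevel or alertState disables that filter, that any other value is applied as an exact term match on the `severity`/`state` fields, and that the result is delivered only through the listener.
```java
for (SearchHit hit : response.getHits()) {
    try (XContentParser xcp = XContentType.JSON.xContent().createParser(
            xContentRegistry, LoggingDeprecationHandler.INSTANCE, hit.getSourceAsString())) {
        alerts.add(CorrelationAlert.docParse(xcp, hit.getId(), hit.getVersion()));
    }
}
// … unchanged: return alerts …
```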
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
/* | ||
* Copyright OpenSearch Contributors | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
package org.opensearch.securityanalytics.correlation.alert; | ||
|
||
import org.opensearch.securityanalytics.model.CorrelationAlert; | ||
|
||
import java.util.List; | ||
|
||
/** | ||
* Wrapper class that holds list of correlation alerts and total number of alerts available. | ||
* Useful for pagination. | ||
*/ | ||
public class CorrelationAlertsList { | ||
|
||
private final List<CorrelationAlert> correlationAlertList; | ||
private final Integer totalAlerts; | ||
|
||
public CorrelationAlertsList(List<CorrelationAlert> correlationAlertList, Integer totalAlerts) { | ||
this.correlationAlertList = correlationAlertList; | ||
this.totalAlerts = totalAlerts; | ||
} | ||
|
||
|
||
public List<CorrelationAlert> getCorrelationAlertList() { | ||
return correlationAlertList; | ||
|
||
} | ||
|
||
public Integer getTotalAlerts() { | ||
return totalAlerts; | ||
|
||
} | ||
|
||
} |
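Review bot: The constructor stores the caller's list reference as-is and getCorrelationAlertList hands that same reference back, so this "wrapper" is only as immutable as whatever list the caller passed in and any holder of the result can mutate it. Snapshotting in the constructor with `this.correlationAlertList = List.copyOf(correlationAlertList);` fixes both directions; it rejects a null list or null elements, which the call sites in CorrelationAlertService (`Collections.emptyList()` and the parsed ArrayList) never produce. totalAlerts is a boxed Integer although every visible caller passes an int; declaring the field and getter as `int` removes a nullable value from the API, or, if a null total is intended, the Javadoc should say what it means.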
nit: can we move the ActionListener as the last parameter for consistency?