From 0d24cb4d04e41613c77fc1afb81553ca5f6617c8 Mon Sep 17 00:00:00 2001 From: Riya Saxena Date: Tue, 30 Jan 2024 16:04:48 -0800 Subject: [PATCH 1/4] added support for param in Finding API Signed-off-by: Riya Saxena --- .../alerting/resthandler/RestGetFindingsAction.kt | 4 +++- .../transport/TransportGetFindingsAction.kt | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt index 75607a701..22b01fbbb 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt @@ -45,6 +45,7 @@ class RestGetFindingsAction : BaseRestHandler() { val size = request.paramAsInt("size", 20) val startIndex = request.paramAsInt("startIndex", 0) val searchString = request.param("searchString", "") + val severity: String? = request.param("severity", "ALL") val table = Table( sortOrder, @@ -57,7 +58,8 @@ class RestGetFindingsAction : BaseRestHandler() { val getFindingsSearchRequest = GetFindingsRequest( findingID, - table + table, + severity ) return RestChannelConsumer { channel -> diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt index 35f04558f..f64462b0e 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt 
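Review bot: The `"ALL"` default in `request.param("severity", "ALL")` is a sentinel that nothing in this series interprets — the transport action in the next hunk adds the nested tags filter whenever the value is non-blank, so a request with no explicit severity would match only findings whose `queries.tags` contain the literal token `ALL`. Dropping the default, `val severity: String? = request.param("severity")`, lets the transport side's `isNullOrBlank()` check mean "no severity filter" without a special case. If callers may still send `ALL` explicitly, the transport layer should additionally skip the filter for that value. The enclosing `prepareRequest` starts before this hunk and ends after it.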
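Review bot: `GetFindingsRequest` is now constructed with a third positional argument, but no change to that class appears in this patch's diffstat, so the build depends on a `GetFindingsRequest` (presumably from common-utils) that already accepts `severity`. Because `TransportGetFindingsSearchAction` may rebuild the request via `recreateObject(request) { GetFindingsRequest(it) }`, the new field must also be written and read in the request's stream serialization or it silently arrives as null on another node — worth confirming in the dependency. Passing the argument by name, `severity = severity`, would also protect against mis-ordering as more positional parameters are added in later patches of this series. `prepareRequest` begins outside this hunk.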
@@ -82,6 +82,7 @@ class TransportGetFindingsSearchAction @Inject constructor( val getFindingsRequest = request as? GetFindingsRequest ?: recreateObject(request) { GetFindingsRequest(it) } val tableProp = getFindingsRequest.table + val severity = getFindingsRequest.severity val sortBuilder = SortBuilders .fieldSort(tableProp.sortString) @@ -109,6 +110,19 @@ class TransportGetFindingsSearchAction @Inject constructor( queryBuilder.filter(QueryBuilders.termsQuery("monitor_id", getFindingsRequest.monitorIds)) } + if (!severity.isNullOrBlank()) { + queryBuilder + .must( + QueryBuilders.nestedQuery( + "queries", + QueryBuilders.boolQuery().should( + QueryBuilders.matchQuery("queries.tags", severity) + ), + ScoreMode.None + ) + ) + } + if (!tableProp.searchString.isNullOrBlank()) { queryBuilder .should( From ee792d6f87f55d4bcf96f341457dbff018b4c1b4 Mon Sep 17 00:00:00 2001 From: Riya Saxena Date: Tue, 30 Jan 2024 18:54:04 -0800 Subject: [PATCH 2/4] added detectionType as param for Findings API enhancements Signed-off-by: Riya Saxena --- .../resthandler/RestGetFindingsAction.kt | 4 +++- .../transport/TransportGetFindingsAction.kt | 23 +++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt index 22b01fbbb..1270e3cab 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt @@ -46,6 +46,7 @@ class RestGetFindingsAction : BaseRestHandler() { val startIndex = request.paramAsInt("startIndex", 0) val searchString = request.param("searchString", "") val severity: String? = request.param("severity", "ALL") + val detectionType: String? = request.param("detectionType", "rules") val table = Table( sortOrder, 
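Review bot: The nested tags filter runs for any non-blank `severity`, including the `ALL` default that `RestGetFindingsAction` sends in this same patch, so a request with no explicit severity would only match findings tagged literally `ALL`. Guard the sentinel here as well as at the REST boundary: `if (!severity.isNullOrBlank() && !severity.equals("ALL", ignoreCase = true)) {`. Note also that `matchQuery` analyzes its value, so a multi-token severity matches on any of its tokens; if `queries.tags` is a keyword field a `termQuery` would be the more precise choice — confirm against the findings index mapping. The enclosing method body continues outside this hunk.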
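Review bot: `detectionType` accepts any string and, per the transport change later in this series, every value other than `threat` is treated as the rules branch, so a typo such as `rule` or `threats` silently returns rule findings instead of an error. Validating at the REST boundary keeps the contract explicit, e.g. `require(detectionType.equals("rules", true) || detectionType.equals("threat", true)) { "detectionType must be 'rules' or 'threat'" }` — confirm how `BaseRestHandler` maps `IllegalArgumentException` to a response status in this codebase before relying on it for a 400. The hunk ends before `prepareRequest` does.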
@@ -59,7 +60,8 @@ class RestGetFindingsAction : BaseRestHandler() { val getFindingsSearchRequest = GetFindingsRequest( findingID, table, - severity + severity, + detectionType ) return RestChannelConsumer { channel -> diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt index f64462b0e..89d2eebb8 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt @@ -83,6 +83,7 @@ class TransportGetFindingsSearchAction @Inject constructor( ?: recreateObject(request) { GetFindingsRequest(it) } val tableProp = getFindingsRequest.table val severity = getFindingsRequest.severity + val detectionType = getFindingsRequest.detectionType val sortBuilder = SortBuilders .fieldSort(tableProp.sortString) @@ -110,6 +111,28 @@ class TransportGetFindingsSearchAction @Inject constructor( queryBuilder.filter(QueryBuilders.termsQuery("monitor_id", getFindingsRequest.monitorIds)) } + if (!detectionType.isNullOrBlank()) { + val nestedQueryBuilder = QueryBuilders.nestedQuery( + "queries", + when { + detectionType.equals("threat", ignoreCase = true) -> { + QueryBuilders.boolQuery().filter( + QueryBuilders.prefixQuery("queries.id", "threat_intel_") + ) + } + else -> { + QueryBuilders.boolQuery().mustNot( + QueryBuilders.prefixQuery("queries.id", "threat_intel_") + ) + } + }, + ScoreMode.None + ) + + // Add the nestedQueryBuilder to the main queryBuilder + queryBuilder.must(nestedQueryBuilder) + } + if (!severity.isNullOrBlank()) { queryBuilder .must( From a360cc73e5490188d2f498cd085031fb9d9bf53e Mon Sep 17 00:00:00 2001 From: Riya Saxena Date: Fri, 23 Feb 2024 20:24:25 -0800 Subject: [PATCH 3/4] added searchString param in FIndingsAPI 
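Review bot: The rules/threat split hinges on the literal `"threat_intel_"` prefix on `queries.id`, repeated twice in this hunk and presumably encoding a naming convention from wherever threat-intel queries are generated; hoist it to a named constant (`private const val THREAT_INTEL_QUERY_ID_PREFIX = "threat_intel_"`) so the two branches cannot drift from each other or from the producer. `prefixQuery` on `queries.id` assumes a keyword-type mapping — on an analyzed text field the prefix would be compared against lowercased tokens — so confirm the findings index mapping. Because the `mustNot` is evaluated per nested document, a finding that contains both threat-intel and rule queries matches both `detectionType=threat` and `detectionType=rules`; if the rules branch is meant to exclude any threat-intel involvement it should be a top-level `queryBuilder.mustNot(QueryBuilders.nestedQuery("queries", QueryBuilders.prefixQuery("queries.id", "threat_intel_"), ScoreMode.None))` instead. The enclosing method continues outside this hunk.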
Signed-off-by: Riya Saxena --- .../transport/TransportGetFindingsAction.kt | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt index 89d2eebb8..95133e9fc 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt @@ -84,6 +84,7 @@ class TransportGetFindingsSearchAction @Inject constructor( val tableProp = getFindingsRequest.table val severity = getFindingsRequest.severity val detectionType = getFindingsRequest.detectionType + val searchString = tableProp.searchString val sortBuilder = SortBuilders .fieldSort(tableProp.sortString) @@ -133,6 +134,20 @@ class TransportGetFindingsSearchAction @Inject constructor( queryBuilder.must(nestedQueryBuilder) } + if (!searchString.isNullOrBlank()) { + queryBuilder + .should(QueryBuilders.matchQuery("index", searchString)) + .should( + QueryBuilders.nestedQuery( + "queries", + QueryBuilders.matchQuery("queries.tags", searchString), + ScoreMode.None + ) + ) + .should(QueryBuilders.regexpQuery("monitor_name", searchString + ".*")) + .minimumShouldMatch(1) + } + if (!severity.isNullOrBlank()) { queryBuilder .must( From b9d9211caf51b7bacab1a75d676c7083bac0cccc Mon Sep 17 00:00:00 2001 From: Riya Saxena Date: Thu, 29 Feb 2024 09:17:43 -0800 Subject: [PATCH 4/4] adding addiional params findingIds, startTime and endTime Signed-off-by: Riya Saxena --- .../transport/TransportGetFindingsAction.kt | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt index 95133e9fc..0357889aa 100644 
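Review bot: `QueryBuilders.regexpQuery("monitor_name", searchString + ".*")` feeds the caller-supplied `searchString` into a Lucene regular expression unescaped, so metacharacters such as `.`, `|`, `(`, `[` or `~` change the query's meaning, an input like `(` yields a regex parse failure instead of an empty result, and deliberately complex patterns cost query time. If the intent is "monitor name starts with the search string", `QueryBuilders.prefixQuery("monitor_name", searchString)` expresses that without regex semantics (otherwise escape the metacharacters before concatenating); either way confirm how `monitor_name` is mapped, since prefix/regexp behave differently on text versus keyword fields. Separately, the earlier `if (!tableProp.searchString.isNullOrBlank())` block visible in the previous patch's context already adds `should` clauses for the same value, so this hunk appears to duplicate it and one of the two should go. The enclosing method continues outside this hunk.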
--- a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt @@ -106,12 +106,25 @@ class TransportGetFindingsSearchAction @Inject constructor( if (!getFindingsRequest.findingId.isNullOrBlank()) queryBuilder.filter(QueryBuilders.termQuery("_id", getFindingsRequest.findingId)) + if (!getFindingsRequest.findingIds.isNullOrEmpty()) { + queryBuilder.filter(QueryBuilders.termsQuery("id", getFindingsRequest.findingIds)) + } + if (getFindingsRequest.monitorId != null) { queryBuilder.filter(QueryBuilders.termQuery("monitor_id", getFindingsRequest.monitorId)) } else if (getFindingsRequest.monitorIds.isNullOrEmpty() == false) { queryBuilder.filter(QueryBuilders.termsQuery("monitor_id", getFindingsRequest.monitorIds)) } + if (getFindingsRequest.startTime != null && getFindingsRequest.endTime != null) { + val startTime = getFindingsRequest.startTime!!.toEpochMilli() + val endTime = getFindingsRequest.endTime!!.toEpochMilli() + val timeRangeQuery = QueryBuilders.rangeQuery("timestamp") + .from(startTime) // Greater than or equal to start time + .to(endTime) // Less than or equal to end time + queryBuilder.filter(timeRangeQuery) + } + if (!detectionType.isNullOrBlank()) { val nestedQueryBuilder = QueryBuilders.nestedQuery( "queries", @@ -182,7 +195,6 @@ class TransportGetFindingsSearchAction @Inject constructor( ) ) } - searchSourceBuilder.query(queryBuilder) client.threadPool().threadContext.stashContext().use {
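Review bot: The time-range filter is applied only when both `startTime` and `endTime` are set, so a request supplying just one bound silently gets unbounded results instead of an open-ended range; handling each bound independently also removes the two `!!` operators. Separately, the new `findingIds` filter targets the `id` field while the existing single-id filter two lines above uses `_id` — if the finding document does not carry its id in a field named `id` this filter never matches, so the two should agree (presumably both on `_id`); confirm against the findings index mapping. The enclosing method begins and ends outside this hunk.
```kotlin
if (getFindingsRequest.startTime != null || getFindingsRequest.endTime != null) {
    val timeRangeQuery = QueryBuilders.rangeQuery("timestamp")
    // Each bound is optional; an absent bound leaves that side of the range open.
    getFindingsRequest.startTime?.let { timeRangeQuery.from(it.toEpochMilli()) }
    getFindingsRequest.endTime?.let { timeRangeQuery.to(it.toEpochMilli()) }
    queryBuilder.filter(timeRangeQuery)
}
// … unchanged: detectionType / severity / searchString clauses …
```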