Feature findings enhancemnt (#1427)

* added support for param in Finding API Signed-off-by: Riya Saxena <[email protected]> * added detectionType as param for Findings API enhancements Signed-off-by: Riya Saxena <[email protected]> * added searchString param in FIndingsAPI Signed-off-by: Riya Saxena <[email protected]> * adding addiional params findingIds, startTime and endTime Signed-off-by: Riya Saxena <[email protected]> --------- Signed-off-by: Riya Saxena <[email protected]>
opensearch-project · Mar 9, 2024 · 2420c2c · 2420c2c
1 parent afa4f5d
commit 2420c2c
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 2 deletions.
diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt
@@ -45,6 +45,8 @@ class RestGetFindingsAction : BaseRestHandler() {
         val size = request.paramAsInt("size", 20)
         val startIndex = request.paramAsInt("startIndex", 0)
         val searchString = request.param("searchString", "")
+        val severity: String? = request.param("severity", "ALL")
+        val detectionType: String? = request.param("detectionType", "rules")
 
         val table = Table(
             sortOrder,
@@ -57,7 +59,9 @@ class RestGetFindingsAction : BaseRestHandler() {
 
         val getFindingsSearchRequest = GetFindingsRequest(
             findingID,
-            table
+            table,
+            severity,
+            detectionType
         )
         return RestChannelConsumer {
                 channel ->

diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt
@@ -82,6 +82,9 @@ class TransportGetFindingsSearchAction @Inject constructor(
         val getFindingsRequest = request as? GetFindingsRequest
             ?: recreateObject(request) { GetFindingsRequest(it) }
         val tableProp = getFindingsRequest.table
+        val severity = getFindingsRequest.severity
+        val detectionType = getFindingsRequest.detectionType
+        val searchString = tableProp.searchString
 
         val sortBuilder = SortBuilders
             .fieldSort(tableProp.sortString)
@@ -103,12 +106,74 @@ class TransportGetFindingsSearchAction @Inject constructor(
         if (!getFindingsRequest.findingId.isNullOrBlank())
             queryBuilder.filter(QueryBuilders.termQuery("_id", getFindingsRequest.findingId))
 
+        if (!getFindingsRequest.findingIds.isNullOrEmpty()) {
+            queryBuilder.filter(QueryBuilders.termsQuery("id", getFindingsRequest.findingIds))
+        }
+
         if (getFindingsRequest.monitorId != null) {
             queryBuilder.filter(QueryBuilders.termQuery("monitor_id", getFindingsRequest.monitorId))
         } else if (getFindingsRequest.monitorIds.isNullOrEmpty() == false) {
             queryBuilder.filter(QueryBuilders.termsQuery("monitor_id", getFindingsRequest.monitorIds))
         }
 
+        if (getFindingsRequest.startTime != null && getFindingsRequest.endTime != null) {
+            val startTime = getFindingsRequest.startTime!!.toEpochMilli()
+            val endTime = getFindingsRequest.endTime!!.toEpochMilli()
+            val timeRangeQuery = QueryBuilders.rangeQuery("timestamp")
+                .from(startTime) // Greater than or equal to start time
+                .to(endTime) // Less than or equal to end time
+            queryBuilder.filter(timeRangeQuery)
+        }
+
+        if (!detectionType.isNullOrBlank()) {
+            val nestedQueryBuilder = QueryBuilders.nestedQuery(
+                "queries",
+                when {
+                    detectionType.equals("threat", ignoreCase = true) -> {
+                        QueryBuilders.boolQuery().filter(
+                            QueryBuilders.prefixQuery("queries.id", "threat_intel_")
+                        )
+                    }
+                    else -> {
+                        QueryBuilders.boolQuery().mustNot(
+                            QueryBuilders.prefixQuery("queries.id", "threat_intel_")
+                        )
+                    }
+                },
+                ScoreMode.None
+            )
+
+            // Add the nestedQueryBuilder to the main queryBuilder
+            queryBuilder.must(nestedQueryBuilder)
+        }
+
+        if (!searchString.isNullOrBlank()) {
+            queryBuilder
+                .should(QueryBuilders.matchQuery("index", searchString))
+                .should(
+                    QueryBuilders.nestedQuery(
+                        "queries",
+                        QueryBuilders.matchQuery("queries.tags", searchString),
+                        ScoreMode.None
+                    )
+                )
+                .should(QueryBuilders.regexpQuery("monitor_name", searchString + ".*"))
+                .minimumShouldMatch(1)
+        }
+
+        if (!severity.isNullOrBlank()) {
+            queryBuilder
+                .must(
+                    QueryBuilders.nestedQuery(
+                        "queries",
+                        QueryBuilders.boolQuery().should(
+                            QueryBuilders.matchQuery("queries.tags", severity)
+                        ),
+                        ScoreMode.None
+                    )
+                )
+        }
+
         if (!tableProp.searchString.isNullOrBlank()) {
             queryBuilder
                 .should(
@@ -130,7 +195,6 @@ class TransportGetFindingsSearchAction @Inject constructor(
                     )
                 )
         }
-
         searchSourceBuilder.query(queryBuilder)
 
         client.threadPool().threadContext.stashContext().use {