From e8c4b5847f57b40f98a653832306f99c50a6f0aa Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 25 Mar 2024 21:03:22 +0000
Subject: [PATCH] Feature findings enhancemnt (#1427)

* added support for param in Finding API

Signed-off-by: Riya Saxena

* added detectionType as param for Findings API enhancements

Signed-off-by: Riya Saxena

* added searchString param in FIndingsAPI

Signed-off-by: Riya Saxena

* adding addiional params findingIds, startTime and endTime

Signed-off-by: Riya Saxena

---------

Signed-off-by: Riya Saxena
(cherry picked from commit 2420c2ccfd2c4fa6405527d062f916269bbf4e57)
Signed-off-by: github-actions[bot]
---
 .../resthandler/RestGetFindingsAction.kt      |  6 +-
 .../transport/TransportGetFindingsAction.kt   | 66 ++++++++++++++++++-
 2 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt
index 75607a701..1270e3cab 100644
--- a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt
+++ b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt
@@ -45,6 +45,8 @@ class RestGetFindingsAction : BaseRestHandler() {
         val size = request.paramAsInt("size", 20)
         val startIndex = request.paramAsInt("startIndex", 0)
         val searchString = request.param("searchString", "")
+        val severity: String? = request.param("severity", "ALL")
+        val detectionType: String? = request.param("detectionType", "rules")
         val table = Table(
             sortOrder,
@@ -57,7 +59,9 @@ class RestGetFindingsAction : BaseRestHandler() {
         val getFindingsSearchRequest = GetFindingsRequest(
             findingID,
-            table
+            table,
+            severity,
+            detectionType
         )
         return RestChannelConsumer { channel ->
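Review bot: The `"ALL"` default on the first added line, `request.param("severity", "ALL")`, is not treated as a wildcard anywhere in this patch: the transport hunk applies `severity` as a `queries.tags` match whenever it is non-blank, so a request that omits the parameter would be filtered on a literal `ALL` tag instead of matching every severity (unless a layer not shown here handles it). Defaulting to `null` — `val severity: String? = request.param("severity")` — or skipping `ALL` where the filter is built would avoid that. `detectionType` similarly accepts any string and, per the transport hunk, anything other than `threat` is silently treated as rules; rejecting unknown values with a 400 would make the contract explicit. The enclosing method starts and ends outside the hunk.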
diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt
index d5d5cc9d9..ae7548d13 100644
--- a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt
+++ b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt
@@ -84,6 +84,9 @@ class TransportGetFindingsSearchAction @Inject constructor(
         val getFindingsRequest = request as? GetFindingsRequest
             ?: recreateObject(request) { GetFindingsRequest(it) }
         val tableProp = getFindingsRequest.table
+        val severity = getFindingsRequest.severity
+        val detectionType = getFindingsRequest.detectionType
+        val searchString = tableProp.searchString
         val sortBuilder = SortBuilders
             .fieldSort(tableProp.sortString)
@@ -106,12 +109,74 @@ class TransportGetFindingsSearchAction @Inject constructor(
             queryBuilder.filter(QueryBuilders.termQuery("_id", getFindingsRequest.findingId))
         }
+        if (!getFindingsRequest.findingIds.isNullOrEmpty()) {
+            queryBuilder.filter(QueryBuilders.termsQuery("id", getFindingsRequest.findingIds))
+        }
+
         if (getFindingsRequest.monitorId != null) {
             queryBuilder.filter(QueryBuilders.termQuery("monitor_id", getFindingsRequest.monitorId))
         } else if (getFindingsRequest.monitorIds.isNullOrEmpty() == false) {
             queryBuilder.filter(QueryBuilders.termsQuery("monitor_id", getFindingsRequest.monitorIds))
+
         }
+        if (getFindingsRequest.startTime != null && getFindingsRequest.endTime != null) {
+            val startTime = getFindingsRequest.startTime!!.toEpochMilli()
+            val endTime = getFindingsRequest.endTime!!.toEpochMilli()
+            val timeRangeQuery = QueryBuilders.rangeQuery("timestamp")
+                .from(startTime) // Greater than or equal to start time
+                .to(endTime) // Less than or equal to end time
+            queryBuilder.filter(timeRangeQuery)
+        }
+
+        if (!detectionType.isNullOrBlank()) {
+            val nestedQueryBuilder = QueryBuilders.nestedQuery(
+                "queries",
+                when {
+                    detectionType.equals("threat", ignoreCase = true) -> {
+                        QueryBuilders.boolQuery().filter(
+                            QueryBuilders.prefixQuery("queries.id", "threat_intel_")
+                        )
+                    }
+                    else -> {
+                        QueryBuilders.boolQuery().mustNot(
+                            QueryBuilders.prefixQuery("queries.id", "threat_intel_")
+                        )
+                    }
+                },
+                ScoreMode.None
+            )
+
+            // Add the nestedQueryBuilder to the main queryBuilder
+            queryBuilder.must(nestedQueryBuilder)
+        }
+
+        if (!searchString.isNullOrBlank()) {
+            queryBuilder
+                .should(QueryBuilders.matchQuery("index", searchString))
+                .should(
+                    QueryBuilders.nestedQuery(
+                        "queries",
+                        QueryBuilders.matchQuery("queries.tags", searchString),
+                        ScoreMode.None
+                    )
+                )
+                .should(QueryBuilders.regexpQuery("monitor_name", searchString + ".*"))
+                .minimumShouldMatch(1)
+        }
+
+        if (!severity.isNullOrBlank()) {
+            queryBuilder
+                .must(
+                    QueryBuilders.nestedQuery(
+                        "queries",
+                        QueryBuilders.boolQuery().should(
+                            QueryBuilders.matchQuery("queries.tags", severity)
+                        ),
+                        ScoreMode.None
+                    )
+                )
+        }
+
         if (!tableProp.searchString.isNullOrBlank()) {
             queryBuilder
                 .should(
@@ -133,7 +198,6 @@ class TransportGetFindingsSearchAction @Inject constructor(
                 )
             )
         }
-
         searchSourceBuilder.query(queryBuilder)
         client.threadPool().threadContext.stashContext().use {
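Review bot: `QueryBuilders.regexpQuery("monitor_name", searchString + ".*")` in the `searchString` block hands a caller-supplied REST parameter straight to the regexp engine, so characters such as `.`, `[`, `(` or `~` are interpreted instead of matched literally and a crafted pattern can make the query expensive. Since a trailing `.*` on an anchored Lucene regexp is just a prefix match, `.should(QueryBuilders.prefixQuery("monitor_name", searchString))` gives the intended behaviour without regex interpretation (if `monitor_name` is analyzed text rather than keyword, `matchPhrasePrefixQuery` is the equivalent). Separately, `searchString` is `tableProp.searchString` (assigned in the previous hunk), so the pre-existing `if (!tableProp.searchString.isNullOrBlank())` block at the end of this hunk adds a second set of `should` clauses for the same value and one of the two blocks should go. Also worth confirming: the `findingIds` filter uses field `id` while the `findingId` filter above uses `_id`, and the `startTime!!`/`endTime!!` asserts can be avoided by binding both properties to locals before the null check so Kotlin smart-casts them. The enclosing method continues past the hunk.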