Skip to content

Commit

Permalink
update alerts with an errorMessage when correlationRule is deleted
Browse files Browse the repository at this point in the history
Signed-off-by: Riya Saxena <[email protected]>
  • Loading branch information
riysaxen-amzn committed Jun 10, 2024
1 parent 462604d commit 3a1b9fa
Show file tree
Hide file tree
Showing 4 changed files with 47 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ public void indexCorrelationAlert(CorrelationAlert correlationAlert, TimeValue i
}
}

public void getAlerts(String ruleId, Table tableProp, ActionListener<GetCorrelationAlertsResponse> listener) {
public void getCorrelationAlerts(String ruleId, Table tableProp, ActionListener<GetCorrelationAlertsResponse> listener) {
BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery();
if (ruleId != null) {
queryBuilder = QueryBuilders.boolQuery()
Expand Down Expand Up @@ -267,6 +267,39 @@ public void onFailure(Exception e) {
});
}

public void updateCorrelationAlertsWithError(String correlationRuleId) {
BulkRequest bulkRequest = new BulkRequest();
BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery()
.must(QueryBuilders.termQuery("correlation_rule_id", correlationRuleId));
SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder().query(queryBuilder);
SearchRequest searchRequest = new SearchRequest(CorrelationIndices.CORRELATION_ALERT_INDEX)
.source(searchSourceBuilder);

// Execute the search request
client.search(searchRequest, new ActionListener<SearchResponse>() {
@Override
public void onResponse(SearchResponse searchResponse) {
// Iterate through the search hits
for (SearchHit hit : searchResponse.getHits().getHits()) {
// Construct a script to update the document with the new state and error_message
Script script = new Script(ScriptType.INLINE, "painless",
"ctx._source.state = params.state; ctx._source.error_message = params.error_message",
Map.of("state", Alert.State.ERROR, "error_message", "The rule associated to this Alert is deleted"));
// Create an update request with the script
UpdateRequest updateRequest = new UpdateRequest(CorrelationIndices.CORRELATION_ALERT_INDEX, hit.getId())
.script(script);
// Add the update request to the bulk request
bulkRequest.add(updateRequest);
client.bulk(bulkRequest);
}
}
@Override
public void onFailure(Exception e) {
log.error("Error updating the alerts with Error message for correlation ruleId: {}", correlationRuleId);
}
});
}


public List<CorrelationAlert> parseCorrelationAlerts(final SearchResponse response) throws IOException {
List<CorrelationAlert> alerts = new ArrayList<>();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@

package org.opensearch.securityanalytics.transport;

import java.util.Collections;
import java.util.Locale;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
Expand All @@ -19,13 +20,15 @@
import org.opensearch.action.support.master.AcknowledgedResponse;
import org.opensearch.client.Client;
import org.opensearch.common.inject.Inject;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.index.query.QueryBuilders;
import org.opensearch.index.reindex.BulkByScrollResponse;
import org.opensearch.index.reindex.DeleteByQueryAction;
import org.opensearch.index.reindex.DeleteByQueryRequestBuilder;
import org.opensearch.core.rest.RestStatus;
import org.opensearch.securityanalytics.action.DeleteCorrelationRuleAction;
import org.opensearch.securityanalytics.action.DeleteCorrelationRuleRequest;
import org.opensearch.securityanalytics.correlation.alert.CorrelationAlertService;
import org.opensearch.securityanalytics.model.CorrelationRule;
import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
import org.opensearch.tasks.Task;
Expand All @@ -37,6 +40,9 @@ public class TransportDeleteCorrelationRuleAction extends HandledTransportAction

private final Client client;

private CorrelationAlertService correlationAlertService;


@Inject
public TransportDeleteCorrelationRuleAction(
TransportService transportService,
Expand All @@ -45,6 +51,7 @@ public TransportDeleteCorrelationRuleAction(
) {
super(DeleteCorrelationRuleAction.NAME, transportService, actionFilters, DeleteCorrelationRuleRequest::new);
this.client = client;
this.correlationAlertService = new CorrelationAlertService(client, new NamedXContentRegistry(Collections.emptyList()));
}

@Override
Expand Down Expand Up @@ -72,6 +79,9 @@ public void onResponse(BulkByScrollResponse response) {
);
return;
}
// update the alerts assosciated with correlation Rules, with error STATE and errorMessage
log.debug("Updating Correlation Alerts with error Message for ruleId: " + correlationRuleId);
correlationAlertService.updateCorrelationAlertsWithError(correlationRuleId);
listener.onResponse(new AcknowledgedResponse(true));
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -61,13 +61,13 @@ protected void doExecute(Task task, GetCorrelationAlertsRequest request, ActionL
}

if (request.getCorrelationRuleId() != null) {
correlationAlertService.getAlerts(
correlationAlertService.getCorrelationAlerts(
request.getCorrelationRuleId(),
request.getTable(),
actionListener
);
} else {
correlationAlertService.getAlerts(
correlationAlertService.getCorrelationAlerts(
null,
request.getTable(),
actionListener
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -227,7 +227,7 @@ public static CorrelationRule randomCorrelationRule(String name) {
List.of(
new CorrelationQuery("vpc_flow1", "dstaddr:192.168.1.*", "network", null),
new CorrelationQuery("ad_logs1", "azure.platformlogs.result_type:50126", "ad_ldap", null)
), 300000L);
), 300000L, null) ;
}

public static String randomRule() {
Expand Down

0 comments on commit 3a1b9fa

Please sign in to comment.