From 2420c2ccfd2c4fa6405527d062f916269bbf4e57 Mon Sep 17 00:00:00 2001 From: Riya <69919272+riysaxen-amzn@users.noreply.github.com> Date: Fri, 8 Mar 2024 16:39:37 -0800 Subject: [PATCH] Feature findings enhancemnt (#1427) * added support for param in Finding API Signed-off-by: Riya Saxena * added detectionType as param for Findings API enhancements Signed-off-by: Riya Saxena * added searchString param in FIndingsAPI Signed-off-by: Riya Saxena * adding addiional params findingIds, startTime and endTime Signed-off-by: Riya Saxena --------- Signed-off-by: Riya Saxena --- .../resthandler/RestGetFindingsAction.kt | 6 +- .../transport/TransportGetFindingsAction.kt | 66 ++++++++++++++++++- 2 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt
index 75607a701..1270e3cab 100644
--- a/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt
+++ b/alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestGetFindingsAction.kt
@@ -45,6 +45,8 @@ class RestGetFindingsAction : BaseRestHandler() {
 val size = request.paramAsInt("size", 20)
 val startIndex = request.paramAsInt("startIndex", 0)
 val searchString = request.param("searchString", "")
+ val severity: String? = request.param("severity", "ALL")
+ val detectionType: String? = request.param("detectionType", "rules")
 val table = Table(
 sortOrder,
@@ -57,7 +59,9 @@ class RestGetFindingsAction : BaseRestHandler() {
 val getFindingsSearchRequest = GetFindingsRequest(
 findingID,
- table
+ table,
+ severity,
+ detectionType
 )
 return RestChannelConsumer { channel ->
diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt
index 35f04558f..0357889aa 100644
--- a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt
+++ b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportGetFindingsAction.kt
@@ -82,6 +82,9 @@ class TransportGetFindingsSearchAction @Inject constructor(
 val getFindingsRequest = request as? GetFindingsRequest ?: recreateObject(request) { GetFindingsRequest(it) }
 val tableProp = getFindingsRequest.table
+ val severity = getFindingsRequest.severity
+ val detectionType = getFindingsRequest.detectionType
+ val searchString = tableProp.searchString
 val sortBuilder = SortBuilders
 .fieldSort(tableProp.sortString)
@@ -103,12 +106,74 @@ class TransportGetFindingsSearchAction @Inject constructor(
 if (!getFindingsRequest.findingId.isNullOrBlank()) queryBuilder.filter(QueryBuilders.termQuery("_id", getFindingsRequest.findingId))
+ if (!getFindingsRequest.findingIds.isNullOrEmpty()) {
+ queryBuilder.filter(QueryBuilders.termsQuery("id", getFindingsRequest.findingIds))
+ }
+
 if (getFindingsRequest.monitorId != null) {
 queryBuilder.filter(QueryBuilders.termQuery("monitor_id", getFindingsRequest.monitorId))
 } else if (getFindingsRequest.monitorIds.isNullOrEmpty() == false) {
 queryBuilder.filter(QueryBuilders.termsQuery("monitor_id", getFindingsRequest.monitorIds))
 }
+ if (getFindingsRequest.startTime != null && getFindingsRequest.endTime != null) {
+ val startTime = getFindingsRequest.startTime!!.toEpochMilli()
+ val endTime = getFindingsRequest.endTime!!.toEpochMilli()
+ val timeRangeQuery = QueryBuilders.rangeQuery("timestamp")
+ .from(startTime) // Greater than or equal to start time
+ .to(endTime) // Less than or equal to end time
+ queryBuilder.filter(timeRangeQuery)
+ }
+
+ if (!detectionType.isNullOrBlank()) {
+ val nestedQueryBuilder = QueryBuilders.nestedQuery(
+ "queries",
+ when {
+ detectionType.equals("threat", ignoreCase = true) -> {
+ QueryBuilders.boolQuery().filter(
+ QueryBuilders.prefixQuery("queries.id", "threat_intel_")
+ )
+ }
+ else -> {
+ QueryBuilders.boolQuery().mustNot(
+ QueryBuilders.prefixQuery("queries.id", "threat_intel_")
+ )
+ }
+ },
+ ScoreMode.None
+ )
+
+ // Add the nestedQueryBuilder to the main queryBuilder
+ queryBuilder.must(nestedQueryBuilder)
+ }
+
+ if (!searchString.isNullOrBlank()) {
+ queryBuilder
+ .should(QueryBuilders.matchQuery("index", searchString))
+ .should(
+ QueryBuilders.nestedQuery(
+ "queries",
+ QueryBuilders.matchQuery("queries.tags", searchString),
+ ScoreMode.None
+ )
+ )
+ .should(QueryBuilders.regexpQuery("monitor_name", searchString + ".*"))
+ .minimumShouldMatch(1)
+ }
+
+ if (!severity.isNullOrBlank()) {
+ queryBuilder
+ .must(
+ QueryBuilders.nestedQuery(
+ "queries",
+ QueryBuilders.boolQuery().should(
+ QueryBuilders.matchQuery("queries.tags", severity)
+ ),
+ ScoreMode.None
+ )
+ )
+ }
+
 if (!tableProp.searchString.isNullOrBlank()) {
 queryBuilder
 .should(
@@ -130,7 +195,6 @@ class TransportGetFindingsSearchAction @Inject constructor(
 )
 )
 }
- searchSourceBuilder.query(queryBuilder)
 client.threadPool().threadContext.stashContext().use {
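Review bot: The severity block at the end of this hunk turns any non-blank value into a mandatory `queries.tags` match, while the REST handler in this same patch defaults `severity` to `"ALL"`, so a request that omits the parameter is narrowed to findings tagged "ALL" instead of being left unfiltered; unless "ALL" is mapped away somewhere outside the diff, guard it with `if (!severity.isNullOrBlank() && !severity.equals("ALL", ignoreCase = true)) {`. The `searchString` block also passes caller input unescaped into `QueryBuilders.regexpQuery("monitor_name", searchString + ".*")`, so regex metacharacters in the search term either change the query's meaning or make it fail to parse, whereas the other two clauses treat the same string as plain text; `QueryBuilders.prefixQuery("monitor_name", searchString)` expresses the intended prefix match without interpreting the input (assuming `monitor_name` is a keyword field). The next hunk removes `searchSourceBuilder.query(queryBuilder)` and no visible hunk re-adds it, so if the query is not attached elsewhere none of these clauses, nor the existing monitor_id filters, reach the search; worth confirming before merge. The enclosing method starts before this hunk and ends after it.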