#124 Add Search Query in Create/Update THEN-AND-OR Rules

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/AlertRuleResource.java

@@ -19,6 +19,7 @@
 package com.airbus_cyber_security.graylog.wizard.alert.rest;
 
 import com.airbus_cyber_security.graylog.events.notifications.types.LoggingNotificationConfig;
+import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessorConfig;
 import com.airbus_cyber_security.graylog.wizard.alert.business.*;
 import com.airbus_cyber_security.graylog.wizard.alert.business.AlertRuleService;
 import com.airbus_cyber_security.graylog.wizard.alert.model.*;
@@ -196,8 +197,13 @@ private GetDataAlertRule constructDataAlertRule(AlertRule alert) {
             EventDefinitionDto eventDefinitionDto = event.get();
             eventIdentifier = eventDefinitionDto.id();
             description = eventDefinitionDto.description();
-            if(eventDefinitionDto.config() != null && eventDefinitionDto.config() instanceof AggregationEventProcessorConfig) {
-                searchQuery = ((AggregationEventProcessorConfig) eventDefinitionDto.config()).query();
+            if(eventDefinitionDto.config() != null) {
+                if(eventDefinitionDto.config() instanceof AggregationEventProcessorConfig) {
+                    searchQuery = ((AggregationEventProcessorConfig) eventDefinitionDto.config()).query();
+                }
+                if(eventDefinitionDto.config() instanceof CorrelationCountProcessorConfig) {
+                    searchQuery = ((CorrelationCountProcessorConfig) eventDefinitionDto.config()).searchQuery();
+                }
             }
         }
 
@@ -423,13 +429,14 @@ private DisjunctionAlertPattern createDisjunctionAlertPattern(String notificatio
 
     private CorrelationAlertPattern createCorrelationAlertPattern(String notificationIdentifier, AlertRuleRequest request, String alertTitle, UserContext userContext, String userName, TriggeringConditions conditions) throws ValidationException {
         String description = request.getDescription();
+        String searchQuery = request.getSearchQuery();
         AlertType alertType = request.getConditionType();
         Map<String, Object> conditionParameters = request.conditionParameters();
 
         TriggeringConditions conditions2 = createTriggeringConditions(request.getSecondStream(), alertTitle + "#2", userName);
         String streamIdentifier = conditions.outputStreamIdentifier();
         String streamIdentifier2 = conditions2.outputStreamIdentifier();
-        EventProcessorConfig configuration = this.conversions.createCorrelationCondition(alertType, streamIdentifier, streamIdentifier2, conditionParameters);
+        EventProcessorConfig configuration = this.conversions.createCorrelationCondition(alertType, streamIdentifier, streamIdentifier2, searchQuery, conditionParameters);
         String eventIdentifier = this.eventDefinitionService.createEvent(alertTitle, description, notificationIdentifier, configuration, userContext);
         return CorrelationAlertPattern.builder().conditions1(conditions).conditions2(conditions2).eventIdentifier(eventIdentifier).build();
     }
@@ -455,7 +462,7 @@ private AlertPattern updateAlertPattern(AlertPattern previousAlertPattern, Strin
 
             String streamIdentifier = conditions.outputStreamIdentifier();
             String streamIdentifier2 = conditions2.outputStreamIdentifier();
-            EventProcessorConfig configuration = this.conversions.createCorrelationCondition(alertType, streamIdentifier, streamIdentifier2, request.conditionParameters());
+            EventProcessorConfig configuration = this.conversions.createCorrelationCondition(alertType, streamIdentifier, streamIdentifier2, request.getSearchQuery(), request.conditionParameters());
             this.eventDefinitionService.updateEvent(title, request.getDescription(), previousPattern.eventIdentifier(), configuration);
 
             return previousPattern.toBuilder().conditions1(conditions).build();

src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/Conversions.java

@@ -293,7 +293,7 @@ private int accessThreshold(Map<String, Object> conditionParameter) {
 
     // TODO move method to AlertRuleUtils?
     // TODO instead of a String, the type could already be a com.airbus_cyber_security.graylog.events.processor.correlation.checks.OrderType
-    EventProcessorConfig createCorrelationCondition(AlertType type, String streamID, String streamID2, Map<String, Object> conditionParameter) {
+    EventProcessorConfig createCorrelationCondition(AlertType type, String streamID, String streamID2, String searchQuery, Map<String, Object> conditionParameter) {
         OrderType messageOrder;
         if (type == AlertType.THEN) {
             messageOrder = OrderType.AFTER;
@@ -321,7 +321,7 @@ EventProcessorConfig createCorrelationCondition(AlertType type, String streamID,
                 // TODO CorrelationCountProcessorConfig.groupingFields should be of type List (or better just Collection/Iterable) rather than Set
                 .groupingFields((List<String>) conditionParameter.get(GROUPING_FIELDS))
                 .comment(Description.COMMENT_ALERT_WIZARD)
-                .searchQuery("*")
+                .searchQuery(searchQuery)
                 .build();
     }
 

src/web/wizard/components/conditions/CorrelationCondition.jsx

@@ -29,6 +29,7 @@ import Description from 'wizard/components/inputs/Description';
 import GroupByInput from 'wizard/components/inputs/GroupByInput';
 import IconArrowsV from 'wizard/components/icons/ArrowsV';
 import HighlightedDiv from 'wizard/components/containers/HighlightedDiv';
+import SearchQueryInput from "wizard/components/inputs/SearchQueryInput";
 
 const STREAM = {
     matching_type: '',
@@ -152,11 +153,12 @@ const CorrelationCondition = createReactClass({
                 <br/>
                 <GroupByInput onUpdate={this._handleChangeCondition} grouping_fields={this.state.alert.condition_parameters.grouping_fields} />
                 <br/>
+                <SearchQueryInput onUpdate={this.props.onUpdate} search_query={this.props.alert.search_query}/>
+                <br/>
                 <Description onUpdate={this.props.onUpdate} description={this.state.alert.description}/>
                 <br/>
             </>
         );
-
     },
 });
 

src/web/wizard/components/conditions/OrCondition.jsx

@@ -21,13 +21,13 @@ import React from 'react';
 import createReactClass from 'create-react-class';
 import ObjectUtils from 'util/ObjectUtils';
 import { FormattedMessage } from 'react-intl';
-import TitleSeverity from 'wizard/components/inputs/TitleSeverity';
 import FieldsInput from 'wizard/components/inputs/FieldsInput';
 import NumberInput from 'wizard/components/inputs/NumberInput';
 import TimeRangeInput from 'wizard/components/inputs/TimeRangeInput';
 import Description from 'wizard/components/inputs/Description';
 import { Row, Col } from 'components/bootstrap';
 import HighlightedDiv from 'wizard/components/containers/HighlightedDiv';
+import SearchQueryInput from "wizard/components/inputs/SearchQueryInput";
 
 const STREAM = {
     matching_type: '',
@@ -104,6 +104,8 @@ const OrCondition = createReactClass({
                 <br/>
                 <TimeRangeInput onUpdate={this._handleChangeCondition} time={time.toString()} time_type={time_type.toString()} />
                 <br/>
+                <SearchQueryInput onUpdate={this.props.onUpdate} search_query={this.props.alert.search_query}/>
+                <br/>
                 <Description onUpdate={this.props.onUpdate} description={this.props.alert.description}/>
                 <br/>
             </>