From 8b09d01f39dfd0d57d7d93f17aa256727ef45120 Mon Sep 17 00:00:00 2001
From: VincentD06
Date: Wed, 19 Jun 2024 11:22:05 +0200
Subject: [PATCH] #124 Add Search Query in Create/Update THEN-AND-OR Rules
---
 .../wizard/alert/rest/AlertRuleResource.java | 15 +++++++++++----
 .../graylog/wizard/alert/rest/Conversions.java | 4 ++--
 .../conditions/CorrelationCondition.jsx | 4 +++-
 .../wizard/components/conditions/OrCondition.jsx | 4 +++-
 4 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/AlertRuleResource.java b/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/AlertRuleResource.java
index 23b91647..e8815d98 100755
--- a/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/AlertRuleResource.java
+++ b/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/AlertRuleResource.java
@@ -19,6 +19,7 @@ package com.airbus_cyber_security.graylog.wizard.alert.rest;
 import com.airbus_cyber_security.graylog.events.notifications.types.LoggingNotificationConfig;
+import com.airbus_cyber_security.graylog.events.processor.correlation.CorrelationCountProcessorConfig;
 import com.airbus_cyber_security.graylog.wizard.alert.business.*;
 import com.airbus_cyber_security.graylog.wizard.alert.business.AlertRuleService;
 import com.airbus_cyber_security.graylog.wizard.alert.model.*;
@@ -196,8 +197,13 @@ private GetDataAlertRule constructDataAlertRule(AlertRule alert) {
 EventDefinitionDto eventDefinitionDto = event.get();
 eventIdentifier = eventDefinitionDto.id();
 description = eventDefinitionDto.description();
- if(eventDefinitionDto.config() != null && eventDefinitionDto.config() instanceof AggregationEventProcessorConfig) {
- searchQuery = ((AggregationEventProcessorConfig) eventDefinitionDto.config()).query();
+ if(eventDefinitionDto.config() != null) {
+ if(eventDefinitionDto.config() instanceof AggregationEventProcessorConfig) {
+ searchQuery = ((AggregationEventProcessorConfig) eventDefinitionDto.config()).query();
+ }
+ if(eventDefinitionDto.config() instanceof CorrelationCountProcessorConfig) {
+ searchQuery = ((CorrelationCountProcessorConfig) eventDefinitionDto.config()).searchQuery();
+ }
 }
 }
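Review bot: The outer `if(eventDefinitionDto.config() != null)` added here is redundant, since `instanceof` is already false for null, and the two inner tests are for mutually exclusive types, so an `else if` on a single local reads more clearly and drops the six repeated `config()` calls. If neither type matches, `searchQuery` silently keeps whatever it was set to earlier in `constructDataAlertRule`, whose start lies outside this hunk; a short comment there saying that is intended would help the next reader. Rewritten lines below; `EventProcessorConfig` is the config type this file already hands to `createEvent`.
```java
        description = eventDefinitionDto.description();
        // instanceof rejects null on its own, and the two config types are mutually exclusive
        EventProcessorConfig config = eventDefinitionDto.config();
        if (config instanceof AggregationEventProcessorConfig) {
            searchQuery = ((AggregationEventProcessorConfig) config).query();
        } else if (config instanceof CorrelationCountProcessorConfig) {
            searchQuery = ((CorrelationCountProcessorConfig) config).searchQuery();
        }
```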
@@ -423,13 +429,14 @@ private DisjunctionAlertPattern createDisjunctionAlertPattern(String notificatio
 private CorrelationAlertPattern createCorrelationAlertPattern(String notificationIdentifier, AlertRuleRequest request, String alertTitle, UserContext userContext, String userName, TriggeringConditions conditions) throws ValidationException {
 String description = request.getDescription();
+ String searchQuery = request.getSearchQuery();
 AlertType alertType = request.getConditionType();
 Map conditionParameters = request.conditionParameters();
 TriggeringConditions conditions2 = createTriggeringConditions(request.getSecondStream(), alertTitle + "#2", userName);
 String streamIdentifier = conditions.outputStreamIdentifier();
 String streamIdentifier2 = conditions2.outputStreamIdentifier();
- EventProcessorConfig configuration = this.conversions.createCorrelationCondition(alertType, streamIdentifier, streamIdentifier2, conditionParameters);
+ EventProcessorConfig configuration = this.conversions.createCorrelationCondition(alertType, streamIdentifier, streamIdentifier2, searchQuery, conditionParameters);
 String eventIdentifier = this.eventDefinitionService.createEvent(alertTitle, description, notificationIdentifier, configuration, userContext);
 return CorrelationAlertPattern.builder().conditions1(conditions).conditions2(conditions2).eventIdentifier(eventIdentifier).build();
 }
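Review bot: `request.getSearchQuery()` is handed to `createCorrelationCondition(...)` on the new line with no fallback, where the value was the fixed `"*"` before this commit; the updated call in `updateAlertPattern` (the `@@ -455` hunk) and the `.searchQuery(searchQuery)` line in Conversions (the `@@ -321` hunk) carry the same issue. A request that omits the field — an older wizard UI, or a script calling this REST resource directly — presumably arrives as null or an empty string, and from the hunk alone I cannot tell whether that fails in the config builder or quietly changes what the correlation rule matches. Normalizing once in `Conversions.createCorrelationCondition`, `String query = (searchQuery == null || searchQuery.isBlank()) ? "*" : searchQuery;` followed by `.searchQuery(query)`, preserves the previous default for such callers and leaves a single point where the operator-supplied query enters the stored event definition. `String.isBlank()` needs Java 11; use `trim().isEmpty()` otherwise.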
@@ -455,7 +462,7 @@ private AlertPattern updateAlertPattern(AlertPattern previousAlertPattern, Strin
 String streamIdentifier = conditions.outputStreamIdentifier();
 String streamIdentifier2 = conditions2.outputStreamIdentifier();
- EventProcessorConfig configuration = this.conversions.createCorrelationCondition(alertType, streamIdentifier, streamIdentifier2, request.conditionParameters());
+ EventProcessorConfig configuration = this.conversions.createCorrelationCondition(alertType, streamIdentifier, streamIdentifier2, request.getSearchQuery(), request.conditionParameters());
 this.eventDefinitionService.updateEvent(title, request.getDescription(), previousPattern.eventIdentifier(), configuration);
 return previousPattern.toBuilder().conditions1(conditions).build();
diff --git a/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/Conversions.java b/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/Conversions.java
index dcde2d32..0c05e890 100755
--- a/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/Conversions.java
+++ b/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/rest/Conversions.java
@@ -293,7 +293,7 @@ private int accessThreshold(Map conditionParameter) {
 // TODO move method to AlertRuleUtils?
 // TODO instead of a String, the type could already be a com.airbus_cyber_security.graylog.events.processor.correlation.checks.OrderType
- EventProcessorConfig createCorrelationCondition(AlertType type, String streamID, String streamID2, Map conditionParameter) {
+ EventProcessorConfig createCorrelationCondition(AlertType type, String streamID, String streamID2, String searchQuery, Map conditionParameter) {
 OrderType messageOrder;
 if (type == AlertType.THEN) {
 messageOrder = OrderType.AFTER;
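Review bot: The new `searchQuery` parameter on `createCorrelationCondition` is undocumented, and the method carries only two TODOs, so a caller cannot tell whether null or an empty query is accepted or that the value used to be fixed. Suggest a Javadoc line above the signature: `@param searchQuery search query stored on the resulting CorrelationCountProcessorConfig; before this change it was always "*"`. The method body continues past the end of this hunk.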
@@ -321,7 +321,7 @@ EventProcessorConfig createCorrelationCondition(AlertType type, String streamID,
 // TODO CorrelationCountProcessorConfig.groupingFields should be of type List (or better just Collection/Iterable) rather than Set
 .groupingFields((List) conditionParameter.get(GROUPING_FIELDS))
 .comment(Description.COMMENT_ALERT_WIZARD)
- .searchQuery("*")
+ .searchQuery(searchQuery)
 .build();
 }
diff --git a/src/web/wizard/components/conditions/CorrelationCondition.jsx b/src/web/wizard/components/conditions/CorrelationCondition.jsx
index de32f117..b54b83a7 100755
--- a/src/web/wizard/components/conditions/CorrelationCondition.jsx
+++ b/src/web/wizard/components/conditions/CorrelationCondition.jsx
@@ -29,6 +29,7 @@ import Description from 'wizard/components/inputs/Description';
 import GroupByInput from 'wizard/components/inputs/GroupByInput';
 import IconArrowsV from 'wizard/components/icons/ArrowsV';
 import HighlightedDiv from 'wizard/components/containers/HighlightedDiv';
+import SearchQueryInput from "wizard/components/inputs/SearchQueryInput";
 const STREAM = {
 matching_type: '',
@@ -152,11 +153,12 @@ const CorrelationCondition = createReactClass({
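Review bot: The added `import SearchQueryInput from "wizard/components/inputs/SearchQueryInput";` uses double quotes while every other import in this file uses single quotes; the same line is added to OrCondition.jsx in the `@@ -21,13` hunk. Writing it as `import SearchQueryInput from 'wizard/components/inputs/SearchQueryInput';` in both files keeps the import block consistent and avoids a lint finding if the project enforces a quote style.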

+ +

); - }, });
diff --git a/src/web/wizard/components/conditions/OrCondition.jsx b/src/web/wizard/components/conditions/OrCondition.jsx
index f918d9ce..e79bbd03 100755
--- a/src/web/wizard/components/conditions/OrCondition.jsx
+++ b/src/web/wizard/components/conditions/OrCondition.jsx
@@ -21,13 +21,13 @@ import React from 'react';
 import createReactClass from 'create-react-class';
 import ObjectUtils from 'util/ObjectUtils';
 import { FormattedMessage } from 'react-intl';
-import TitleSeverity from 'wizard/components/inputs/TitleSeverity';
 import FieldsInput from 'wizard/components/inputs/FieldsInput';
 import NumberInput from 'wizard/components/inputs/NumberInput';
 import TimeRangeInput from 'wizard/components/inputs/TimeRangeInput';
 import Description from 'wizard/components/inputs/Description';
 import { Row, Col } from 'components/bootstrap';
 import HighlightedDiv from 'wizard/components/containers/HighlightedDiv';
+import SearchQueryInput from "wizard/components/inputs/SearchQueryInput";
 const STREAM = {
 matching_type: '',
@@ -104,6 +104,8 @@ const OrCondition = createReactClass({

+ +