Skip to content

Commit

Permalink
correlation rule search, delete and edit api (#476)
Browse files Browse the repository at this point in the history
Signed-off-by: Subhobrata Dey <[email protected]>
(cherry picked from commit 61715cd)
  • Loading branch information
sbcd90 authored and github-actions[bot] committed Jul 11, 2023
1 parent 9788781 commit aa1fcd7
Show file tree
Hide file tree
Showing 3 changed files with 87 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -42,15 +42,19 @@ public String getName() {
@Override
public List<Route> routes() {
return List.of(
new Route(RestRequest.Method.POST, SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI)
new Route(RestRequest.Method.POST, SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI),
new Route(RestRequest.Method.PUT, String.format(Locale.getDefault(),
"%s/{%s}",
SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI,
"correlation_rule_id"))
);
}

@Override
protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
log.debug(String.format(Locale.ROOT, "%s %s", request.method(), SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI));

String id = request.param("rule_id", CorrelationRule.NO_ID);
String id = request.param("correlation_rule_id", CorrelationRule.NO_ID);

XContentParser xcp = request.contentParser();

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ protected void doExecute(Task task, DeleteCorrelationRuleRequest request, Action
new DeleteByQueryRequestBuilder(client, DeleteByQueryAction.INSTANCE)
.source(CorrelationRule.CORRELATION_RULE_INDEX)
.filter(QueryBuilders.matchQuery("_id", correlationRuleId))
.refresh(true)
.execute(new ActionListener<>() {
@Override
public void onResponse(BulkByScrollResponse response) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
*/
package org.opensearch.securityanalytics.correlation;

import org.apache.hc.core5.http.io.entity.StringEntity;
import org.apache.hc.core5.http.message.BasicHeader;
import org.junit.Assert;
import org.opensearch.client.Response;
import org.opensearch.client.ResponseException;
Expand All @@ -13,6 +15,7 @@

import java.io.IOException;
import java.util.Collections;
import java.util.Map;

import static org.opensearch.securityanalytics.TestHelpers.randomCorrelationRule;

Expand All @@ -33,4 +36,81 @@ public void testCreateCorrelationRuleWithInvalidName() {
String actualMessage = exception.getMessage();
Assert.assertTrue(actualMessage.contains(expectedMessage));
}

@SuppressWarnings("unchecked")
public void testUpdateCorrelationRule() throws IOException {
CorrelationRule rule = randomCorrelationRule("custom-rule");
Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule));
Assert.assertEquals(201, response.getStatusLine().getStatusCode());
Map<String, Object> responseMap = responseAsMap(response);
Assert.assertEquals("custom-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));

String id = responseMap.get("_id").toString();

rule = randomCorrelationRule("custom-updated-rule");
response = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/" + id, Collections.emptyMap(), toHttpEntity(rule));
Assert.assertEquals(200, response.getStatusLine().getStatusCode());
responseMap = responseAsMap(response);
Assert.assertEquals("custom-updated-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));
}

@SuppressWarnings("unchecked")
public void testDeleteCorrelationRule() throws IOException {
CorrelationRule rule = randomCorrelationRule("custom-rule");
Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule));
Assert.assertEquals(201, response.getStatusLine().getStatusCode());
Map<String, Object> responseMap = responseAsMap(response);
Assert.assertEquals("custom-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));
String id = responseMap.get("_id").toString();

String request = "{\n" +
" \"query\" : {\n" +
" \"match_all\":{\n" +
" }\n" +
" }\n" +
"}";
response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json"));
responseMap = responseAsMap(response);
Assert.assertEquals(1, Integer.parseInt(((Map<String, Object>) ((Map<String, Object>) responseMap.get("hits")).get("total")).get("value").toString()));

response = makeRequest(client(), "DELETE", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/" + id, Collections.emptyMap(), null);
Assert.assertEquals(200, response.getStatusLine().getStatusCode());

request = "{\n" +
" \"query\" : {\n" +
" \"match_all\":{\n" +
" }\n" +
" }\n" +
"}";
response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json"));
responseMap = responseAsMap(response);
Assert.assertEquals(0, Integer.parseInt(((Map<String, Object>) ((Map<String, Object>) responseMap.get("hits")).get("total")).get("value").toString()));
}

@SuppressWarnings("unchecked")
public void testSearchCorrelationRule() throws IOException {
CorrelationRule rule = randomCorrelationRule("custom-rule");
Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule));
Assert.assertEquals(201, response.getStatusLine().getStatusCode());
Map<String, Object> responseMap = responseAsMap(response);
Assert.assertEquals("custom-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));

String request = "{\n" +
" \"query\": {\n" +
" \"nested\": {\n" +
" \"path\": \"correlate\",\n" +
" \"query\": {\n" +
" \"bool\": {\n" +
" \"must\": [\n" +
" { \"match\": {\"correlate.category\": \"network\"}}\n" +
" ]\n" +
" }\n" +
" }\n" +
" }\n" +
" }\n" +
"}";
response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json"));
responseMap = responseAsMap(response);
Assert.assertEquals(1, Integer.parseInt(((Map<String, Object>) ((Map<String, Object>) responseMap.get("hits")).get("total")).get("value").toString()));
}
}

0 comments on commit aa1fcd7

Please sign in to comment.