/**
 * Runs a group request against Solr with metaalert-related documents filtered out.
 * Two prohibited clauses are appended to the caller's query so that the grouping
 * neither counts child alerts that already belong to a metaalert nor the metaalert
 * documents themselves.
 * @param groupRequest The request whose query is adjusted in place before delegation
 * @return The grouped response from the Solr DAO
 * @throws InvalidSearchException if the underlying DAO rejects the query
 */
@Override
public GroupResponse group(GroupRequest groupRequest) throws InvalidSearchException {
  // The source-type field name comes from configuration, so escape it before it is
  // spliced into query syntax; the METAALERT_* constants are fixed identifiers.
  String escapedSourceTypeField = ClientUtils.escapeQueryChars(config.getSourceTypeField());
  // NOTE(review): the caller's query text is intentionally left unescaped (it is query
  // syntax, not a literal value), so the exclusions below only hold if the parser treats
  // the appended "-" clauses as top-level prohibited clauses. Verify that a query with
  // unbalanced quotes/parentheses or leading local params cannot neutralise them.
  StringBuilder adjusted = new StringBuilder();
  adjusted.append(groupRequest.getQuery());
  // Exclude child alerts that carry any metaalert reference ...
  adjusted.append(" -").append(MetaAlertConstants.METAALERT_FIELD).append(":[* TO *]");
  // ... and exclude the metaalert documents themselves.
  adjusted.append(" -").append(escapedSourceTypeField).append(":").append(MetaAlertConstants.METAALERT_TYPE);
  String adjustedQuery = adjusted.toString();
  LOG.debug("MetaAlert group adjusted query: {}", adjustedQuery);
  groupRequest.setQuery(adjustedQuery);
  return solrSearchDao.group(groupRequest);
}
}
/**
 * Builds the updates to run when a set of new alerts is added to a given metaalert.
 * The metaalert's aggregated scores are recomputed only when at least one alert was
 * actually added; otherwise no updates are produced at all.
 * @param metaAlert The base metaalert the alerts are being added to
 * @param alerts The alerts being added
 * @return The updates to run, keyed by document: the metaalert maps to the metaalert
 *         index, each child alert that gained the reference maps to {@code Optional.empty()}
 */
protected Map<Document, Optional<String>> buildAddAlertToMetaAlertUpdates(Document metaAlert, Iterable<Document> alerts) {
  Map<Document, Optional<String>> pendingUpdates = new HashMap<>();
  if (!addAlertsToMetaAlert(metaAlert, alerts)) {
    // Nothing changed on the metaalert, so there is nothing to persist.
    return pendingUpdates;
  }
  // Membership changed, so the aggregated scores must be recomputed before persisting.
  MetaScores.calculateMetaScores(metaAlert, config.getThreatTriageField(), config.getThreatSort());
  pendingUpdates.put(metaAlert, Optional.of(config.getMetaAlertIndex()));
  // Each child alert that gained the metaalert reference has to be written back as well.
  String metaAlertGuid = metaAlert.getGuid();
  for (Document child : alerts) {
    if (addMetaAlertToAlert(metaAlertGuid, child)) {
      pendingUpdates.put(child, Optional.empty());
    }
  }
  return pendingUpdates;
}
/**
 * Resolves the name of the field that holds a document's source (sensor) type.
 * The value is read from the global configuration under
 * {@code Constants.SENSOR_TYPE_FIELD_PROPERTY}; when no global configuration is
 * available, or the property is absent, the default field name is used.
 * @return The configured source-type field name, or the default
 */
public String getSourceTypeField() {
  Map<String, Object> globalConfig = globalConfigSupplier.get();
  if (globalConfig == null) {
    return getDefaultSourceTypeField();
  }
  return ConfigurationsUtils.getFieldName(globalConfig, Constants.SENSOR_TYPE_FIELD_PROPERTY, getDefaultSourceTypeField());
}
MetaAlertConstants.ALERT_FIELD); MetaScores .calculateMetaScores(metaAlert, getConfig().getThreatTriageField(), getConfig().getThreatSort()); .put(getConfig().getSourceTypeField(), MetaAlertConstants.METAALERT_TYPE); updates.put(metaAlert, Optional.of(getConfig().getMetaAlertIndex()));
MetaScores.calculateMetaScores(metaAlert, getConfig().getThreatTriageField(), getConfig().getThreatSort()); metaAlert.getDocument().put(getConfig().getSourceTypeField(), MetaAlertConstants.METAALERT_TYPE);
/**
 * Given a metaalert and a status change, builds the set of updates to be run.
 * The metaalert itself is always updated; each child alert is updated only when the
 * metaalert reference on it actually changed (added on ACTIVE, removed on INACTIVE).
 * @param metaAlert The metaalert whose status is changing (mutated in place)
 * @param alerts The child alerts to propagate the change to
 * @param status The status to change to
 * @return The updates to run, keyed by document: the metaalert maps to the metaalert
 *         index, each changed child alert maps to {@code Optional.empty()}
 */
protected Map<Document, Optional<String>> buildStatusChangeUpdates(Document metaAlert, Iterable<Document> alerts, MetaAlertStatus status) {
  Map<Document, Optional<String>> pendingUpdates = new HashMap<>();
  // Record the new status on the metaalert and always schedule it for its index.
  metaAlert.getDocument().put(MetaAlertConstants.STATUS_FIELD, status.getStatusString());
  pendingUpdates.put(metaAlert, Optional.of(config.getMetaAlertIndex()));
  boolean activating = MetaAlertStatus.ACTIVE.equals(status);
  boolean deactivating = MetaAlertStatus.INACTIVE.equals(status);
  String metaAlertGuid = metaAlert.getGuid();
  for (Document child : alerts) {
    boolean childChanged = false;
    if (activating) {
      // Going active: every child alert must carry the metaalert guid.
      childChanged = addMetaAlertToAlert(metaAlertGuid, child);
    } else if (deactivating) {
      // Going inactive: strip the metaalert guid from every child alert.
      childChanged = removeMetaAlertFromAlert(metaAlertGuid, child);
    }
    if (childChanged) {
      pendingUpdates.put(child, Optional.empty());
    }
  }
  return pendingUpdates;
}
/**
 * Resolves the name of the field that holds a document's threat-triage score.
 * The value is read from the global configuration under
 * {@code Constants.THREAT_SCORE_FIELD_PROPERTY}; when no global configuration is
 * available, or the property is absent, the default field name is used.
 * @return The configured threat-triage field name, or the default
 */
public String getThreatTriageField() {
  Map<String, Object> globalConfig = globalConfigSupplier.get();
  if (globalConfig == null) {
    return getDefaultThreatTriageField();
  }
  return ConfigurationsUtils.getFieldName(globalConfig, Constants.THREAT_SCORE_FIELD_PROPERTY, getDefaultThreatTriageField());
}
/**
 * Finds every ACTIVE metaalert that contains the alert with the given guid.
 * @param guid The guid of the child alert
 * @return The Elasticsearch response holding the matching metaalerts
 * @throws InvalidSearchException if the guid is null or blank
 * @throws IOException if the search fails
 */
@Override
public SearchResponse getAllMetaAlertsForAlert(String guid) throws InvalidSearchException, IOException {
  if (guid == null || guid.trim().isEmpty()) {
    throw new InvalidSearchException("Guid cannot be empty");
  }
  // Match metaalerts whose nested alert array holds an entry with this guid. The guid is
  // handed to the query builder as a term value, never spliced into query syntax.
  QueryBuilder containsAlert = nestedQuery(
      MetaAlertConstants.ALERT_FIELD,
      boolQuery().must(termQuery(MetaAlertConstants.ALERT_FIELD + "." + GUID, guid)),
      ScoreMode.None
  ).innerHit(new InnerHitBuilder());
  // Only metaalerts that are currently active are of interest.
  QueryBuilder isActive = termQuery(MetaAlertConstants.STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());
  QueryBuilder query = boolQuery().must(containsAlert).must(isActive);
  return queryAllResults(elasticsearchDao.getClient().getHighLevelClient(), query, config.getMetaAlertIndex(), pageSize);
}
}
.calculateMetaScores(metaAlert, config.getThreatTriageField(), config.getThreatSort()); updates.put(metaAlert, Optional.of(config.getMetaAlertIndex())); for (Document alert : alerts) { if (removeMetaAlertFromAlert(metaAlert.getGuid(), alert)) {
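/**
 * Changes the status of the metaalert identified by {@code metaAlertGuid} and propagates
 * the change to the latest version of each of its child alerts. A request for the status
 * the metaalert already has is a no-op.
 * @param metaAlertGuid The guid of the metaalert to update
 * @param status The status to change to
 * @return The (possibly updated) metaalert document
 * @throws IOException if no metaalert with that guid exists, or if the update fails
 */
@Override
public Document updateMetaAlertStatus(String metaAlertGuid, MetaAlertStatus status) throws IOException {
  Document metaAlert = retrieveLatestDao.getLatest(metaAlertGuid, MetaAlertConstants.METAALERT_TYPE);
  if (metaAlert == null) {
    throw new IOException(String.format("Unable to update meta alert status. Meta alert with guid %s cannot be found.", metaAlertGuid));
  }
  String currentStatus = (String) metaAlert.getDocument().get(MetaAlertConstants.STATUS_FIELD);
  if (status.getStatusString().equals(currentStatus)) {
    // Already in the requested status: nothing to write.
    return metaAlert;
  }
  @SuppressWarnings("unchecked")
  List<Map<String, Object>> currentAlerts = (List<Map<String, Object>>) metaAlert.getDocument().get(MetaAlertConstants.ALERT_FIELD);
  // Fix: a metaalert whose alert array is absent used to NPE here; treat it as empty so the
  // status change on the metaalert itself still goes through.
  List<GetRequest> getRequests = new ArrayList<>();
  if (currentAlerts != null) {
    // Hoisted out of the loop: the field name is resolved from configuration on each call.
    String sourceTypeField = config.getSourceTypeField();
    for (Map<String, Object> currentAlert : currentAlerts) {
      getRequests.add(new GetRequest((String) currentAlert.get(GUID), (String) currentAlert.get(sourceTypeField)));
    }
  }
  // Work on the latest stored version of each child, not the copy embedded in the metaalert.
  Iterable<Document> alerts = retrieveLatestDao.getAllLatest(getRequests);
  Map<Document, Optional<String>> updates = buildStatusChangeUpdates(metaAlert, alerts, status);
  update(updates);
  return metaAlert;
}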
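/**
 * Given an alert GUID, retrieve all ACTIVE meta alerts that contain it.
 * @param alertGuid The GUID of the child alert; must be non-null and non-blank
 * @return The Elasticsearch response containing the meta alerts
 * @throws IllegalArgumentException if {@code alertGuid} is null or blank
 * @throws IOException if the search fails
 */
protected SearchResponse getMetaAlertsForAlert(String alertGuid) throws IOException {
  // Reject a missing/blank guid up front, matching the public search entry point, rather
  // than issuing a query that can never match (or, for null, likely failing inside the
  // query builder).
  if (alertGuid == null || alertGuid.trim().isEmpty()) {
    throw new IllegalArgumentException("alertGuid cannot be empty");
  }
  // Match metaalerts whose nested alert array holds an entry with this guid. The guid is
  // handed to the query builder as a term value, never spliced into query syntax.
  QueryBuilder containsAlert = nestedQuery(
      MetaAlertConstants.ALERT_FIELD,
      boolQuery().must(termQuery(MetaAlertConstants.ALERT_FIELD + "." + Constants.GUID, alertGuid)),
      ScoreMode.None
  ).innerHit(new InnerHitBuilder());
  // Only metaalerts that are currently active are of interest.
  QueryBuilder isActive = termQuery(MetaAlertConstants.STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());
  QueryBuilder query = boolQuery().must(containsAlert).must(isActive);
  return ElasticsearchUtils.queryAllResults(elasticsearchDao.getClient().getHighLevelClient(), query, getConfig().getMetaAlertIndex(), pageSize);
}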
MetaAlertConstants.STATUS_FIELD + ":" + MetaAlertStatus.ACTIVE.getStatusString(); String metaalertTypeClause = config.getSourceTypeField() + ":" + MetaAlertConstants.METAALERT_TYPE; if (fieldList.contains("*") || fieldList.contains(config.getSourceTypeField())) { List<String> metaalertGuids = new ArrayList<>(); for (SearchResult result : results.getResults()) { if (result.getSource().get(config.getSourceTypeField()) .equals(MetaAlertConstants.METAALERT_TYPE)) {
String guidClause = Constants.GUID + ":" + guid; String fullClause = "{!parent which=" + activeClause + "}" + guidClause; String metaalertTypeClause = config.getSourceTypeField() + ":" + MetaAlertConstants.METAALERT_TYPE; SolrQuery solrQuery = new SolrQuery() .setQuery(fullClause)
/**
 * Builds a new metaalert document from the alerts named in the request.
 * The latest version of each requested alert is fetched, the metaalert is assembled from
 * them and the requested groups, and the metaalert is tagged with the metaalert source type.
 * @param request The alerts to group and the groups to record on the metaalert
 * @return The new metaalert document, or {@code null} if the request names no alerts
 * @throws InvalidCreateException if the metaalert cannot be created
 * @throws IOException if fetching the alerts fails
 */
@SuppressWarnings("unchecked")
@Override
public Document createMetaAlert(MetaAlertCreateRequest request) throws InvalidCreateException, IOException {
  List<GetRequest> alertRequests = request.getAlerts();
  if (alertRequests.isEmpty()) {
    // Nothing to group: callers get null rather than an empty metaalert.
    return null;
  }
  // Fetch the documents going into the metaalert, then assemble it.
  Iterable<Document> childAlerts = indexDao.getAllLatest(alertRequests);
  Document metaAlert = buildCreateDocument(childAlerts, request.getGroups(), MetaAlertConstants.ALERT_FIELD);
  // Mark the document as a metaalert via the configured source-type field.
  metaAlert.getDocument().put(getConfig().getSourceTypeField(), MetaAlertConstants.METAALERT_TYPE);
  return metaAlert;
}