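/**
 * Indexes two ordinary alerts that reference a meta-alert, then indexes the meta-alert itself.
 *
 * <p>Both alerts are written under {@code SENSOR_NAME} with their {@code METAALERT_FIELD}
 * pointing at {@code guid}; the meta-alert is written to the meta-alert index as
 * {@link MetaAlertStatus#ACTIVE} and is built from those two alerts. The method blocks
 * until all three documents can be read back.
 *
 * <p>The read-back now looks the meta-alert up by {@code guid} rather than by the literal
 * {@code "meta_alert"}, so callers may pass any GUID (the existing caller passes
 * {@code "meta_alert"}, for which the behaviour is unchanged).
 *
 * @param guid the GUID to assign to the meta-alert
 * @return the meta-alert document that was indexed
 * @throws Exception if indexing or the read-back fails
 */
private Map<String, Object> createMetaAlert(String guid) throws Exception {
  // two ordinary alerts, each tagged as a child of the meta-alert
  List<Map<String, Object>> childAlerts = buildAlerts(2);
  for (Map<String, Object> child : childAlerts) {
    child.put(METAALERT_FIELD, Collections.singletonList(guid));
  }
  addRecords(childAlerts, getTestIndexFullName(), SENSOR_NAME);

  // the meta-alert that groups them
  Map<String, Object> metaAlert =
      buildMetaAlert(guid, MetaAlertStatus.ACTIVE, Optional.of(childAlerts));
  addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);

  // wait until all three documents are visible; the meta-alert is keyed by the GUID
  // we actually assigned, not a hard-coded one
  findCreatedDocs(Arrays.asList(
      new GetRequest("message_0", SENSOR_NAME),
      new GetRequest("message_1", SENSOR_NAME),
      new GetRequest(guid, METAALERT_TYPE)));
  return metaAlert;
}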
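/**
 * Polls the meta-alert DAO until the document stored under {@code guid} equals
 * {@code message0}, giving up after {@code MAX_RETRIES} attempts spaced {@code SLEEP_MS} apart.
 *
 * <p>The alerts field of both documents is compared as a set so that the order in which
 * child alerts were persisted does not affect equality. {@code message0} is converted back
 * to its list form on every exit path (match, timeout or exception), so the caller's
 * expected document is left as it was passed in.
 *
 * @param message0   the expected document contents; temporarily mutated during comparison
 * @param guid       the GUID of the document to look up
 * @param sensorType the sensor type to look the document up under
 * @throws InterruptedException if the retry sleep is interrupted
 * @throws IOException if the DAO lookup fails
 * @throws OriginalNotFoundException if no matching document appears within the retry budget
 */
protected void findUpdatedDoc(Map<String, Object> message0, String guid, String sensorType)
    throws InterruptedException, IOException, OriginalNotFoundException {
  commit();
  // compare alert lists order-insensitively; the list form is restored in the finally below
  convertAlertsFieldToSet(message0);
  try {
    for (int attempt = 0; attempt < MAX_RETRIES; ++attempt) {
      // sleep between attempts only, not after the last one
      if (attempt > 0) {
        Thread.sleep(SLEEP_MS);
      }
      Document doc = metaDao.getLatest(guid, sensorType);
      // treat a missing document as "not there yet" and keep polling rather than NPE
      // NOTE(review): getLatest's contract for a missing document is not visible here
      // (null vs. exception) - confirm against the DAO
      if (doc == null || doc.getDocument() == null) {
        continue;
      }
      Map<String, Object> stored = doc.getDocument();
      convertAlertsFieldToSet(stored);
      if (message0.equals(stored)) {
        convertAlertsFieldToList(stored);
        return;
      }
    }
  } finally {
    convertAlertsFieldToList(message0);
  }
  throw new OriginalNotFoundException(
      "Could not find " + guid + " after " + MAX_RETRIES + " tries");
}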
/**
 * Verifies that meta-alert search results can be sorted on {@code alert_status}
 * in three states: before any meta-alert exists, right after one is created, and
 * after that meta-alert has been escalated.
 *
 * @throws Exception if indexing, searching or the status change fails
 */
@Test
public void shouldSortMetaAlertsByAlertStatus() throws Exception {
  final String metaAlertGuid = "meta_alert";
  setupTypings();

  // ascending sort on the status field
  SortField byStatus = new SortField();
  byStatus.setField("alert_status");
  byStatus.setSortOrder("asc");

  // nothing indexed yet: the sorted search must still succeed and report zero hits
  Assert.assertEquals(0, searchForSortedMetaAlerts(byStatus).getTotal());

  // one freshly created meta-alert
  createMetaAlert(metaAlertGuid);
  Assert.assertEquals(1, searchForSortedMetaAlerts(byStatus).getTotal());

  // the same meta-alert after it has been escalated
  escalateMetaAlert(metaAlertGuid);
  Assert.assertEquals(1, searchForSortedMetaAlerts(byStatus).getTotal());
}
List<Map<String, Object>> alerts = buildAlerts(4); alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_alert")); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE, Optional.of(Collections.singletonList(alerts.get(0)))); addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE); findCreatedDocs(Arrays.asList( new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME), expectedMetaAlert.put("count", 3); expectedMetaAlert.put("sum", 3.0d); expectedMetaAlert.put(getThreatTriageField(), 3.0d); .asList(new GetRequest("message_1", SENSOR_NAME), new GetRequest("message_2", SENSOR_NAME))); assertEquals(expectedMetaAlert, actualMetaAlert.getDocument()); findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE); .asList(new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME))); assertEquals(expectedMetaAlert, actualMetaAlert.getDocument()); findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE); expectedMetaAlert.put("count", 4); expectedMetaAlert.put("sum", 6.0d); expectedMetaAlert.put(getThreatTriageField(), 6.0d);
@Test public void shouldCreateMetaAlert() throws Exception { List<Map<String, Object>> alerts = buildAlerts(3); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); findCreatedDocs(Arrays.asList( new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME), expectedMetaAlert.put(getSourceTypeField(), METAALERT_TYPE); expectedMetaAlert.put(STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString()); expectedMetaAlert.put("count", 2); expectedMetaAlert.put("sum", 3.0d); expectedMetaAlert.put(getThreatTriageField(), 3.0d); assertEquals(expectedMetaAlert, actualMetaAlert.getDocument()); findCreatedDoc(actualMetaAlert.getGuid(), METAALERT_TYPE); expectedAlert .put(METAALERT_FIELD, Collections.singletonList(actualMetaAlert.getGuid())); findUpdatedDoc(expectedAlert, "message_1", SENSOR_NAME); expectedAlert .put(METAALERT_FIELD, Collections.singletonList(actualMetaAlert.getGuid())); findUpdatedDoc(expectedAlert, "message_2", SENSOR_NAME);
List<Map<String, Object>> alerts = buildAlerts(totalAlerts); List<Map<String, Object>> childAlerts = alerts.subList(0, numChildAlerts); List<Map<String, Object>> unrelatedAlerts = alerts.subList(numChildAlerts, totalAlerts); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE, Optional.of(childAlerts)); addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE); findCreatedDocs(requests); findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE); setEmptiedMetaAlertField(expectedAlert); findUpdatedDoc(expectedAlert, "message_" + i, SENSOR_NAME); findUpdatedDoc(expectedAlert, "message_" + (i + numChildAlerts), SENSOR_NAME); findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE); findUpdatedDoc(expectedAlert, "message_" + i, SENSOR_NAME); findUpdatedDoc(expectedAlert, "message_" + (i + numChildAlerts), SENSOR_NAME); findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
List<Map<String, Object>> alerts = buildAlerts(2); alerts.get(0).put(METAALERT_FIELD, "meta_active_0"); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); List<Map<String, Object>> metaAlerts = buildMetaAlerts(1, MetaAlertStatus.ACTIVE, Optional.of(Collections.singletonList(alerts.get(0)))); addRecords(metaAlerts, getMetaAlertIndex(), METAALERT_TYPE); new GetRequest((String) alert.get(Constants.GUID), SENSOR_NAME)) .collect(Collectors.toList())); findCreatedDocs(createdDocs); sf.setField(getThreatTriageField()); sf.setSortOrder(SortOrder.DESC.getSortOrder()); SearchRequest sr = new SearchRequest(); sr.setQuery("*:*"); sr.setSize(5); sr.setIndices(Arrays.asList(getTestIndexName(), METAALERT_TYPE)); sr.setSort(Collections.singletonList(sf)); sfAsc.setField(getThreatTriageField()); sfAsc.setSortOrder(SortOrder.ASC.getSortOrder()); SearchRequest srAsc = new SearchRequest(); srAsc.setQuery("*:*"); srAsc.setSize(2); srAsc.setIndices(Arrays.asList(getTestIndexName(), METAALERT_TYPE)); srAsc.setSort(Collections.singletonList(sfAsc)); result = metaDao.search(srAsc);
@Test public void shouldHidesAlertsOnGroup() throws Exception { List<Map<String, Object>> alerts = buildAlerts(2); alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active")); alerts.get(0).put("ip_src_addr", "192.168.1.1"); alerts.get(1).put("ip_src_addr", "192.168.1.1"); alerts.get(1).put("score", 10); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); setupTypings(); findCreatedDocs(Arrays.asList( new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME)));
/**
 * Builds {@code count} meta-alert documents that all share the given status and child alerts.
 *
 * <p>Each GUID is derived from the status string and the position, producing
 * {@code meta_<status>_0}, {@code meta_<status>_1}, and so on.
 *
 * @param count  number of meta-alerts to build; zero or negative yields an empty list
 * @param status status assigned to every meta-alert
 * @param alerts optional child alerts attached to every meta-alert
 * @return the built meta-alert documents, in position order
 */
protected List<Map<String, Object>> buildMetaAlerts(int count, MetaAlertStatus status,
    Optional<List<Map<String, Object>>> alerts) {
  List<Map<String, Object>> metaAlerts = new ArrayList<>();
  int position = 0;
  while (position < count) {
    String metaAlertGuid = "meta_" + status.getStatusString() + "_" + position;
    metaAlerts.add(buildMetaAlert(metaAlertGuid, status, alerts));
    position++;
  }
  return metaAlerts;
}
List<Map<String, Object>> alerts = buildAlerts(4); alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_alert")); alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_alert")); alerts.get(2).put(METAALERT_FIELD, Collections.singletonList("meta_alert")); alerts.get(3).put(METAALERT_FIELD, Collections.singletonList("meta_alert")); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(1), alerts.get(2), alerts.get(3)))); addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE); findCreatedDocs(Arrays.asList( new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME), expectedMetaAlert.put("count", 2); expectedMetaAlert.put("sum", 5.0d); expectedMetaAlert.put(getThreatTriageField(), 5.0d); .asList(new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME))); assertEquals(expectedMetaAlert, actualMetaAlert.getDocument()); findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE); .asList(new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME))); assertEquals(expectedMetaAlert, actualMetaAlert.getDocument()); findUpdatedDoc(expectedMetaAlert, "meta_alert", METAALERT_TYPE);
/**
 * Verifies that a patch request targeting a meta-alert's name field is applied and
 * becomes visible through {@code metaDao.getLatest}.
 *
 * @throws Exception if indexing, patching or the read-back fails
 */
@Test
public void shouldPatchMetaAlertFields() throws Exception {
  // two alerts, both tagged as children of the meta-alert
  List<Map<String, Object>> alerts = buildAlerts(2);
  for (Map<String, Object> alert : alerts) {
    alert.put(METAALERT_FIELD, Collections.singletonList("meta_active"));
  }
  addRecords(alerts, getTestIndexFullName(), SENSOR_NAME);

  // the nested type must be present in the test index for the meta-alert to match
  setupTypings();

  // the meta-alert itself; METAALERT_TYPE is passed because "_doc" is appended automatically
  Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE,
      Optional.of(Arrays.asList(alerts.get(0), alerts.get(1))));
  addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE);

  // wait until all three documents are readable
  findCreatedDocs(Arrays.asList(
      new GetRequest("message_0", SENSOR_NAME),
      new GetRequest("message_1", SENSOR_NAME),
      new GetRequest("meta_alert", METAALERT_TYPE)));

  // build the name patch against the meta-alert index and apply it
  String patchJson = namePatchRequest.replace(META_INDEX_FLAG, getMetaAlertIndex());
  PatchRequest patch = JSONUtils.INSTANCE.load(patchJson, PatchRequest.class);
  metaDao.patch(metaDao, patch, Optional.of(System.currentTimeMillis()));

  // the patched name should show up on the latest version of the document
  assertEventually(() -> {
    Document patched = metaDao.getLatest("meta_alert", METAALERT_TYPE);
    Assert.assertEquals("New Meta Alert", patched.getDocument().get(NAME_FIELD));
  });
}
@Test public void shouldThrowExceptionIfPatchStatusField() throws Exception { setupTypings(); List<Map<String, Object>> alerts = buildAlerts(2); alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active")); alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_active")); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(1)))); addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE); findCreatedDocs(Arrays.asList( new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME), String statusPatch = statusPatchRequest.replace(META_INDEX_FLAG, getMetaAlertIndex()); PatchRequest patchRequest = JSONUtils.INSTANCE.load(statusPatch, PatchRequest.class); metaDao.patch(metaDao, patchRequest, Optional.of(System.currentTimeMillis()));
@Test public void shouldThrowExceptionIfPatchAlertField() throws Exception { setupTypings(); List<Map<String, Object>> alerts = buildAlerts(2); alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active")); alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_active")); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.ACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(1)))); addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE); findCreatedDocs(Arrays.asList( new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME), String alertPatch = alertPatchRequest.replace(META_INDEX_FLAG, getMetaAlertIndex()); PatchRequest patchRequest = JSONUtils.INSTANCE.load(alertPatch, PatchRequest.class); metaDao.patch(metaDao, patchRequest, Optional.of(System.currentTimeMillis()));
@Test public void shouldGetAllMetaAlertsForAlert() throws Exception { List<Map<String, Object>> alerts = buildAlerts(3); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); List<Map<String, Object>> metaAlerts = buildMetaAlerts(12, MetaAlertStatus.ACTIVE, Optional.of(Collections.singletonList(alerts.get(0)))); metaAlerts.add(buildMetaAlert("meta_active_12", MetaAlertStatus.ACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(2))))); metaAlerts.add(buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(2))))); addRecords(metaAlerts, getMetaAlertIndex(), METAALERT_TYPE); new GetRequest((String) alert.get(Constants.GUID), SENSOR_NAME)) .collect(Collectors.toList())); findCreatedDocs(createdDocs);
@Test public void addRemoveAlertsShouldThrowExceptionForInactiveMetaAlert() throws Exception { List<Map<String, Object>> alerts = buildAlerts(2); alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_alert")); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); Map<String, Object> metaAlert = buildMetaAlert("meta_alert", MetaAlertStatus.INACTIVE, Optional.of(Collections.singletonList(alerts.get(0)))); addRecords(Collections.singletonList(metaAlert), getMetaAlertIndex(), METAALERT_TYPE); findCreatedDocs(Arrays.asList( new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME),
@Test public void shouldSearchByStatus() throws Exception { List<Map<String, Object>> alerts = buildAlerts(1); alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active")); alerts.get(0).put("ip_src_addr", "192.168.1.1"); Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE, Optional.of(Collections.singletonList(alerts.get(0)))); Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE, Optional.empty()); addRecords(Arrays.asList(activeMetaAlert, inactiveMetaAlert), getMetaAlertIndex(), METAALERT_TYPE); findCreatedDocs(Arrays.asList( new GetRequest("meta_active", METAALERT_TYPE), new GetRequest("meta_inactive", METAALERT_TYPE)));
List<Map<String, Object>> alerts = buildAlerts(2); alerts.get(0).put(METAALERT_FIELD, Arrays.asList("meta_active", "meta_inactive")); addRecords(alerts, getTestIndexFullName(), SENSOR_NAME); Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE, Optional.of(Collections.singletonList(alerts.get(0)))); Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE, Optional.of(Collections.singletonList(alerts.get(0)))); addRecords(Arrays.asList(activeMetaAlert, inactiveMetaAlert), getMetaAlertIndex(), METAALERT_TYPE); findCreatedDocs(Arrays.asList( new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME), message0.getDocument().put(NEW_FIELD, expectedFieldValue); message0.getDocument().put(THREAT_FIELD_DEFAULT, 10.0d); metaDao.update(message0, Optional.of(getTestIndexFullName()));