/**
 * Builds the set of index updates needed to attach a group of alerts to an existing metaalert.
 *
 * The metaalert is handed to {@code addAlertsToMetaAlert}, which presumably records the new children on it
 * in place and reports whether anything actually changed. Only when it did are the metaalert's aggregate
 * scores recomputed and the documents queued for writing.
 *
 * @param metaAlert The metaalert the alerts are being attached to
 * @param alerts The alerts to attach; each one that did not already reference the metaalert is marked with
 *     its GUID via {@code addMetaAlertToAlert}. NOTE(review): this iterable is walked here and, presumably,
 *     again inside {@code addAlertsToMetaAlert}, so it must be re-iterable (e.g. a List) — confirm.
 * @return A map from each changed document to the index it should be written to: the metaalert maps to the
 *     configured metaalert index, child alerts map to {@link Optional#empty()} (presumably meaning "use the
 *     alert's own index" — verify against the caller). Empty when no alert was new to the metaalert.
 */
protected Map<Document, Optional<String>> buildAddAlertToMetaAlertUpdates(Document metaAlert,
    Iterable<Document> alerts) {
  Map<Document, Optional<String>> pendingUpdates = new HashMap<>();
  // Nothing to write if none of the alerts were actually new to the metaalert.
  if (!addAlertsToMetaAlert(metaAlert, alerts)) {
    return pendingUpdates;
  }
  // The child set changed, so the metaalert's threat-triage rollup is stale and must be recomputed
  // before the metaalert document is written.
  MetaScores.calculateMetaScores(metaAlert, config.getThreatTriageField(), config.getThreatSort());
  pendingUpdates.put(metaAlert, Optional.of(config.getMetaAlertIndex()));
  // Only alerts that did not already carry this metaalert's GUID need to be rewritten.
  for (Document child : alerts) {
    if (addMetaAlertToAlert(metaAlert.getGuid(), child)) {
      pendingUpdates.put(child, Optional.empty());
    }
  }
  return pendingUpdates;
}
updates.put(metaAlert, Optional.of(config.getMetaAlertIndex())); for (Document alert : alerts) { if (removeMetaAlertFromAlert(metaAlert.getGuid(), alert)) {
/**
 * Builds the index updates needed to move a metaalert to a new status and keep its child alerts in step.
 *
 * The status field is stamped onto the metaalert document first, so the metaalert is always part of the
 * result even when no child alert needs rewriting. Activating a metaalert adds its GUID to every child;
 * deactivating removes it. Any other status only rewrites the metaalert itself and leaves the children alone.
 *
 * @param metaAlert The metaalert whose status is changing; its document is mutated in place
 * @param alerts The child alerts to bring in line with the new status
 * @param status The status to move the metaalert to
 * @return A map from each changed document to its target index: the metaalert maps to the configured
 *     metaalert index, children that changed map to {@link Optional#empty()} (presumably "use the alert's
 *     own index" — verify against the caller)
 */
protected Map<Document, Optional<String>> buildStatusChangeUpdates(Document metaAlert,
    Iterable<Document> alerts, MetaAlertStatus status) {
  metaAlert.getDocument().put(MetaAlertConstants.STATUS_FIELD, status.getStatusString());
  Map<Document, Optional<String>> pendingUpdates = new HashMap<>();
  pendingUpdates.put(metaAlert, Optional.of(config.getMetaAlertIndex()));

  boolean activating = MetaAlertStatus.ACTIVE.equals(status);
  boolean deactivating = MetaAlertStatus.INACTIVE.equals(status);
  for (Document child : alerts) {
    // The helpers report whether the child actually changed; unchanged children are not rewritten.
    boolean childChanged = false;
    if (activating) {
      childChanged = addMetaAlertToAlert(metaAlert.getGuid(), child);
    } else if (deactivating) {
      childChanged = removeMetaAlertFromAlert(metaAlert.getGuid(), child);
    }
    if (childChanged) {
      pendingUpdates.put(child, Optional.empty());
    }
  }
  return pendingUpdates;
}
updates.put(metaAlert, Optional.of(getConfig().getMetaAlertIndex()));
/**
 * Finds every active metaalert that lists the given alert as one of its children.
 *
 * The lookup runs against the metaalert index and matches documents whose nested alert array contains an
 * entry with this GUID; inactive metaalerts are deliberately excluded. The GUID is bound as a term value
 * through the query builder rather than spliced into a query string, so it is not a query-injection vector.
 *
 * @param guid GUID of the child alert to look up
 * @return The Elasticsearch response over all matching metaalerts, with inner hits for the matching child
 *     entries (queryAllResults presumably pages through every hit using pageSize)
 * @throws InvalidSearchException if guid is null or blank
 * @throws IOException if the search round trip fails
 */
@Override
public SearchResponse getAllMetaAlertsForAlert(String guid) throws InvalidSearchException, IOException {
  // Reject a missing GUID up front instead of sending a pointless term query to Elasticsearch.
  if (guid == null || guid.trim().isEmpty()) {
    throw new InvalidSearchException("Guid cannot be empty");
  }
  // Metaalerts whose nested child array holds an alert with this GUID ...
  QueryBuilder containsChild = nestedQuery(
      MetaAlertConstants.ALERT_FIELD,
      boolQuery().must(termQuery(MetaAlertConstants.ALERT_FIELD + "." + GUID, guid)),
      ScoreMode.None
  ).innerHit(new InnerHitBuilder());
  // ... that are still active.
  QueryBuilder isActive =
      termQuery(MetaAlertConstants.STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());
  QueryBuilder query = boolQuery().must(containsChild).must(isActive);
  return queryAllResults(elasticsearchDao.getClient().getHighLevelClient(), query,
      config.getMetaAlertIndex(), pageSize);
}
}
/**
 * Finds every active metaalert that lists the given alert as one of its children.
 *
 * Searches the metaalert index for documents whose nested alert array contains an entry with this GUID and
 * whose status is active. The GUID is bound as a term value through the query builder, not interpolated
 * into a query string, so no escaping is required.
 *
 * NOTE(review): unlike the public getAllMetaAlertsForAlert entry point, nothing here rejects a null or
 * blank alertGuid — a blank value presumably just matches nothing; confirm that is the intended contract
 * for the callers of this protected helper.
 *
 * @param alertGuid GUID of the child alert to look up
 * @return The Elasticsearch response over all matching metaalerts, with inner hits for the matching child
 *     entries (queryAllResults presumably pages through every hit using pageSize)
 * @throws IOException if the search round trip fails
 */
protected SearchResponse getMetaAlertsForAlert(String alertGuid) throws IOException {
  // Metaalerts whose nested child array holds an alert with this GUID ...
  QueryBuilder containsChild = nestedQuery(
      MetaAlertConstants.ALERT_FIELD,
      boolQuery().must(termQuery(MetaAlertConstants.ALERT_FIELD + "." + Constants.GUID, alertGuid)),
      ScoreMode.None
  ).innerHit(new InnerHitBuilder());
  // ... that are still active; inactive metaalerts are deliberately left out.
  QueryBuilder isActive =
      termQuery(MetaAlertConstants.STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());
  QueryBuilder query = boolQuery().must(containsChild).must(isActive);
  return ElasticsearchUtils.queryAllResults(elasticsearchDao.getClient().getHighLevelClient(), query,
      getConfig().getMetaAlertIndex(), pageSize);
}