Show fields for aliases when selected in correlation rule and threat intel monitor scan #1064

Merged
merged 2 commits into from
Jul 2, 2024
get fields for aliases in correlation rules and threat intel monitor
Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>
amsiglan committed Jul 2, 2024
commit b464bc959fc3ad26bf8be207b8f4bf675f51b3b3
198 changes: 121 additions & 77 deletions public/pages/Correlations/containers/CreateCorrelationRule.tsx


@@ -57,7 +57,7 @@ export const SelectThreatIntelLogSources: React.FC<SelectThreatIntelLogSourcesPr
const getLogFields = useCallback(
async (indexName: string) => {
if (saContext && !logSourceMappingByName[indexName]) {
getFieldsForIndex(saContext.services.indexService, indexName).then((fields) => {
getFieldsForIndex(saContext.services.fieldMappingService, indexName).then((fields) => {
setLogSourceMappingByName({
...logSourceMappingByName,
[indexName]: fields,
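Review bot: The promise returned by the new `getFieldsForIndex(saContext.services.fieldMappingService, indexName)` call is consumed with `.then` and no `.catch`, so a failed mappings request becomes an unhandled rejection and the selector silently stays empty. Add a rejection handler such as `.catch((e) => console.error('getLogFields failed:', e))`, or `await` the call inside a `try`/`catch` within the callback. The state update also spreads the captured `logSourceMappingByName`, so two in-flight lookups can overwrite each other; `setLogSourceMappingByName((prev) => ({ ...prev, [indexName]: fields }))` avoids that. The enclosing `getLogFields` callback continues outside the hunk, and the file header names CreateCorrelationRule.tsx while the hunk context is `SelectThreatIntelLogSources`, which suggests the renderer collapsed the large diff and dropped a file header.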
9 changes: 9 additions & 0 deletions public/services/FieldMappingService.ts
@@ -79,4 +79,13 @@ export default class FieldMappingService {
},
})) as ServerResponse<GetMappingsResponse>;
};

getIndexAliasFields = async (indexName: string): Promise<ServerResponse<string[]>> => {
const url = `..${API.MAPPINGS_BASE}/fields/${indexName}`;
return (await this.httpClient.get(url, {
query: {
dataSourceId: dataSourceInfo.activeDataSource.id,
},
})) as ServerResponse<string[]>;
};
}
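Review bot: `indexName` is interpolated into the request path in `const url = \`..${API.MAPPINGS_BASE}/fields/${indexName}\`` without encoding, so a value containing `/`, `?` or `#` would alter the route instead of arriving in the `{indexName}` parameter. Use `encodeURIComponent(indexName)` in the template so the server receives exactly the name the user selected. The `as ServerResponse<string[]>` assertion means a malformed body is not checked at the type level, which matches the neighbouring methods, so it is only worth revisiting if the file adopts a response parser. A one-line TSDoc such as `/** Fetches the names of fields of an index or alias whose mapping is non-empty. */` would tell callers what to expect.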
9 changes: 6 additions & 3 deletions public/utils/helpers.tsx
@@ -32,7 +32,7 @@ import {
} from '../pages/CreateDetector/components/DefineDetector/components/DetectionRules/types/interfaces';
import { RuleInfo } from '../../server/models/interfaces';
import { NotificationsStart } from 'opensearch-dashboards/public';
import { IndexService, OpenSearchService } from '../services';
import { FieldMappingService, IndexService, OpenSearchService } from '../services';
import { ruleSeverity, ruleTypes } from '../pages/Rules/utils/constants';
import _ from 'lodash';
import { AlertCondition, DateTimeFilter, Duration, LogType } from '../../types';
@@ -576,14 +576,17 @@ export function getIsNotificationPluginInstalled(): boolean {
return isNotificationPluginInstalled;
}

export async function getFieldsForIndex(indexService: IndexService, indexName: string) {
export async function getFieldsForIndex(
fieldMappingService: FieldMappingService,
indexName: string
) {
let fields: {
label: string;
value: string;
}[] = [];

if (indexName) {
const result = await indexService.getIndexFields(indexName);
const result = await fieldMappingService.getIndexAliasFields(indexName);
if (result?.ok) {
fields = result.response?.map((field) => ({
label: field,
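Review bot: When `result?.ok` is false after the new `fieldMappingService.getIndexAliasFields(indexName)` call, the error is dropped and the function returns `[]`, so a caller cannot distinguish an index with no fields from a failed request. At minimum log it, e.g. `else { console.error('getFieldsForIndex:', result?.error); }` (the server puts the message in `error`, per the handler in server/services/FieldMappingService.ts), or return the error alongside the fields. Because the first parameter changed from `IndexService` to `FieldMappingService`, every call site must be updated in this same commit; the collapsed CreateCorrelationRule.tsx diff presumably holds the remaining ones. The function body ends outside the hunk.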
14 changes: 14 additions & 0 deletions server/clusters/addFieldMappingMethods.ts
@@ -44,4 +44,18 @@ export function addFieldMappingMethods(securityAnalytics: any, createAction: any
needBody: false,
method: 'GET',
});

securityAnalytics[METHOD_NAMES.GET_INDEX_ALIAS_MAPPINGS] = createAction({
url: {
fmt: `/<%=indexName%>/_mapping/field/*`,
req: {
indexName: {
type: 'string',
required: true,
},
},
},
needBody: false,
method: 'GET',
});
}
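Review bot: The new action's `fmt` places `indexName` directly into the cluster path `/<%=indexName%>/_mapping/field/*`, so a comma-separated list or a wildcard pattern is forwarded as-is and the request expands to every matching index the caller can read. Whether the legacy client URL-encodes `<%=…%>` parameters should be confirmed; if it does not, encode the name before it reaches the formatter. If the action is meant for a single index or alias, say so with `// indexName may be an index or alias; a multi-index pattern yields one entry per backing index`, because the consumer in server/services/FieldMappingService.ts reads only the first entry of the response.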
12 changes: 12 additions & 0 deletions server/routes/FieldMappingRoutes.ts
@@ -47,4 +47,16 @@ export function setupFieldMappingRoutes(services: NodeServices, router: IRouter)
},
fieldMappingService.createMappings
);

router.get(
{
path: `${API.MAPPINGS_BASE}/fields/{indexName}`,
validate: {
params: schema.object({
indexName: schema.string(),
}),
},
},
fieldMappingService.getIndexAliasFields
);
}
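Review bot: The new route's only check on `indexName` is `schema.string()`, which accepts an empty string and produces a confusing cluster error from the `/<%=indexName%>/_mapping/field/*` action instead of a 400. Use `schema.string({ minLength: 1 })`, and consider a `maxLength` bound in line with the cluster's index-name limit, so invalid names are rejected at the API boundary rather than inside the service.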
39 changes: 39 additions & 0 deletions server/services/FieldMappingService.ts
@@ -141,4 +141,43 @@ export default class FieldMappingService extends MDSEnabledClientService {
});
}
};

getIndexAliasFields = async (
context: RequestHandlerContext,
request: OpenSearchDashboardsRequest<{ indexName: string }, {}>,
response: OpenSearchDashboardsResponseFactory
) => {
try {
const { indexName } = request.params;
const client = this.getClient(request, context);
const mappingsResponse: { [key: string]: { mappings: any } } = await client(
CLIENT_FIELD_MAPPINGS_METHODS.GET_INDEX_ALIAS_MAPPINGS,
{
indexName,
}
);

const fieldMappings = Object.values(mappingsResponse)[0]?.mappings;
const fields = Object.keys(fieldMappings || {}).filter(
(field) => Object.keys(fieldMappings[field].mapping).length > 0
);

return response.custom({
statusCode: 200,
body: {
ok: true,
response: fields,
},
});
} catch (error: any) {
console.error('Security Analytics - FieldMappingService - getIndexAliasFields:', error);
return response.custom({
statusCode: 200,
body: {
ok: false,
error: error.message,
},
});
}
};
}
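Review bot: `Object.values(mappingsResponse)[0]?.mappings` reads only the first index in the `_mapping/field/*` response, so when `indexName` is an alias over several indices or a pattern the returned field list depends on which backing index the cluster happens to list first, and fields present only in the other indices are dropped. If a single index is the intended input, enforce that in the route and state it in a docstring; otherwise take the union across all entries as below. The filter keeps only fields whose `mapping` object is non-empty; a comment explaining which fields come back with an empty mapping would help, since the method is named "alias fields" but nothing here inspects an `alias` type. `catch (error: any)` could become `catch (error: unknown)` with `error instanceof Error ? error.message : String(error)`, though the other handlers in this file may use the same pattern and consistency should win.
```typescript
const fieldSet = new Set<string>();
for (const entry of Object.values(mappingsResponse)) {
  const fieldMappings = entry?.mappings ?? {};
  for (const field of Object.keys(fieldMappings)) {
    // keep only fields that carry an actual mapping definition
    if (Object.keys(fieldMappings[field]?.mapping ?? {}).length > 0) {
      fieldSet.add(field);
    }
  }
}
const fields = [...fieldSet];
// … unchanged: response.custom({ statusCode: 200, body: { ok: true, response: fields } }) …
```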
4 changes: 3 additions & 1 deletion server/utils/constants.ts
@@ -79,6 +79,7 @@ export const METHOD_NAMES = {
GET_MAPPINGS_VIEW: 'getFieldMappingsView',
CREATE_MAPPINGS: 'createMappings',
GET_MAPPINGS: 'getMappings',
GET_INDEX_ALIAS_MAPPINGS: 'getIndexAliasMappings',

// Alerts methods
GET_ALERTS: 'getAlerts',
@@ -140,13 +141,14 @@ export const CLIENT_CORRELATION_METHODS = {
GET_CORRELATED_FINDINGS: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.GET_CORRELATED_FINDINGS}`,
GET_ALL_CORRELATIONS: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.GET_ALL_CORRELATIONS}`,
GET_CORRELATION_ALERTS: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.GET_CORRELATION_ALERTS}`,
ACK_CORRELATION_ALERTS: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.ACK_CORRELATION_ALERTS}`
ACK_CORRELATION_ALERTS: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.ACK_CORRELATION_ALERTS}`,
};

export const CLIENT_FIELD_MAPPINGS_METHODS = {
GET_MAPPINGS_VIEW: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.GET_MAPPINGS_VIEW}`,
CREATE_MAPPINGS: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.CREATE_MAPPINGS}`,
GET_MAPPINGS: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.GET_MAPPINGS}`,
GET_INDEX_ALIAS_MAPPINGS: `${PLUGIN_PROPERTY_NAME}.${METHOD_NAMES.GET_INDEX_ALIAS_MAPPINGS}`,
};

export const CLIENT_ALERTS_METHODS = {