correlation rule search, delete and edit api (#476)

Signed-off-by: Subhobrata Dey <[email protected]>
opensearch-project · Jul 11, 2023 · 61715cd · 61715cd
1 parent d0d3ee7
commit 61715cd
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 2 deletions.
diff --git a/...ain/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java b/...ain/java/org/opensearch/securityanalytics/resthandler/RestIndexCorrelationRuleAction.java
@@ -42,15 +42,19 @@ public String getName() {
  @Override
  public List<Route> routes() {
  return List.of(
- new Route(RestRequest.Method.POST, SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI)
+ new Route(RestRequest.Method.POST, SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI),
+ new Route(RestRequest.Method.PUT, String.format(Locale.getDefault(),
+ "%s/{%s}",
+ SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI,
+ "correlation_rule_id"))
  );
  }
 
  @Override
  protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
  log.debug(String.format(Locale.ROOT, "%s %s", request.method(), SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI));
 
- String id = request.param("rule_id", CorrelationRule.NO_ID);
+ String id = request.param("correlation_rule_id", CorrelationRule.NO_ID);
 
  XContentParser xcp = request.contentParser();
 

diff --git a/...java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java b/...java/org/opensearch/securityanalytics/transport/TransportDeleteCorrelationRuleAction.java
@@ -56,6 +56,7 @@ protected void doExecute(Task task, DeleteCorrelationRuleRequest request, Action
  new DeleteByQueryRequestBuilder(client, DeleteByQueryAction.INSTANCE)
  .source(CorrelationRule.CORRELATION_RULE_INDEX)
  .filter(QueryBuilders.matchQuery("_id", correlationRuleId))
+ .refresh(true)
  .execute(new ActionListener<>() {
  @Override
  public void onResponse(BulkByScrollResponse response) {

diff --git a/...est/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRuleRestApiIT.java b/...est/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRuleRestApiIT.java
@@ -4,6 +4,8 @@
  */
 package org.opensearch.securityanalytics.correlation;
 
+import org.apache.hc.core5.http.io.entity.StringEntity;
+import org.apache.hc.core5.http.message.BasicHeader;
 import org.junit.Assert;
 import org.opensearch.client.Response;
 import org.opensearch.client.ResponseException;
@@ -13,6 +15,7 @@
 
 import java.io.IOException;
 import java.util.Collections;
+import java.util.Map;
 
 import static org.opensearch.securityanalytics.TestHelpers.randomCorrelationRule;
 
@@ -33,4 +36,81 @@ public void testCreateCorrelationRuleWithInvalidName() {
  String actualMessage = exception.getMessage();
  Assert.assertTrue(actualMessage.contains(expectedMessage));
  }
+
+ @SuppressWarnings("unchecked")
+ public void testUpdateCorrelationRule() throws IOException {
+ CorrelationRule rule = randomCorrelationRule("custom-rule");
+ Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule));
+ Assert.assertEquals(201, response.getStatusLine().getStatusCode());
+ Map<String, Object> responseMap = responseAsMap(response);
+ Assert.assertEquals("custom-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));
+
+ String id = responseMap.get("_id").toString();
+
+ rule = randomCorrelationRule("custom-updated-rule");
+ response = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/" + id, Collections.emptyMap(), toHttpEntity(rule));
+ Assert.assertEquals(200, response.getStatusLine().getStatusCode());
+ responseMap = responseAsMap(response);
+ Assert.assertEquals("custom-updated-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));
+ }
+
+ @SuppressWarnings("unchecked")
+ public void testDeleteCorrelationRule() throws IOException {
+ CorrelationRule rule = randomCorrelationRule("custom-rule");
+ Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule));
+ Assert.assertEquals(201, response.getStatusLine().getStatusCode());
+ Map<String, Object> responseMap = responseAsMap(response);
+ Assert.assertEquals("custom-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));
+ String id = responseMap.get("_id").toString();
+
+ String request = "{\n" +
+ " \"query\" : {\n" +
+ " \"match_all\":{\n" +
+ " }\n" +
+ " }\n" +
+ "}";
+ response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json"));
+ responseMap = responseAsMap(response);
+ Assert.assertEquals(1, Integer.parseInt(((Map<String, Object>) ((Map<String, Object>) responseMap.get("hits")).get("total")).get("value").toString()));
+
+ response = makeRequest(client(), "DELETE", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/" + id, Collections.emptyMap(), null);
+ Assert.assertEquals(200, response.getStatusLine().getStatusCode());
+
+ request = "{\n" +
+ " \"query\" : {\n" +
+ " \"match_all\":{\n" +
+ " }\n" +
+ " }\n" +
+ "}";
+ response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json"));
+ responseMap = responseAsMap(response);
+ Assert.assertEquals(0, Integer.parseInt(((Map<String, Object>) ((Map<String, Object>) responseMap.get("hits")).get("total")).get("value").toString()));
+ }
+
+ @SuppressWarnings("unchecked")
+ public void testSearchCorrelationRule() throws IOException {
+ CorrelationRule rule = randomCorrelationRule("custom-rule");
+ Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule));
+ Assert.assertEquals(201, response.getStatusLine().getStatusCode());
+ Map<String, Object> responseMap = responseAsMap(response);
+ Assert.assertEquals("custom-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));
+
+ String request = "{\n" +
+ " \"query\": {\n" +
+ " \"nested\": {\n" +
+ " \"path\": \"correlate\",\n" +
+ " \"query\": {\n" +
+ " \"bool\": {\n" +
+ " \"must\": [\n" +
+ " { \"match\": {\"correlate.category\": \"network\"}}\n" +
+ " ]\n" +
+ " }\n" +
+ " }\n" +
+ " }\n" +
+ " }\n" +
+ "}";
+ response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json"));
+ responseMap = responseAsMap(response);
+ Assert.assertEquals(1, Integer.parseInt(((Map<String, Object>) ((Map<String, Object>) responseMap.get("hits")).get("total")).get("value").toString()));
+ }
 }