Use of org.apache.metron.indexing.dao.metaalert.MetaAlertCreateResponse in project metron by apache.
The class ElasticsearchMetaAlertIntegrationTest, method shouldCreateMetaAlert.
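@Test
public void shouldCreateMetaAlert() throws Exception {
  // Load three alerts and confirm they are retrievable before the meta alert is created.
  List<Map<String, Object>> alerts = buildAlerts(3);
  elasticsearchAdd(alerts, INDEX, SENSOR_NAME);
  findCreatedDocs(Arrays.asList(
      new GetRequest("message_0", SENSOR_NAME),
      new GetRequest("message_1", SENSOR_NAME),
      new GetRequest("message_2", SENSOR_NAME)));

  // Link only alerts 1 and 2. Alert 2 names its index explicitly, alert 1 does not.
  // Plain setters are used instead of double-brace initialisation, which would create
  // anonymous subclasses that silently capture this test instance.
  MetaAlertCreateRequest metaAlertCreateRequest = new MetaAlertCreateRequest();
  metaAlertCreateRequest.setAlerts(new ArrayList<>(Arrays.asList(
      new GetRequest("message_1", SENSOR_NAME),
      new GetRequest("message_2", SENSOR_NAME, INDEX))));
  metaAlertCreateRequest.setGroups(Collections.singletonList("group"));

  MetaAlertCreateResponse metaAlertCreateResponse = metaDao.createMetaAlert(metaAlertCreateRequest);
  String metaAlertGuid = metaAlertCreateResponse.getGuid();

  // The meta alert document itself must now exist under the meta alert type.
  findCreatedDoc(metaAlertGuid, MetaAlertDao.METAALERT_TYPE);

  // Alert 0 was not part of the request: same field count as loaded, and no link field.
  Document untouched = metaDao.getLatest("message_0", SENSOR_NAME);
  Assert.assertEquals(4, untouched.getDocument().size());
  Assert.assertNull(untouched.getDocument().get(METAALERT_FIELD));

  // Alerts 1 and 2 each gained exactly one field: a single-entry link to the new meta alert.
  assertAlertLinkedToMetaAlert("message_1", metaAlertGuid);
  assertAlertLinkedToMetaAlert("message_2", metaAlertGuid);
}

/**
 * Asserts that the latest version of {@code alertGuid} has five fields and that its
 * {@code METAALERT_FIELD} holds exactly one entry equal to {@code metaAlertGuid}.
 *
 * @param alertGuid guid of the alert that was included in the create request
 * @param metaAlertGuid guid returned by {@code createMetaAlert}
 * @throws Exception if the alert cannot be fetched from the DAO
 */
private void assertAlertLinkedToMetaAlert(String alertGuid, String metaAlertGuid) throws Exception {
  Document alert = metaDao.getLatest(alertGuid, SENSOR_NAME);
  Assert.assertEquals(5, alert.getDocument().size());
  // Wildcard instead of a raw List avoids the unchecked cast warning; the element type is not asserted here.
  List<?> links = (List<?>) alert.getDocument().get(METAALERT_FIELD);
  Assert.assertEquals(1, links.size());
  Assert.assertEquals(metaAlertGuid, links.get(0));
}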
Use of org.apache.metron.indexing.dao.metaalert.MetaAlertCreateResponse in project metron by apache.
The class ElasticsearchMetaAlertDao, method createMetaAlert.
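/**
 * Creates a meta alert from the alerts named in {@code request} and links each of those
 * alerts back to it.
 *
 * <p>The meta alert document is built from the latest version of every requested alert,
 * scored, tagged with the meta alert source type and written to the meta alerts index.
 * Every alert that {@code addMetaAlertToAlert} reports as changed is written back as well,
 * to the index given in the request or, failing that, the index Elasticsearch reports for
 * the guid.
 *
 * @param request alerts (guid, sensor type, optional index) and UI groups for the new meta alert
 * @return a response with {@code created} set and the guid of the new meta alert
 * @throws InvalidCreateException if the request has no alerts or no groups, or if writing
 *     the documents fails
 * @throws IOException if fetching the latest alert documents fails
 * @throws IllegalArgumentException if no index can be determined for one of the alerts
 */
@Override
@SuppressWarnings("unchecked")
public MetaAlertCreateResponse createMetaAlert(MetaAlertCreateRequest request) throws InvalidCreateException, IOException {
  List<GetRequest> alertRequests = request.getAlerts();
  // Treat a missing list the same as an empty one so callers get the declared exception, not an NPE.
  if (alertRequests == null || alertRequests.isEmpty()) {
    throw new InvalidCreateException("MetaAlertCreateRequest must contain alerts");
  }
  if (request.getGroups() == null || request.getGroups().isEmpty()) {
    throw new InvalidCreateException("MetaAlertCreateRequest must contain UI groups");
  }

  // Retrieve the documents going into the meta alert and build it
  Iterable<Document> alerts = indexDao.getAllLatest(alertRequests);
  Document metaAlert = buildCreateDocument(alerts, request.getGroups());
  calculateMetaScores(metaAlert);

  // Add source type to be consistent with other sources and allow filtering
  metaAlert.getDocument().put(SOURCE_TYPE, MetaAlertDao.METAALERT_TYPE);

  // Start a list of updates / inserts we need to run
  Map<Document, Optional<String>> updates = new HashMap<>();
  updates.put(metaAlert, Optional.of(MetaAlertDao.METAALERTS_INDEX));

  try {
    // Index lookups keyed by guid. A guid listed twice in the request would otherwise make
    // Collectors.toMap throw IllegalStateException; keep the first occurrence instead.
    Map<String, Optional<String>> guidToIndices = alertRequests.stream()
        .collect(Collectors.toMap(GetRequest::getGuid, GetRequest::getIndex, (first, second) -> first));
    Map<String, String> guidToSensorTypes = alertRequests.stream()
        .collect(Collectors.toMap(GetRequest::getGuid, GetRequest::getSensorType, (first, second) -> first));

    // Update the associated alerts with the new meta alert, keeping existing links intact.
    for (Document alert : alerts) {
      if (!addMetaAlertToAlert(metaAlert.getGuid(), alert)) {
        // Nothing changed on this alert, so there is nothing to write back.
        continue;
      }
      String alertGuid = alert.getGuid();
      // Use the index in the request if it exists; getOrDefault guards against a returned
      // document whose guid is not in the request map.
      Optional<String> index = guidToIndices.getOrDefault(alertGuid, Optional.empty());
      if (!index.isPresent()) {
        // Look up the index from Elasticsearch if one is not supplied in the request
        index = elasticsearchDao.getIndexName(alertGuid, guidToSensorTypes.get(alertGuid));
        if (!index.isPresent()) {
          throw new IllegalArgumentException("Could not find index for " + alertGuid);
        }
      }
      updates.put(alert, index);
    }

    // Kick off any updates.
    indexDaoUpdate(updates);

    MetaAlertCreateResponse createResponse = new MetaAlertCreateResponse();
    createResponse.setCreated(true);
    createResponse.setGuid(metaAlert.getGuid());
    return createResponse;
  } catch (IOException ioe) {
    throw new InvalidCreateException("Unable to create meta alert", ioe);
  }
}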
Use of org.apache.metron.indexing.dao.metaalert.MetaAlertCreateResponse in project metron by apache.
The class InMemoryMetaAlertDao, method createMetaAlert.
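/**
 * Creates a meta alert in the in-memory backing store from the alerts named in {@code request}.
 *
 * <p>This implementation exists for testing: each requested alert is looked up by guid in the
 * index named in its {@link GetRequest}, its source is copied into the meta alert's alert list
 * and its threat score feeds the meta scores. The new meta alert is appended to the meta alerts
 * index and the guid-to-alerts mapping is recorded in {@code METAALERT_STORE}. Groups are copied
 * as given and are not validated here.
 *
 * @param request alerts (each with guid and index) and UI groups for the new meta alert
 * @return a response with {@code created} false when the request names no alerts, otherwise
 *     {@code created} true and the generated meta alert guid
 * @throws InvalidCreateException if a request entry has no index, a guid matches more than one
 *     stored document, or the search itself is invalid
 * @throws IOException declared for interface compatibility; not thrown by this implementation
 */
@SuppressWarnings("unchecked")
@Override
public MetaAlertCreateResponse createMetaAlert(MetaAlertCreateRequest request) throws InvalidCreateException, IOException {
  List<GetRequest> alertRequests = request.getAlerts();
  if (alertRequests == null || alertRequests.isEmpty()) {
    MetaAlertCreateResponse response = new MetaAlertCreateResponse();
    response.setCreated(false);
    return response;
  }

  // Build meta alert json. Give it a reasonable GUID derived from the current store size.
  JSONObject metaAlert = new JSONObject();
  String metaAlertGuid = "meta_" + (InMemoryDao.BACKING_STORE.get(MetaAlertDao.METAALERTS_INDEX).size() + 1);
  metaAlert.put(GUID, metaAlertGuid);
  JSONArray groupsArray = new JSONArray();
  groupsArray.addAll(request.getGroups());
  metaAlert.put(MetaAlertDao.GROUPS_FIELD, groupsArray);

  // Retrieve the alert for each guid.
  // For the purpose of testing, we're just using guids for the alerts field and grabbing the scores.
  JSONArray alertArray = new JSONArray();
  List<Double> threatScores = new ArrayList<>();
  Collection<String> alertGuids = new ArrayList<>();
  for (GetRequest alertRequest : alertRequests) {
    String guid = alertRequest.getGuid();
    // This store cannot discover an index for a guid, so a request entry without one is rejected
    // with the declared exception rather than failing on Optional.get().
    String index = alertRequest.getIndex()
        .orElseThrow(() -> new InvalidCreateException("No index supplied for guid: " + guid));

    SearchRequest searchRequest = new SearchRequest();
    searchRequest.setIndices(ImmutableList.of(index));
    // The query string is assembled from the caller-supplied guid. That is acceptable for this
    // in-memory test double only; a production backend must not build queries by concatenation.
    searchRequest.setQuery("guid:" + guid);

    SearchResponse searchResponse;
    try {
      searchResponse = search(searchRequest);
    } catch (InvalidSearchException e) {
      throw new InvalidCreateException("Unable to find guid: " + guid, e);
    }

    List<SearchResult> searchResults = searchResponse.getResults();
    if (searchResults.size() > 1) {
      throw new InvalidCreateException("Found more than one result for: " + guid + ". Values: " + searchResults);
    }
    if (searchResults.size() == 1) {
      SearchResult result = searchResults.get(0);
      alertArray.add(result.getSource());
      // Missing threat score counts as zero.
      double threatScore = Double.parseDouble(result.getSource().getOrDefault(THREAT_FIELD_DEFAULT, "0").toString());
      threatScores.add(threatScore);
    }
    // Recorded even when no document matched, mirroring the guid list the caller supplied.
    alertGuids.add(guid);
  }

  metaAlert.put(MetaAlertDao.ALERT_FIELD, alertArray);
  metaAlert.putAll(new MetaScores(threatScores).getMetaScores());
  metaAlert.put(STATUS_FIELD, MetaAlertStatus.ACTIVE.getStatusString());

  // Add the alert to the store, but make sure not to overwrite existing results
  InMemoryDao.BACKING_STORE.get(MetaAlertDao.METAALERTS_INDEX).add(metaAlert.toJSONString());
  METAALERT_STORE.put(metaAlertGuid, new HashSet<>(alertGuids));

  MetaAlertCreateResponse createResponse = new MetaAlertCreateResponse();
  createResponse.setGuid(metaAlertGuid);
  createResponse.setCreated(true);
  return createResponse;
}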