Alerts in Correlations Part 2

[riysaxen-amzn]

Description

• This PR contains the APIs for alerts in Correlations:
  1). New acknowledge Correlation Alerts API
  new API signature POST /_plugins/_security_analytics/_acknowledge/correlationAlerts

  Req body: {"alerts":["4dc7f5a9-2c82-4786-81ca-433a209d5205"]}

  • The API functionality will be to update the state of correlation alert to ACKNOWLEDGED/ERROR in .opensearch-sap-correlations-alerts index depending on the success and fail of this API and update the acknowledged_time field.

GetAcknowledgeAlertsResponse API response

GetAcknowledgeAlertsResponse API response
Field | Type | Description
-- | -- | --
acknowledged | List<CorrelationAlert> | List of acknowledged correlation alerts
failed | List<CorrelationAlert> | List of failed correlation alerts

2). New API: To get/retrieve list of correlation alerts:

GET /_plugins/_security_analytics/<b>correlationAlerts

Field | Data Type | Description
-- | -- | --
severityLevel | String | Severity level of the alert
alertState | String | State of the alert
sortString | String | String used for sorting the results
sortOrder | String | Order in which the results are sorted
size | Integer | Maximum number of results recieved in the response
startIndex | Integer | The pagination indicator
searchString | String | String used for searching
correlation_rule_id | String | filter by correlation Rule

Issues Resolved

Issue

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[riysaxen-amzn]

plz add serde tests for request, response classes

will add all the tests in a seperate PR

[eirsep]

why is there not an API for list correlation alerts for all rules and only per rule id?

[eirsep]

shouldnt this be a list of rule ids?

[eirsep]

why is name required?

[riysaxen-amzn]

right now, name is not needed because we are not using it to filter the correlation Alerts but at some point we can have a requirement to filter correlations by name, because correlation Ids will always be unique but name can be same. User can create a different correlationRules with same names, there's no correlation rule name validation

[riysaxen-amzn]

why is there not an API for list correlation alerts for all rules and only per rule id?

yeah so the API will give all the alerts if ruleId is not passed

[eirsep]

revert

[eirsep]

ƒew comments but LGTM from a quick scan. unit and integ tests pending

[eirsep]

revert

[eirsep]

isblank?

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security-analytics/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security-analytics/backport-2.x
# Create a new branch
git switch --create backport-1062-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a74f509ccbac51531b77c371550b81fcd867931a
# Push it to GitHub
git push --set-upstream origin backport-1062-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security-analytics/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport-1062-to-2.x.

[riysaxen-amzn]

will address the remaining comments for this PR, in the follow up PR