added correlationAlert integ tests
Signed-off-by: Riya Saxena <[email protected]>
riysaxen-amzn committed Jun 27, 2024
1 parent 362f0d6 commit 2a5cd34
Showing 7 changed files with 781 additions and 326 deletions.


21 changes: 13 additions & 8 deletions src/test/java/org/opensearch/securityanalytics/TestHelpers.java
Expand Up @@ -5,6 +5,7 @@
package org.opensearch.securityanalytics;

import com.carrotsearch.randomizedtesting.generators.RandomNumbers;
import kotlin.collections.EmptyList;
import org.apache.lucene.tests.util.LuceneTestCase;
import org.opensearch.core.common.bytes.BytesReference;
import org.opensearch.common.xcontent.LoggingDeprecationHandler;
Expand All @@ -21,14 +22,7 @@
import org.opensearch.commons.authuser.User;
import org.opensearch.script.Script;
import org.opensearch.script.ScriptType;
import org.opensearch.securityanalytics.model.CorrelationQuery;
import org.opensearch.securityanalytics.model.CorrelationRule;
import org.opensearch.securityanalytics.model.CustomLogType;
import org.opensearch.securityanalytics.model.Detector;
import org.opensearch.securityanalytics.model.DetectorInput;
import org.opensearch.securityanalytics.model.DetectorRule;
import org.opensearch.securityanalytics.model.DetectorTrigger;
import org.opensearch.securityanalytics.model.ThreatIntelFeedData;
import org.opensearch.securityanalytics.model.*;
import org.opensearch.test.OpenSearchTestCase;
import org.opensearch.test.rest.OpenSearchRestTestCase;

Expand Down Expand Up @@ -230,6 +224,17 @@ public static CorrelationRule randomCorrelationRule(String name) {
), 300000L, null);
}

public static CorrelationRule randomCorrelationRuleWithTrigger(String name) {
name = name.isEmpty()? "><script>prompt(document.domain)</script>": name;
List<Action> actions = new ArrayList<Action>();
CorrelationRuleTrigger trigger = new CorrelationRuleTrigger("trigger-123", "Trigger 1", "high", actions);
return new CorrelationRule(CorrelationRule.NO_ID, CorrelationRule.NO_VERSION, name,
List.of(
new CorrelationQuery("vpc_flow1", "dstaddr:192.168.1.*", "network", null),
new CorrelationQuery("ad_logs1", "azure.platformlogs.result_type:50126", "ad_ldap", null)
), 300000L, trigger);
}

public static String randomRule() {
return "title: Remote Encrypting File System Abuse\n" +
"id: 5f92fff9-82e2-48eb-8fc1-8b133556a551\n" +
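Review bot: The import hunk adds `import kotlin.collections.EmptyList;` that nothing in the visible diff uses, and replaces eight explicit `org.opensearch.securityanalytics.model` imports with the wildcard `import org.opensearch.securityanalytics.model.*;`; a Kotlin stdlib type in a Java test file is an odd cross-language dependency, and the wildcard hides which model classes `TestHelpers` actually depends on. Dropping the Kotlin import and keeping the explicit list, extended with `import org.opensearch.securityanalytics.model.CorrelationRuleTrigger;`, keeps the file consistent with its other imports (where `Action` comes from is not visible in this hunk). In `randomCorrelationRuleWithTrigger`, `new ArrayList<Action>()` can be `new ArrayList<>()`, and a short Javadoc would state the contract, e.g. `/** Builds a two-query correlation rule with a single high-severity trigger that has no actions; an empty name falls back to a script-tag marker string so callers can check it is rendered safely. */`.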


Expand Up @@ -15,9 +15,11 @@

import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import static org.opensearch.securityanalytics.TestHelpers.randomCorrelationRule;
import static org.opensearch.securityanalytics.TestHelpers.randomCorrelationRuleWithTrigger;

public class CorrelationEngineRuleRestApiIT extends SecurityAnalyticsRestTestCase {

Expand Down Expand Up @@ -113,4 +115,42 @@ public void testSearchCorrelationRule() throws IOException {
responseMap = responseAsMap(response);
Assert.assertEquals(1, Integer.parseInt(((Map<String, Object>) ((Map<String, Object>) responseMap.get("hits")).get("total")).get("value").toString()));
}

public void testSearchCorrelationRuleWithTrigger() throws IOException {
CorrelationRule rule = randomCorrelationRuleWithTrigger("custom-rule");
Response response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI, Collections.emptyMap(), toHttpEntity(rule));
Assert.assertEquals(201, response.getStatusLine().getStatusCode());
Map<String, Object> responseMap = responseAsMap(response);
Assert.assertEquals("custom-rule", ((Map<String, Object>) responseMap.get("rule")).get("name"));

String request = "{\n" +
" \"query\": {\n" +
" \"nested\": {\n" +
" \"path\": \"correlate\",\n" +
" \"query\": {\n" +
" \"bool\": {\n" +
" \"must\": [\n" +
" { \"match\": {\"correlate.category\": \"network\"}}\n" +
" ]\n" +
" }\n" +
" }\n" +
" }\n" +
" }\n" +
"}";
response = makeRequest(client(), "POST", SecurityAnalyticsPlugin.CORRELATION_RULES_BASE_URI + "/_search", Collections.emptyMap(), new StringEntity(request), new BasicHeader("Content-type", "application/json"));
responseMap = responseAsMap(response);
// Assuming the hits contain the matched documents
Map<String, Object> hits = (Map<String, Object>) responseMap.get("hits");
Assert.assertNotNull(hits);

List<Map<String, Object>> hitsList = (List<Map<String, Object>>) hits.get("hits");
Assert.assertEquals(1, hitsList.size()); // Assuming you expect exactly one hit

Map<String, Object> hit = hitsList.get(0);
Map<String, Object> source = (Map<String, Object>) hit.get("_source");
Assert.assertNotNull(source);

Object trigger = source.get("trigger");
Assert.assertNotNull(trigger);
}
}
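Review bot: `testSearchCorrelationRuleWithTrigger` ends by asserting only that `_source.trigger` is non-null, so a trigger persisted with the wrong id, name or severity would still pass even though the helper fixes them as `trigger-123`, `Trigger 1` and `high`; pin them instead, e.g. `Map<String, Object> triggerMap = (Map<String, Object>) source.get("trigger"); Assert.assertEquals("trigger-123", triggerMap.get("id")); Assert.assertEquals("high", triggerMap.get("severity"));` (the exact XContent field names of CorrelationRuleTrigger are not visible here and should be checked). The `_search` call is also parsed without the status check the create call has; add `Assert.assertEquals(200, response.getStatusLine().getStatusCode());` before `responseAsMap`. The `// Assuming ...` comments read as scaffolding leftovers; either drop them or state the precondition they rely on, e.g. `// The rule created above is expected to be the only one in the "network" category on this test cluster.`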
@@ -0,0 +1,75 @@
package org.opensearch.securityanalytics.correlation.alerts;

import org.opensearch.client.Client;
import org.opensearch.commons.alerting.model.Alert;
import org.opensearch.commons.alerting.model.CorrelationAlert;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.securityanalytics.correlation.alert.CorrelationAlertService;
import org.opensearch.securityanalytics.correlation.alert.CorrelationAlertsList;
import org.opensearch.test.OpenSearchTestCase;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.UUID;

import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.spy;

public class CorrelationAlertServiceTests extends OpenSearchTestCase {

public void testGetActiveAlerts() {
// Mock setup
Client client = mock(Client.class);
NamedXContentRegistry xContentRegistry = mock(NamedXContentRegistry.class);
CorrelationAlertService alertsService = spy(new CorrelationAlertService(client, xContentRegistry));


// Fake data
String ruleId = "correlation_rule_id_123";
long currentTime = System.currentTimeMillis();

// Define a fake correlation alert
CorrelationAlert correlationAlert = new CorrelationAlert(
Collections.emptyList(),
ruleId,
"mock-rule",
UUID.randomUUID().toString(),
1L,
1,
null,
"mock-trigger",
Alert.State.ACTIVE,
Instant.ofEpochMilli(currentTime).minusMillis(1000L),
Instant.ofEpochMilli(currentTime).plusMillis(1000L),
null,
null,
"high",
new ArrayList<>()
);

List<CorrelationAlert> correlationAlerts = Collections.singletonList(correlationAlert);

// Call getActiveAlerts
alertsService.getActiveAlerts(ruleId, currentTime, new ActionListener<CorrelationAlertsList>() {
@Override
public void onResponse(CorrelationAlertsList correlationAlertsList) {
// Assertion
assertEquals(correlationAlerts.size(), correlationAlertsList.getCorrelationAlertList().size());

// Additional assertions can be added here to verify specific fields or states
CorrelationAlert returnedAlert = correlationAlertsList.getCorrelationAlertList().get(0);
assertEquals(correlationAlert.getId(), returnedAlert.getId());
assertEquals(correlationAlert.getCorrelationRuleId(), returnedAlert.getCorrelationRuleId());
assertEquals(correlationAlert.getStartTime(), returnedAlert.getStartTime());
assertEquals(correlationAlert.getEndTime(), returnedAlert.getEndTime());
}

@Override
public void onFailure(Exception e) {

}
});
}
}
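Review bot: In `testGetActiveAlerts` the `Client` mock is never stubbed and `correlationAlerts` is never wired into it, so nothing in this file can make `getActiveAlerts` deliver the fake alert; if the service goes through the mocked client (its implementation is not visible here), the listener is either never invoked or invoked via `onFailure`, whose empty body swallows the exception, and the test passes without running a single assertion. Make the callback mandatory by recording it in an `AtomicBoolean` (needs `import java.util.concurrent.atomic.AtomicBoolean;`), failing in `onFailure`, and asserting after the call that the listener ran. The `spy(...)` wrapper serves no purpose without a `doReturn`/`when` on the service; either stub the client so a search actually returns the alert, or drop the spy and document the test as a contract check on the listener.

```java
public void testGetActiveAlerts() {
    // … unchanged: mock setup, ruleId/currentTime, fake CorrelationAlert and correlationAlerts list …
    AtomicBoolean responded = new AtomicBoolean(false);
    alertsService.getActiveAlerts(ruleId, currentTime, new ActionListener<CorrelationAlertsList>() {
        @Override
        public void onResponse(CorrelationAlertsList correlationAlertsList) {
            responded.set(true);
            // … unchanged: size, id, correlationRuleId, startTime, endTime assertions …
        }

        @Override
        public void onFailure(Exception e) {
            fail("getActiveAlerts failed: " + e);
        }
    });
    assertTrue("listener was never invoked", responded.get());
}
```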
