Merge pull request #887 from utmstack/bugfix/v10.5.15/False-positive-alerts-displayed-in-dashboard-overview

Bugfix/v10.5.15/false positive alerts displayed in dashboard overview

Author: c3s4rfred

CHANGELOG.md

@@ -1,3 +1,3 @@
-# UTMStack 10.5.15 Release Notes
+# UTMStack 10.5.16 Release Notes
 ## Bugfix
-- Sorting not working on any column in index management view
+- False positive alerts displayed in Dashboard Overview

backend/src/main/java/com/park/utmstack/config/Constants.java

@@ -70,13 +70,16 @@ public final class Constants {
     // ----------------------------------------------------------------------------------
     public static final String alertIdKeyword = "id.keyword";
     public static final String alertStatus = "status";
+    public static final String alertTags = "tags";
     public static final String alertIsIncident = "isIncident";
     public static final String alertNameKeyword = "name.keyword";
     public static final String alertSeverityLabel = "severityLabel.keyword";
     public static final String alertCategoryKeyword = "category.keyword";
     public static final String alertDataSourceKeyword = "dataSource.keyword";
     public static final int LOG_ANALYZER_TOTAL_RESULTS = 10000;
 
+    public static final String FALSE_POSITIVE_TAG = "False positive";
+
     /**
      * Environment variables
      */

backend/src/main/java/com/park/utmstack/service/overview/OverviewService.java

@@ -23,10 +23,7 @@
 import org.springframework.stereotype.Service;
 import org.springframework.util.CollectionUtils;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.stream.Collectors;
 
 @Service
@@ -60,11 +57,8 @@ public List<CardType> countAlertsTodayAndLastWeek() throws DashboardOverviewExce
                 return result;
             }
 
-            List<FilterType> filters = new ArrayList<>();
-            filters.add(new FilterType(Constants.alertStatus, OperatorType.IS_NOT, AlertStatus.AUTOMATIC_REVIEW.getCode()));
-
             SearchRequest sr = SearchRequest.of(s -> s.index(Constants.SYS_INDEX_PATTERN.get(SystemIndexPattern.ALERTS))
-                .query(SearchUtil.toQuery(filters)).aggregations(AGG_NAME, Aggregation.of(agg -> agg
+                .query(SearchUtil.toQuery(this.getDefaultFilters(Collections.emptyList()))).aggregations(AGG_NAME, Aggregation.of(agg -> agg
                     .dateRange(dr -> dr.field(Constants.timestamp)
                         .keyed(true).timeZone("UTC")
                         .ranges(r -> r.key(TODAY_KEY).from(f -> f.expr("now/d")).to(t -> t.expr("now")))
@@ -90,11 +84,7 @@ public TableType topAlerts(String from, String to, Integer top) throws Dashboard
             if (!elasticsearchService.indexExist(Constants.SYS_INDEX_PATTERN.get(SystemIndexPattern.ALERTS)))
                 return new TableType();
 
-            List<FilterType> filters = new ArrayList<>();
-            filters.add(new FilterType(Constants.alertStatus, OperatorType.IS_NOT, AlertStatus.AUTOMATIC_REVIEW.getCode()));
-            filters.add(new FilterType(Constants.timestamp, OperatorType.IS_BETWEEN, List.of(from, to)));
-
-            SearchRequest rq = SearchRequest.of(s -> s.size(0).query(SearchUtil.toQuery(filters))
+            SearchRequest rq = SearchRequest.of(s -> s.size(0).query(SearchUtil.toQuery(this.getDefaultFilters(List.of(from, to))))
                 .index(Constants.SYS_INDEX_PATTERN.get(SystemIndexPattern.ALERTS))
                 .aggregations(AGG_NAME, agg -> agg.terms(t -> t.field(Constants.alertNameKeyword)
                     .size(top).order(List.of(Map.of("_count", SortOrder.Desc))))));
@@ -124,11 +114,7 @@ public PieType countAlertsBySeverity(String from, String to, Integer top) throws
             if (!elasticsearchService.indexExist(Constants.SYS_INDEX_PATTERN.get(SystemIndexPattern.ALERTS)))
                 return new PieType();
 
-            List<FilterType> filters = new ArrayList<>();
-            filters.add(new FilterType(Constants.alertStatus, OperatorType.IS_NOT, AlertStatus.AUTOMATIC_REVIEW.getCode()));
-            filters.add(new FilterType(Constants.timestamp, OperatorType.IS_BETWEEN, List.of(from, to)));
-
-            SearchRequest rq = SearchRequest.of(s -> s.size(0).query(SearchUtil.toQuery(filters))
+            SearchRequest rq = SearchRequest.of(s -> s.size(0).query(SearchUtil.toQuery(this.getDefaultFilters(List.of(from, to))))
                 .index(Constants.SYS_INDEX_PATTERN.get(SystemIndexPattern.ALERTS))
                 .aggregations(AGG_NAME, agg -> agg.terms(t -> t.field(Constants.alertSeverityLabel)
                     .size(top).order(List.of(Map.of("_count", SortOrder.Desc))))));
@@ -160,11 +146,7 @@ public BarType topAlertsByCategory(String from, String to, Integer top) throws D
             if (!elasticsearchService.indexExist(Constants.SYS_INDEX_PATTERN.get(SystemIndexPattern.ALERTS)))
                 return new BarType();
 
-            List<FilterType> filters = new ArrayList<>();
-            filters.add(new FilterType(Constants.alertStatus, OperatorType.IS_NOT, AlertStatus.AUTOMATIC_REVIEW.getCode()));
-            filters.add(new FilterType(Constants.timestamp, OperatorType.IS_BETWEEN, List.of(from, to)));
-
-            SearchRequest rq = SearchRequest.of(s -> s.size(0).query(SearchUtil.toQuery(filters))
+            SearchRequest rq = SearchRequest.of(s -> s.size(0).query(SearchUtil.toQuery(this.getDefaultFilters(List.of(from, to))))
                 .index(Constants.SYS_INDEX_PATTERN.get(SystemIndexPattern.ALERTS))
                 .aggregations(AGG_NAME, agg -> agg.terms(t -> t.field(Constants.alertCategoryKeyword)
                     .size(top).order(List.of(Map.of("_count", SortOrder.Desc))))));
@@ -308,4 +290,16 @@ public TableType topWindowsEvents(String from, String to, Integer top) throws Da
             throw new DashboardOverviewException(ctx + ": " + e.getMessage());
         }
     }
+
+    private List<FilterType> getDefaultFilters(List<String> dateRange){
+        List<FilterType> filters = new ArrayList<>();
+        filters.add(new FilterType(Constants.alertStatus, OperatorType.IS_NOT, AlertStatus.AUTOMATIC_REVIEW.getCode()));
+        filters.add(new FilterType(Constants.alertTags, OperatorType.IS_NOT, Constants.FALSE_POSITIVE_TAG));
+
+        if(!CollectionUtils.isEmpty(dateRange)){
+            filters.add(new FilterType(Constants.timestamp, OperatorType.IS_BETWEEN, dateRange));
+        }
+
+        return  filters;
+    }
 }

backend/src/main/java/com/park/utmstack/util/AlertUtil.java

@@ -10,6 +10,7 @@
 import org.opensearch.client.opensearch.core.SearchResponse;
 import org.springframework.stereotype.Component;
 
+import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -32,6 +33,7 @@ public Long countAlertsByStatus(int status) {
 
             List<FilterType> filters = new ArrayList<>();
             filters.add(new FilterType(Constants.alertStatus, OperatorType.IS, status));
+            filters.add(new FilterType(Constants.alertTags, OperatorType.IS_NOT, Constants.FALSE_POSITIVE_TAG));
 
             SearchRequest.Builder srb = new SearchRequest.Builder();
             srb.query(SearchUtil.toQuery(filters))

backend/src/main/java/com/park/utmstack/web/rest/overview/OverviewResource.java

@@ -66,11 +66,11 @@ public ResponseEntity<List<CardType>> countAlertsTodayAndLastWeek() {
     public ResponseEntity<List<CardType>> countAlertsByStatus(@RequestParam String from, @RequestParam String to) {
         final String ctx = CLASS_NAME + ".countAlertsByStatus";
         try {
-            FilterType timestampFilter = new FilterType(Constants.timestamp, OperatorType.IS_BETWEEN, Arrays.asList(from, to));
-            FilterType statusFilter = new FilterType(Constants.alertStatus, OperatorType.IS_NOT, 1);
             List<FilterType> filters = new ArrayList<>();
-            filters.add(timestampFilter);
-            filters.add(statusFilter);
+            filters.add(new FilterType(Constants.timestamp, OperatorType.IS_BETWEEN, Arrays.asList(from, to)));
+            filters.add(new FilterType(Constants.alertStatus, OperatorType.IS_NOT, 1));
+            filters.add(new FilterType(Constants.alertTags, OperatorType.IS_NOT, Constants.FALSE_POSITIVE_TAG));
+
             return ResponseEntity.ok(alertService.countAlertsByStatus(filters));
         } catch (Exception e) {
             String msg = ctx + ": " + e.getMessage();

version.yml

@@ -1 +1 @@
-version: 10.5.15
+version: 10.5.16