Adding default agent for incident rules (#397)

* Adding default_agent field to utm_alert_response_rule, to use its value as default if the alert log is not coming from an agent. Adding new logic to UtmAlertResponseRuleService to manage the default agent to execute the incident response when the alert log is not coming from an agent.

* Reformat code to implement better solution.

Author: c3s4rfred

backend/src/main/java/com/park/utmstack/domain/alert_response_rule/UtmAlertResponseRule.java

@@ -9,8 +9,10 @@
 import org.springframework.data.annotation.LastModifiedDate;
 import org.springframework.data.jpa.domain.support.AuditingEntityListener;
 import org.springframework.util.CollectionUtils;
+import org.springframework.util.StringUtils;
 
 import javax.persistence.*;
+import javax.validation.constraints.Size;
 import java.io.Serializable;
 import java.time.Instant;
 
@@ -38,6 +40,9 @@ public class UtmAlertResponseRule implements Serializable {
     private String agentPlatform;
     @Column(name = "excluded_agents")
     private String excludedAgents;
+    @Size(max = 500)
+    @Column(name = "default_agent" , length = 500)
+    private String defaultAgent;
     @CreatedBy
     @Column(name = "created_by", nullable = false, length = 50, updatable = false)
     private String createdBy;
@@ -62,6 +67,7 @@ public UtmAlertResponseRule(UtmAlertResponseRuleDTO dto) {
         this.ruleCmd = dto.getCommand();
         this.ruleActive = dto.getActive();
         this.agentPlatform = dto.getAgentPlatform();
+        this.defaultAgent = dto.getDefaultAgent();
         if (!CollectionUtils.isEmpty(dto.getExcludedAgents()))
             this.excludedAgents = String.join(",", dto.getExcludedAgents());
         else
@@ -132,6 +138,14 @@ public void setExcludedAgents(String excludedAgents) {
         this.excludedAgents = excludedAgents;
     }
 
+    public String getDefaultAgent() {
+        return defaultAgent;
+    }
+
+    public void setDefaultAgent(String defaultAgent) {
+        this.defaultAgent = defaultAgent;
+    }
+
     public String getCreatedBy() {
         return createdBy;
     }

backend/src/main/java/com/park/utmstack/service/alert_response_rule/UtmAlertResponseRuleService.java

@@ -129,48 +129,85 @@ public void evaluateRules(List<AlertType> alerts) {
                 return;
 
             List<UtmAlertResponseRule> rules = alertResponseRuleRepository.findAllByRuleActiveIsTrue();
-            if (CollectionUtils.isEmpty(rules))
-                return;
 
             // Excluding alerts tagged as false positive
             alerts = alerts.stream().filter(a -> (CollectionUtils.isEmpty(a.getTags()) || !a.getTags().contains("False positive")))
                 .collect(Collectors.toList());
 
+            // Do nothing if there is no valid alerts to check
+            if (CollectionUtils.isEmpty(alerts))
+                return;
+
             String alertJsonArray = new Gson().toJson(alerts);
             for (UtmAlertResponseRule rule : rules) {
-                List<FilterType> conditions = new ArrayList<>();
                 List<String> agentNames = networkScanRepository.findAgentNamesByPlatform(rule.getAgentPlatform());
-                if (!CollectionUtils.isEmpty(agentNames))
-                    conditions.add(new FilterType(Constants.alertDataSourceKeyword, OperatorType.IS_ONE_OF, agentNames));
 
-                if (StringUtils.hasText(rule.getRuleConditions()))
-                    conditions.addAll(new Gson().fromJson(rule.getRuleConditions(), TypeToken.getParameterized(List.class, FilterType.class).getType()));
+                if (CollectionUtils.isEmpty(agentNames))
+                    continue;
+
+                // Matching agents (these are the alerts made from logs coming from an agent)
+                //------------------------------------------------------------------------------------------
+                createResponseRuleExecution(rule,alertJsonArray,agentNames,true);
+
+                // Then the alerts that match the filters but aren't from an agent, gets executed using the default agent if there is one
+                //-----------------------------------------------------------------------------------------------------------------------
+                if (StringUtils.hasText(rule.getDefaultAgent())) {
+                    createResponseRuleExecution(rule,alertJsonArray,agentNames,false);
+                }
+            }
+        } catch (Exception e) {
+            String msg = ctx + ": " + e.getLocalizedMessage();
+            log.error(msg);
+            eventService.createEvent(msg, ApplicationEventType.ERROR);
+        }
+    }
+
+    private void createResponseRuleExecution (UtmAlertResponseRule rule, String alertJsonArray, List<String> agentNames, boolean isAgent) throws Exception {
+        final String ctx = CLASSNAME + ".createResponseRuleExecution";
+        List<FilterType> conditions = new ArrayList<>();
+        try {
+            // Common conditions
+            if (StringUtils.hasText(rule.getRuleConditions()))
+                conditions.addAll(new Gson().fromJson(rule.getRuleConditions(), TypeToken.getParameterized(List.class, FilterType.class).getType()));
 
-                if (StringUtils.hasText(rule.getExcludedAgents()))
-                    conditions.add(new FilterType(Constants.alertDataSourceKeyword, OperatorType.IS_NOT_ONE_OF, List.of(rule.getExcludedAgents().split(","))));
+            if (StringUtils.hasText(rule.getExcludedAgents()))
+                conditions.add(new FilterType(Constants.alertDataSourceKeyword, OperatorType.IS_NOT_ONE_OF, List.of(rule.getExcludedAgents().split(","))));
 
-                Filter filter = buildFilters(conditions);
-                List<?> matches = UtilJson.read("$[?]", alertJsonArray, filter);
+            // Specific condition for agent and non agents
+            if (isAgent) {
+                conditions.add(new FilterType(Constants.alertDataSourceKeyword, OperatorType.IS_ONE_OF, agentNames));
+            } else {
+                conditions.add(new FilterType(Constants.alertDataSourceKeyword, OperatorType.IS_NOT_ONE_OF, agentNames));
+            }
 
-                if (CollectionUtils.isEmpty(matches))
-                    continue;
+            // Processing the alerts and generating the rule executions
+            Filter filter = buildFilters(conditions);
+            List<?> matches = UtilJson.read("$[?]", alertJsonArray, filter);
+
+            if (!CollectionUtils.isEmpty(matches)) {
 
                 for (Object match : matches) {
                     String matchAsJson = new Gson().toJson(match);
 
                     UtmAlertResponseRuleExecution exe = new UtmAlertResponseRuleExecution();
-                    exe.setAgent(UtilJson.read("$.dataSource", matchAsJson));
+                    // Execution agent takes the rule's default agent if the alert was generated by logs from non agent datasource
+                    if (isAgent) {
+                        exe.setAgent(UtilJson.read("$.dataSource", matchAsJson));
+                    } else {
+                        exe.setAgent(rule.getDefaultAgent());
+                    }
+
                     exe.setAlertId(UtilJson.read("$.id", matchAsJson));
                     exe.setRuleId(rule.getId());
                     exe.setCommand(buildCommand(rule.getRuleCmd(), matchAsJson));
                     exe.setExecutionStatus(RuleExecutionStatus.PENDING);
                     alertResponseRuleExecutionRepository.save(exe);
                 }
             }
+
         } catch (Exception e) {
             String msg = ctx + ": " + e.getLocalizedMessage();
-            log.error(msg);
-            eventService.createEvent(msg, ApplicationEventType.ERROR);
+            throw new Exception(msg);
         }
     }
 

backend/src/main/java/com/park/utmstack/service/dto/UtmAlertResponseRuleDTO.java

@@ -31,6 +31,8 @@ public class UtmAlertResponseRuleDTO {
     private Boolean active;
     @NotBlank
     private String agentPlatform;
+    @Size(max = 500)
+    private String defaultAgent;
     private List<String> excludedAgents = new ArrayList<>();
     @JsonProperty(access = JsonProperty.Access.READ_ONLY)
     private String createdBy;
@@ -52,6 +54,7 @@ public UtmAlertResponseRuleDTO(UtmAlertResponseRule rule) {
         this.command = rule.getRuleCmd();
         this.active = rule.getRuleActive();
         this.agentPlatform = rule.getAgentPlatform();
+        this.defaultAgent = rule.getDefaultAgent();
         if (StringUtils.hasText(rule.getExcludedAgents()))
             this.excludedAgents.addAll(Arrays.asList(rule.getExcludedAgents().split(",")));
         this.createdBy = rule.getCreatedBy();
@@ -112,6 +115,14 @@ public String getAgentPlatform() {
         return agentPlatform;
     }
 
+    public String getDefaultAgent() {
+        return defaultAgent;
+    }
+
+    public void setDefaultAgent(String defaultAgent) {
+        this.defaultAgent = defaultAgent;
+    }
+
     public void setAgentPlatform(String agentPlatform) {
         this.agentPlatform = agentPlatform;
     }

backend/src/main/resources/config/liquibase/changelog/20240131001_add_default_agent_utm_alert_response_rule.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20240131001" author="Freddy">
+        <addColumn tableName="utm_alert_response_rule">
+            <column name="default_agent" type="varchar(500)">
+                <constraints nullable="true"/>
+            </column>
+        </addColumn>
+    </changeSet>
+</databaseChangeLog>

backend/src/main/resources/config/liquibase/master.xml

@@ -32,4 +32,6 @@
 
     <include file="config/liquibase/changelog/20240109001_modifying_requirement_for_configuration_parameters.xml" relativeToChangelogFile="false"/>
 
+    <include file="config/liquibase/changelog/20240131001_add_default_agent_utm_alert_response_rule.xml" relativeToChangelogFile="false"/>
+
 </databaseChangeLog>