|
19 | 19 |
|
20 | 20 | import java.io.IOException; |
21 | 21 | import java.util.List; |
| 22 | +import java.util.Locale; |
22 | 23 | import java.util.Map; |
23 | 24 |
|
24 | 25 | /** |
@@ -102,6 +103,67 @@ public void testCreatingACorrelationRuleWithNoTimestampField() throws IOExceptio |
102 | 103 | ); |
103 | 104 | } |
104 | 105 |
|
| 106 | + @SuppressWarnings("unchecked") |
| 107 | + public void testCorrelationWithSingleRule() throws IOException { |
| 108 | + String windowsIndex = "windows"; |
| 109 | + Request request = new Request("PUT", "/" + windowsIndex); |
| 110 | + request.setJsonEntity(windowsMappings()); |
| 111 | + client().performRequest(request); |
| 112 | + |
| 113 | + String appLogsIndex = "app_logs"; |
| 114 | + request = new Request("PUT", "/" + appLogsIndex); |
| 115 | + request.setJsonEntity(appLogMappings()); |
| 116 | + client().performRequest(request); |
| 117 | + |
| 118 | + String correlationRule = windowsToAppLogsCorrelationRule(); |
| 119 | + request = new Request("POST", "/_correlation/rules"); |
| 120 | + request.setJsonEntity(correlationRule); |
| 121 | + client().performRequest(request); |
| 122 | + |
| 123 | + request = new Request("POST", String.format(Locale.ROOT, "/%s/_doc?refresh", windowsIndex)); |
| 124 | + request.setJsonEntity(sampleWindowsEvent()); |
| 125 | + client().performRequest(request); |
| 126 | + |
| 127 | + request = new Request("POST", String.format(Locale.ROOT, "/%s/_doc?refresh", appLogsIndex)); |
| 128 | + request.setJsonEntity(sampleAppLogsEvent()); |
| 129 | + Response response = client().performRequest(request); |
| 130 | + String appLogsId = responseAsMap(response).get("_id").toString(); |
| 131 | + |
| 132 | + request = new Request("POST", "/_correlation/events"); |
| 133 | + request.setJsonEntity(prepareCorrelateEventRequest(appLogsIndex, appLogsId)); |
| 134 | + response = client().performRequest(request); |
| 135 | + Map<String, Object> responseAsMap = responseAsMap(response); |
| 136 | + Assert.assertEquals(1, ((Map<String, Object>) responseAsMap.get("neighbor_events")).size()); |
| 137 | + } |
| 138 | + |
| 139 | + private String prepareCorrelateEventRequest(String index, String event) { |
| 140 | + return "{\n" + " \"index\": \"" + index + "\",\n" + " \"event\": \"" + event + "\",\n" + " \"store\": false\n" + "}"; |
| 141 | + } |
| 142 | + |
| 143 | + private String windowsToAppLogsCorrelationRule() { |
| 144 | + return "{\n" |
| 145 | + + " \"name\": \"windows to app logs\",\n" |
| 146 | + + " \"correlate\": [\n" |
| 147 | + + " {\n" |
| 148 | + + " \"index\": \"windows\",\n" |
| 149 | + + " \"query\": \"host.hostname:EC2AMAZ*\",\n" |
| 150 | + + " \"timestampField\": \"winlog.timestamp\",\n" |
| 151 | + + " \"tags\": [\n" |
| 152 | + + " \"windows\"\n" |
| 153 | + + " ]\n" |
| 154 | + + " },\n" |
| 155 | + + " {\n" |
| 156 | + + " \"index\": \"app_logs\",\n" |
| 157 | + + " \"query\": \"endpoint:\\\\/customer_records.txt\",\n" |
| 158 | + + " \"timestampField\": \"timestamp\",\n" |
| 159 | + + " \"tags\": [\n" |
| 160 | + + " \"others_application\"\n" |
| 161 | + + " ]\n" |
| 162 | + + " }\n" |
| 163 | + + " ]\n" |
| 164 | + + "}"; |
| 165 | + } |
| 166 | + |
105 | 167 | private String sampleCorrelationRule() { |
106 | 168 | return "{\n" |
107 | 169 | + " \"name\": \"s3 to app logs\",\n" |
@@ -151,4 +213,115 @@ private String sampleCorrelationRuleWithNoTimestamp() { |
151 | 213 | private String matchIdQuery(String id) { |
152 | 214 | return "{\n" + " \"query\" : {\n" + " \"match\":{\n" + " \"_id\": \"" + id + "\"\n" + " }\n" + " }\n" + "}"; |
153 | 215 | } |
| 216 | + |
| 217 | + private String windowsMappings() { |
| 218 | + return "{" |
| 219 | + + " \"settings\": {" |
| 220 | + + " \"number_of_shards\": 1" |
| 221 | + + " }," |
| 222 | + + " \"mappings\": {" |
| 223 | + + " \"properties\": {\n" |
| 224 | + + " \"server.user.hash\": {\n" |
| 225 | + + " \"type\": \"text\"\n" |
| 226 | + + " },\n" |
| 227 | + + " \"winlog.event_id\": {\n" |
| 228 | + + " \"type\": \"integer\"\n" |
| 229 | + + " },\n" |
| 230 | + + " \"host.hostname\": {\n" |
| 231 | + + " \"type\": \"text\"\n" |
| 232 | + + " },\n" |
| 233 | + + " \"windows.message\": {\n" |
| 234 | + + " \"type\": \"text\"\n" |
| 235 | + + " },\n" |
| 236 | + + " \"winlog.provider_name\": {\n" |
| 237 | + + " \"type\": \"text\"\n" |
| 238 | + + " },\n" |
| 239 | + + " \"winlog.event_data.ServiceName\": {\n" |
| 240 | + + " \"type\": \"text\"\n" |
| 241 | + + " },\n" |
| 242 | + + " \"winlog.timestamp\": {\n" |
| 243 | + + " \"type\": \"long\"\n" |
| 244 | + + " }\n" |
| 245 | + + " }\n" |
| 246 | + + " }\n" |
| 247 | + + "}"; |
| 248 | + } |
| 249 | + |
| 250 | + private String appLogMappings() { |
| 251 | + return "{" |
| 252 | + + " \"settings\": {" |
| 253 | + + " \"number_of_shards\": 1" |
| 254 | + + " }," |
| 255 | + + " \"mappings\": {" |
| 256 | + + " \"properties\": {\n" |
| 257 | + + " \"http_method\": {\n" |
| 258 | + + " \"type\": \"text\"\n" |
| 259 | + + " },\n" |
| 260 | + + " \"endpoint\": {\n" |
| 261 | + + " \"type\": \"text\",\n" |
| 262 | + + " \"analyzer\": \"whitespace\"" |
| 263 | + + " },\n" |
| 264 | + + " \"keywords\": {\n" |
| 265 | + + " \"type\": \"text\"\n" |
| 266 | + + " },\n" |
| 267 | + + " \"timestamp\": {\n" |
| 268 | + + " \"type\": \"long\"\n" |
| 269 | + + " }\n" |
| 270 | + + " }\n" |
| 271 | + + " }\n" |
| 272 | + + "}"; |
| 273 | + } |
| 274 | + |
| 275 | + private String sampleWindowsEvent() { |
| 276 | + return "{\n" |
| 277 | + + " \"EventTime\": \"2020-02-04T14:59:39.343541+00:00\",\n" |
| 278 | + + " \"host.hostname\": \"EC2AMAZEPO7HKA\",\n" |
| 279 | + + " \"Keywords\": \"9223372036854775808\",\n" |
| 280 | + + " \"SeverityValue\": 2,\n" |
| 281 | + + " \"Severity\": \"INFO\",\n" |
| 282 | + + " \"winlog.event_id\": 22,\n" |
| 283 | + + " \"SourceName\": \"Microsoft-Windows-Sysmon\",\n" |
| 284 | + + " \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\n" |
| 285 | + + " \"Version\": 5,\n" |
| 286 | + + " \"TaskValue\": 22,\n" |
| 287 | + + " \"OpcodeValue\": 0,\n" |
| 288 | + + " \"RecordNumber\": 9532,\n" |
| 289 | + + " \"ExecutionProcessID\": 1996,\n" |
| 290 | + + " \"ExecutionThreadID\": 2616,\n" |
| 291 | + + " \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n" |
| 292 | + + " \"winlog.event_data.SubjectDomainName\": \"NTAUTHORITY\",\n" |
| 293 | + + " \"AccountName\": \"SYSTEM\",\n" |
| 294 | + + " \"UserID\": \"S-1-5-18\",\n" |
| 295 | + + " \"AccountType\": \"User\",\n" |
| 296 | + + " \"windows.message\": \"Dns query:\\r\\nRuleName: \\r\\nUtcTime: 2020-02-04 14:59:38.349\\r\\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\\r\\nProcessId: 1904\\r\\nQueryName: EC2AMAZ-EPO7HKA\\r\\nQueryStatus: 0\\r\\nQueryResults: 172.31.46.38;\\r\\nImage: C:\\\\Program Files\\\\nxlog\\\\nxlog.exe\",\n" |
| 297 | + + " \"Category\": \"Dns query (rule: DnsQuery)\",\n" |
| 298 | + + " \"Opcode\": \"Info\",\n" |
| 299 | + + " \"UtcTime\": \"2020-02-04 14:59:38.349\",\n" |
| 300 | + + " \"ProcessGuid\": \"{b3c285a4-3cda-5dc0-0000-001077270b00}\",\n" |
| 301 | + + " \"ProcessId\": \"1904\",\n" |
| 302 | + + " \"QueryName\": \"EC2AMAZ-EPO7HKA\",\n" |
| 303 | + + " \"QueryStatus\": \"0\",\n" |
| 304 | + + " \"QueryResults\": \"172.31.46.38;\",\n" |
| 305 | + + " \"Image\": \"C:\\\\Program Files\\\\nxlog\\\\regsvr32.exe\",\n" |
| 306 | + + " \"EventReceivedTime\": \"2020-02-04T14:59:40.780905+00:00\",\n" |
| 307 | + + " \"SourceModuleName\": \"in\",\n" |
| 308 | + + " \"SourceModuleType\": \"im_msvistalog\",\n" |
| 309 | + + " \"CommandLine\": \"eachtest\",\n" |
| 310 | + + " \"Initiated\": \"true\",\n" |
| 311 | + + " \"winlog.timestamp\": " |
| 312 | + + System.currentTimeMillis() |
| 313 | + + "\n" |
| 314 | + + "}"; |
| 315 | + } |
| 316 | + |
| 317 | + private String sampleAppLogsEvent() { |
| 318 | + return "{\n" |
| 319 | + + " \"endpoint\": \"/customer_records.txt\",\n" |
| 320 | + + " \"http_method\": \"POST\",\n" |
| 321 | + + " \"keywords\": \"PermissionDenied\",\n" |
| 322 | + + " \"timestamp\": " |
| 323 | + + System.currentTimeMillis() |
| 324 | + + "\n" |
| 325 | + + "}"; |
| 326 | + } |
154 | 327 | } |
0 commit comments