diff --git a/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts b/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts
index 19c596d7c..575884ae6 100644
--- a/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts
+++ b/frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts
@@ -32,7 +32,7 @@ import {
ALERT_STATUS_LABEL_FIELD,
ALERT_TAGS_FIELD,
ALERT_TIMESTAMP_FIELD,
- EVENT_IS_ALERT, FALSE_POSITIVE_OBJECT, LOG_RELATED_ID_EVENT_FIELD
+ EVENT_IS_ALERT, EVENT_TAG_RULE_FIELDS, FALSE_POSITIVE_OBJECT, LOG_RELATED_ID_EVENT_FIELD
} from '../../../../../shared/constants/alert/alert-field.constant';
import {AUTOMATIC_REVIEW, CLOSED} from '../../../../../shared/constants/alert/alert-status.constant';
import {FILTER_OPERATORS} from '../../../../../shared/constants/filter-operators.const';
@@ -84,7 +84,6 @@ export class AlertRuleCreateComponent implements OnInit, OnDestroy {
ALERT_OBSERVATION_FIELD,
ALERT_NOTE_FIELD,
ALERT_REFERENCE_FIELD,
- LOG_RELATED_ID_EVENT_FIELD,
EVENT_IS_ALERT,
ALERT_INCIDENT_USER_FIELD,
ALERT_INCIDENT_DATE_FIELD,
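Review bot: `LOG_RELATED_ID_EVENT_FIELD` is removed from the component's field list here, yet the first hunk keeps it in the import from `alert-field.constant` (the changed import line still ends with `LOG_RELATED_ID_EVENT_FIELD`). Unless the component references it somewhere not shown in this diff, the import is now dead and should be dropped from that import list. The field array this hunk edits starts and ends outside the hunk.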
@@ -148,6 +147,8 @@ export class AlertRuleCreateComponent implements OnInit, OnDestroy {
return acc.concat(field);
}, []);
+ this.fields = [...this.fields, ...EVENT_TAG_RULE_FIELDS];
+
this.operators = FILTER_OPERATORS.filter(value => !this.excludeOperators.includes(value.operator));
}
@@ -232,6 +233,11 @@ export class AlertRuleCreateComponent implements OnInit, OnDestroy {
}
getFieldValue(field: string): any {
+ if(field.startsWith('events') && this.alert.events &&this.alert.events.length>0){
+ let fields = field.split('.')
+ fields.splice(0,1)
+ return getValueFromPropertyPath(this.alert.events[0],fields.join('.'), null);
+ }
return getValueFromPropertyPath(this.alert, field, null);
}
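Review bot: The prefix test on the first added line of `getFieldValue` matches any field name that merely begins with `events`, so a top-level alert field such as an `eventsCount`-style key would be routed into the event branch and resolved against the wrong object; the test should be against the dotted prefix `events.`. With that prefix the split/splice/join sequence reduces to a single `slice`, and since the branch only ever reads `this.alert.events[0]` while the companion comment in `alert-field.constant.ts` says a tag-rule condition matches when any event satisfies it, the method should say that the value it returns is a preview from the first event, not necessarily the event that will match. The added lines also lack the semicolons and operator spacing the surrounding code uses.
```typescript
getFieldValue(field: string): any {
  // Fields under `events.` are resolved against the first event only. The rule
  // itself matches when ANY event satisfies the condition, so this is a preview
  // value, not necessarily the event that will match.
  const eventPrefix = 'events.';
  if (field.startsWith(eventPrefix) && this.alert.events && this.alert.events.length > 0) {
    return getValueFromPropertyPath(this.alert.events[0], field.slice(eventPrefix.length), null);
  }
  return getValueFromPropertyPath(this.alert, field, null);
}
```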
diff --git a/frontend/src/app/rule-management/app-rule/components/add-after-event/add-after-event.component.html b/frontend/src/app/rule-management/app-rule/components/add-after-event/add-after-event.component.html
index 668b76529..2c5e7eded 100644
--- a/frontend/src/app/rule-management/app-rule/components/add-after-event/add-after-event.component.html
+++ b/frontend/src/app/rule-management/app-rule/components/add-after-event/add-after-event.component.html
@@ -28,7 +28,7 @@
Must be at least 1
- Must not be greater than 50
+ Must not be greater than 100
diff --git a/frontend/src/app/rule-management/services/after-event-form.service.ts b/frontend/src/app/rule-management/services/after-event-form.service.ts
index d68edf6ec..bbc591e13 100644
--- a/frontend/src/app/rule-management/services/after-event-form.service.ts
+++ b/frontend/src/app/rule-management/services/after-event-form.service.ts
@@ -36,7 +36,7 @@ export class AfterEventFormService {
: []
),
within: [event.within || ''],
- count: [event.count ? event.count : null, [Validators.required, Validators.min(1), Validators.max(50)]],
+ count: [event.count ? event.count : null, [Validators.required, Validators.min(1), Validators.max(100)]],
});
}
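Review bot: The new upper bound 100 on the `count` validator is duplicated as literal text in `add-after-event.component.html` ("Must not be greater than 100"), so the two can drift apart again the next time the limit moves; a shared exported constant, e.g. `export const AFTER_EVENT_MAX_COUNT = 100;` used as `Validators.max(AFTER_EVENT_MAX_COUNT)` and interpolated into the template message, keeps them in step. This is client-side validation only: if the backend enforces its own limit on the after-event count, it needs the same change, otherwise a form that now accepts 51–100 would be rejected on save — that limit is not visible in this diff, so worth confirming. The form-building method this hunk edits starts outside the hunk.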
diff --git a/frontend/src/app/shared/constants/alert/alert-field.constant.ts b/frontend/src/app/shared/constants/alert/alert-field.constant.ts
index 21a3349e1..dd57f4cfd 100644
--- a/frontend/src/app/shared/constants/alert/alert-field.constant.ts
+++ b/frontend/src/app/shared/constants/alert/alert-field.constant.ts
@@ -120,6 +120,47 @@ export const EVENT_IS_ALERT = 'isAlert';
export const FALSE_POSITIVE_OBJECT = {id: 1, tagName: 'False positive', tagColor: '#f44336', systemOwner: true};
+// Event-related fields exposed in tag-rule conditions.
+// These are flattened paths into the `events` array on the alert document
+// ("events" is mapped as an object array, so any condition matches when ANY
+// event satisfies it).
+export const EVENT_TAG_RULE_FIELDS: UtmFieldType[] = [
+ {label: 'Event Data Type', field: 'events.dataType', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Data Source', field: 'events.dataSource', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Action', field: 'events.action', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Action Result', field: 'events.actionResult', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Severity', field: 'events.severity', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Protocol', field: 'events.protocol', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Connection Status', field: 'events.connectionStatus', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Status Code', field: 'events.statusCode', type: ElasticDataTypesEnum.NUMBER, visible: true},
+ {label: 'Event Tenant Name', field: 'events.tenantName', type: ElasticDataTypesEnum.STRING, visible: true},
+ // Origin
+ {label: 'Event Origin IP', field: 'events.origin.ip', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin Host', field: 'events.origin.host', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin User', field: 'events.origin.user', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin Port', field: 'events.origin.port', type: ElasticDataTypesEnum.NUMBER, visible: true},
+ {label: 'Event Origin Domain', field: 'events.origin.domain', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin URL', field: 'events.origin.url', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin Country', field: 'events.origin.geolocation.country', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin Country Code', field: 'events.origin.geolocation.countryCode', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin City', field: 'events.origin.geolocation.city', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin ASN', field: 'events.origin.geolocation.asn', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Origin ASO', field: 'events.origin.geolocation.aso', type: ElasticDataTypesEnum.STRING, visible: true},
+ // Target
+ {label: 'Event Target IP', field: 'events.target.ip', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target Host', field: 'events.target.host', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target User', field: 'events.target.user', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target Port', field: 'events.target.port', type: ElasticDataTypesEnum.NUMBER, visible: true},
+ {label: 'Event Target URL', field: 'events.target.url', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target Domain', field: 'events.target.domain', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target File', field: 'events.target.file', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target Country', field: 'events.target.geolocation.country', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target Country Code', field: 'events.target.geolocation.countryCode', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target City', field: 'events.target.geolocation.city', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target ASN', field: 'events.target.geolocation.asn', type: ElasticDataTypesEnum.STRING, visible: true},
+ {label: 'Event Target ASO', field: 'events.target.geolocation.aso', type: ElasticDataTypesEnum.STRING, visible: true},
+];
+
export const ALERT_FIELDS: UtmFieldType[] = [
{
label: 'Alert name',
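Review bot: The header comment on `EVENT_TAG_RULE_FIELDS` says `events` is mapped as an object array but stops short of the consequence that matters for rule authors: with an `object` (not `nested`) mapping the per-event fields are flattened, so a condition that combines two event fields (for example `events.origin.ip` and `events.target.port`) can be satisfied by values taken from two different events of the same alert, tagging alerts the author did not intend. If the mapping is indeed `object`, extend the comment with a line such as `// Not mapped as nested: a multi-field condition is not correlated within one event; each field may match a different event.`; if the mapping is actually `nested`, the existing sentence is wrong and should be corrected instead — the mapping is not visible here, so confirm against the index template. Since the array is only ever spread into the component's field list, declaring it `readonly UtmFieldType[]` would also document that the shared constant is not meant to be mutated.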