package dto
import (
	"bytes"
	"encoding/json"
	"fmt"
	"time"
)
// DataTypeRef is the request-side reference to a data type attached to a rule
// (see the DataTypes field of CreateCorrelationRuleRequest and
// UpdateCorrelationRuleRequest). ID is a pointer so that a missing or JSON-null
// "id" can be told apart from an explicit 0; the other fields are plain strings
// and a bool with no validation tags, so any checking must happen in the caller.
type DataTypeRef struct {
	ID *int64 `json:"id"`
	DataType string `json:"dataType"`
	DataTypeName string `json:"dataTypeName"`
	DataTypeDescription string `json:"dataTypeDescription"`
	Included bool `json:"included"`
}
// RuleDataTypeResponse is the response-side counterpart of DataTypeRef, used in
// CorrelationRuleResponse.DataTypes. Unlike DataTypeRef its ID is a non-nullable
// int64; LastUpdate is a pointer so it serializes as null when unset.
type RuleDataTypeResponse struct {
	ID int64 `json:"id"`
	DataType string `json:"dataType"`
	DataTypeName string `json:"dataTypeName"`
	DataTypeDescription string `json:"dataTypeDescription"`
	LastUpdate *time.Time `json:"lastUpdate"`
	Included bool `json:"included"`
	// SystemOwner is set on the response only; the request type has no such field.
	SystemOwner bool `json:"systemOwner"`
}
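// CorrelationOwner carries the correlation definition of a rule under either its
// legacy wire name ("afterEvents") or its current one ("correlation"). Clients are
// expected to send at most one of the two; use GetCorrelationDef to read it.
//
// Both fields are opaque, client-controlled JSON kept as json.RawMessage, so no
// validation of their content happens here.
type CorrelationOwner struct {
	// AfterEventsDef is the legacy name of the correlation definition.
	//
	// Deprecated: only kept for wire compatibility; send CorrelationDef instead.
	AfterEventsDef json.RawMessage `json:"afterEvents"`
	// CorrelationDef is the current correlation definition.
	CorrelationDef json.RawMessage `json:"correlation"`
}

// GetCorrelationDef returns whichever of AfterEventsDef or CorrelationDef is set.
// It returns an error when both are present (the legacy and current fields must
// not be sent together) and nil, nil when neither is; callers decide whether an
// absent definition is acceptable.
//
// A field that arrives as JSON null counts as absent. encoding/json stores the
// literal bytes "null" in a json.RawMessage instead of leaving it nil, so a bare
// nil check would treat `"afterEvents": null` as a set value and either reject a
// valid request or hand back the string "null" as the definition.
func (o *CorrelationOwner) GetCorrelationDef() (json.RawMessage, error) {
	hasLegacy := isSetRawMessage(o.AfterEventsDef)
	hasCurrent := isSetRawMessage(o.CorrelationDef)

	switch {
	case hasLegacy && hasCurrent:
		return nil, fmt.Errorf("only one afterEvents or correlation allowed")
	case hasLegacy:
		return o.AfterEventsDef, nil
	case hasCurrent:
		return o.CorrelationDef, nil
	default:
		return nil, nil
	}
}

// isSetRawMessage reports whether m holds a JSON value other than null.
// Surrounding whitespace is ignored so hand-built messages behave like decoded ones.
func isSetRawMessage(m json.RawMessage) bool {
	if m == nil {
		return false
	}
	return !bytes.Equal(bytes.TrimSpace(m), []byte("null"))
}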
// CreateCorrelationRuleRequest is the body of the create-rule endpoint. It embeds
// CorrelationOwner, so the "afterEvents"/"correlation" wire fields are promoted
// onto this type and read through GetCorrelationDef.
//
// Several fields are json.RawMessage (references, definition, groupBy,
// deduplicateBy): they are client-controlled JSON that is deliberately left
// undecoded here. None of the fields carry binding tags, so this type performs
// no validation of its own.
// NOTE(review): the consumer of the RawMessage fields should bound their size and
// validate their shape before evaluating them — confirm in the handler/service.
type CreateCorrelationRuleRequest struct {
	CorrelationOwner
	// JSON tags match Java UtmCorrelationRulesDTO field names for wire compatibility.
	RuleName string `json:"name"`
	RuleAdversary string `json:"adversary"`
	RuleConfidentiality int `json:"confidentiality"`
	RuleIntegrity int `json:"integrity"`
	RuleAvailability int `json:"availability"`
	RuleCategory string `json:"category"`
	RuleTechnique string `json:"technique"`
	RuleDescription string `json:"description"`
	RuleReferencesDef json.RawMessage `json:"references"`
	RuleDefinitionDef json.RawMessage `json:"definition"`
	RuleGroupByDef json.RawMessage `json:"groupBy"`
	DeduplicateByDef json.RawMessage `json:"deduplicateBy"`
	RuleActive bool `json:"ruleActive"`
	DataTypes []DataTypeRef `json:"dataTypes"`
}
// UpdateCorrelationRuleRequest is the body of the update-rule endpoint. Apart
// from RelPath it mirrors CreateCorrelationRuleRequest field for field, and like
// it embeds CorrelationOwner and carries no binding tags.
type UpdateCorrelationRuleRequest struct {
	CorrelationOwner
	// RelPath identifies the rule to update (the YAML-direct identity).
	// It is supplied by the client. NOTE(review): if RelPath is ever joined onto a
	// directory to locate the rule file, the handler must canonicalize it and reject
	// absolute paths and ".." segments before use — confirm where it is resolved.
	RelPath string `json:"relPath"`
	RuleName string `json:"name"`
	RuleAdversary string `json:"adversary"`
	RuleConfidentiality int `json:"confidentiality"`
	RuleIntegrity int `json:"integrity"`
	RuleAvailability int `json:"availability"`
	RuleCategory string `json:"category"`
	RuleTechnique string `json:"technique"`
	RuleDescription string `json:"description"`
	// The four RawMessage fields are opaque, client-controlled JSON (see the note
	// on CreateCorrelationRuleRequest).
	RuleReferencesDef json.RawMessage `json:"references"`
	RuleDefinitionDef json.RawMessage `json:"definition"`
	RuleGroupByDef json.RawMessage `json:"groupBy"`
	DeduplicateByDef json.RawMessage `json:"deduplicateBy"`
	RuleActive bool `json:"ruleActive"`
	DataTypes []DataTypeRef `json:"dataTypes"`
}
// CorrelationRuleResponse is the server-to-client representation of a rule.
// It does not embed CorrelationOwner: the correlation definition is always
// emitted under the current "correlation" name, never the legacy "afterEvents".
// RuleLastUpdate is a pointer so it serializes as null when unset.
type CorrelationRuleResponse struct {
	// RelPath is the rule identity (replaces the legacy numeric id).
	RelPath string `json:"relPath"`
	RuleName string `json:"name"`
	RuleAdversary string `json:"adversary"`
	RuleConfidentiality int `json:"confidentiality"`
	RuleIntegrity int `json:"integrity"`
	RuleAvailability int `json:"availability"`
	RuleCategory string `json:"category"`
	RuleTechnique string `json:"technique"`
	RuleDescription string `json:"description"`
	RuleReferencesDef json.RawMessage `json:"references"`
	RuleDefinitionDef json.RawMessage `json:"definition"`
	CorrelationDef json.RawMessage `json:"correlation"`
	RuleGroupByDef json.RawMessage `json:"groupBy"`
	DeduplicateByDef json.RawMessage `json:"deduplicateBy"`
	RuleLastUpdate *time.Time `json:"ruleLastUpdate"`
	RuleActive bool `json:"ruleActive"`
	SystemOwner bool `json:"systemOwner"`
	DataTypes []RuleDataTypeResponse `json:"dataTypes"`
}
// CorrelationRuleFilters holds the query-string parameters of the list endpoint
// (bound via the "form" tags). Pointer bools are tri-state: nil means "not
// filtered". Slice fields accept repeated query keys and are matched as "in".
// No bounds are expressed here; NOTE(review): Size and Page are unbounded ints
// and InitDate/EndDate are free-form strings, so the handler should clamp the page
// size and parse/validate the dates before querying — confirm.
type CorrelationRuleFilters struct {
	// Page is 0-based (matches Java Spring Pageable).
	Page int `form:"page"`
	Size int `form:"size"`
	RuleName string `form:"ruleName"` // case-insensitive partial
	RuleActive *bool `form:"ruleActive"` // optional boolean
	RuleCategory []string `form:"ruleCategory"` // in
	RuleAdversary []string `form:"ruleAdversary"` // origin|target
	RuleTechnique []string `form:"ruleTechnique"` // in
	RuleConfidentiality []int `form:"ruleConfidentiality"` // 0-3
	RuleIntegrity []int `form:"ruleIntegrity"` // 0-3
	RuleAvailability []int `form:"ruleAvailability"` // 0-3
	SystemOwner *bool `form:"systemOwner"` // optional boolean
	DataTypes []string `form:"dataTypes"` // in
	InitDate string `form:"initDate"` // ISO-8601, inclusive
	EndDate string `form:"endDate"` // ISO-8601; presumably inclusive like InitDate — confirm
	Search string `form:"search"` // general text against the name
}
// ── Bulk YAML import ──────────────────────────────────────────────────────
// ImportRuleFile is one uploaded rule YAML file (raw text + its filename).
// Both fields are untrusted client input: Filename is echoed back in
// ImportRuleResult and Content is parsed as YAML server-side.
// NOTE(review): no size limit is expressed on Content here; confirm the handler
// enforces a request-body limit and that the YAML loader used is a safe one.
type ImportRuleFile struct {
	Filename string `json:"filename"`
	Content string `json:"content"`
}
// ImportCorrelationRulesRequest carries one or more rule YAML files to import.
// The binding tag requires at least one file but sets no upper bound on the
// number of files, so the total payload is limited only by whatever body-size
// limit the server applies. NOTE(review): consider a "max=" constraint — confirm
// an acceptable ceiling with the handler owners.
type ImportCorrelationRulesRequest struct {
	Files []ImportRuleFile `json:"files" binding:"required,min=1"`
}
// ImportRuleResult is the per-file verdict returned by the import endpoint.
// Filename is copied from the uploaded ImportRuleFile; Name and RelPath are only
// populated when the file could be parsed / was approved (omitempty).
type ImportRuleResult struct {
	Filename string `json:"filename"`
	Approved bool `json:"approved"`
	Name string `json:"name,omitempty"` // rule name when parsed
	RelPath string `json:"relPath,omitempty"` // created identity when approved
	// Error is returned to the client verbatim. NOTE(review): keep it to a
	// user-facing reason; avoid surfacing internal paths or raw parser errors — confirm.
	Error string `json:"error,omitempty"` // reason when rejected
}
// ImportCorrelationRulesResponse reports which files were approved vs rejected.
// Results holds one ImportRuleResult per uploaded file; Approved and Rejected are
// the corresponding counts.
type ImportCorrelationRulesResponse struct {
	Results []ImportRuleResult `json:"results"`
	Approved int `json:"approved"`
	Rejected int `json:"rejected"`
}