Merge pull request #1486 from utmstack/backlog/adversary-view-with-hierarchical-graph-adversary-alert-echoes

Backlog/adversary view with hierarchical graph adversary alert echoes

Author: mjabascal10

backend/src/main/java/com/park/utmstack/config/Constants.java

@@ -140,6 +140,7 @@ public final class Constants {
     // ----------------------------------------------------------------------------------
     public static final String STATISTICS_INDEX_PATTERN = "v11-statistics-*";
     public static final String V11_API_ACCESS_LOGS = "v11-api-access-logs-*";
+    public static final String V11_ALERTS_INDEX_PATTERN = "v11-alert-*";
 
     // Logging
     public static final String TRACE_ID_KEY = "traceId";

backend/src/main/java/com/park/utmstack/service/dto/threat_management/Adversary.java

@@ -0,0 +1,13 @@
+package com.park.utmstack.service.dto.threat_management;
+
+import com.park.utmstack.domain.shared_types.alert.Side;
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+public class Adversary {
+    Side adversary;
+}

backend/src/main/java/com/park/utmstack/service/dto/threat_management/AdversaryAlertsResponseDto.java

@@ -0,0 +1,23 @@
+package com.park.utmstack.service.dto.threat_management;
+
+import com.park.utmstack.domain.shared_types.alert.Side;
+import com.park.utmstack.domain.shared_types.alert.UtmAlert;
+import lombok.Data;
+import lombok.Builder;
+import java.util.List;
+
+@Data
+@Builder
+public class AdversaryAlertsResponseDto {
+
+    private Side adversary;
+    private List<AlertWithChildren> alerts;
+
+    @Data
+    @Builder
+    public static class AlertWithChildren {
+        private UtmAlert alert;
+        private List<UtmAlert> children;
+    }
+}
+

backend/src/main/java/com/park/utmstack/service/threat_management/AdversaryAlertsService.java

@@ -0,0 +1,128 @@
+package com.park.utmstack.service.threat_management;
+
+
+import com.park.utmstack.domain.chart_builder.types.query.FilterType;
+import com.park.utmstack.domain.shared_types.alert.Side;
+import com.park.utmstack.domain.shared_types.alert.UtmAlert;
+import com.park.utmstack.service.dto.threat_management.Adversary;
+import com.park.utmstack.service.dto.threat_management.AdversaryAlertsResponseDto;
+import com.park.utmstack.service.elasticsearch.ElasticsearchService;
+import com.park.utmstack.service.elasticsearch.SearchUtil;
+import lombok.RequiredArgsConstructor;
+import org.opensearch.client.json.JsonData;
+import org.opensearch.client.opensearch._types.SortOrder;
+import org.opensearch.client.opensearch.core.SearchRequest;
+import org.opensearch.client.opensearch.core.SearchResponse;
+import org.springframework.stereotype.Service;
+
+import java.util.*;
+import java.util.stream.Collectors;
+
+import static com.park.utmstack.config.Constants.V11_ALERTS_INDEX_PATTERN;
+
+@Service
+@RequiredArgsConstructor
+public class AdversaryAlertsService {
+
+    private final ElasticsearchService elasticsearchService;
+
+    public List<AdversaryAlertsResponseDto> fetchAdversaryAlerts(List<FilterType> filters){
+        SearchRequest request = SearchRequest.of(s -> s
+                .index(V11_ALERTS_INDEX_PATTERN)
+                .query(SearchUtil.toQuery(filters))
+                .size(0)
+                .aggregations("adversary", a -> a
+                        .terms(t -> t.field("adversary.host.keyword").size(100))
+                        .aggregations("adversary_obj", ag -> ag
+                                .topHits(th -> th
+                                        .size(1)
+                                        .sort(srt -> srt.field(f -> f.field("@timestamp")
+                                                .order(SortOrder.Desc)))
+                                        .source(src -> src.filter(f -> f.includes(List.of("adversary"))))
+                                )
+                        )
+                        .aggregations("alerts", ag -> ag
+                                .filter(flt -> flt
+                                        .bool(b -> b
+                                                .mustNot(mn -> mn.exists(e -> e.field("parentId")))
+                                        )
+                                )
+                                .aggregations("alerts_hits", subAg -> subAg
+                                        .topHits(th -> th
+                                                .size(100)
+                                                .sort(srt -> srt.field(f -> f.field("@timestamp")
+                                                        .order(SortOrder.Desc)))
+                                        )
+                                )
+                        )
+
+                        .aggregations("child_alerts", ag -> ag
+                                .terms(t -> t.field("parentId.keyword").size(50))
+                                .aggregations("child_hits", ch -> ch
+                                        .topHits(th -> th
+                                                .size(50)
+                                                .sort(srt -> srt.field(f -> f.field("@timestamp")
+                                                        .order(SortOrder.Desc)))
+                                        )
+                                )
+                        )
+                )
+        );
+
+        SearchResponse<JsonData> response = elasticsearchService.search(request, JsonData.class);
+
+        List<AdversaryAlertsResponseDto> groups = new ArrayList<>();
+
+        var adversaryBuckets = response.aggregations()
+                .get("adversary")
+                .sterms()
+                .buckets()
+                .array();
+
+        for (var bucket : adversaryBuckets) {
+            var adversaryHit = bucket.aggregations().get("adversary_obj").topHits().hits().hits().get(0);
+
+            if (adversaryHit.source() != null) {
+                Adversary adversaryWrapper = adversaryHit.source().to(Adversary.class);
+                Side adversary = adversaryWrapper.getAdversary();
+
+                var topHitsAgg = bucket.aggregations().get("alerts").filter().aggregations()
+                        .get("alerts_hits").topHits();
+                List<UtmAlert> alerts = topHitsAgg.hits().hits().stream()
+                        .filter(hit -> hit.source() != null)
+                        .map(hit -> hit.source().to(UtmAlert.class))
+                        .filter(alert -> Objects.isNull(alert.getParentId()))
+                        .toList();
+
+                Map<String, List<UtmAlert>> childMap = new HashMap<>();
+                var childAgg = bucket.aggregations().get("child_alerts").sterms();
+
+                for (var cb : childAgg.buckets().array()) {
+                    var childHits = cb.aggregations().get("child_hits").topHits();
+                    List<UtmAlert> children = childHits.hits().hits().stream()
+                            .filter(hit -> hit.source() != null)
+                            .map(hit -> hit.source().to(UtmAlert.class))
+                            .toList();
+                    childMap.put(cb.key(), children);
+                }
+
+                List<AdversaryAlertsResponseDto.AlertWithChildren> alertsWithChildren = alerts.stream()
+                        .map(alert -> AdversaryAlertsResponseDto.AlertWithChildren.builder()
+                                .alert(alert)
+                                .children(childMap.getOrDefault(alert.getId(), Collections.emptyList()))
+                                .build())
+                        .collect(Collectors.toList());
+
+                groups.add(AdversaryAlertsResponseDto.builder()
+                        .adversary(adversary)
+                        .alerts(alertsWithChildren)
+                        .build());
+            }
+        }
+
+        return groups;
+    }
+
+
+}
+

backend/src/main/java/com/park/utmstack/web/rest/threat_management/AdversaryAlertsResource.java

@@ -0,0 +1,34 @@
+package com.park.utmstack.web.rest.threat_management;
+
+import com.park.utmstack.domain.chart_builder.types.query.FilterType;
+import com.park.utmstack.service.dto.threat_management.AdversaryAlertsResponseDto;
+import com.park.utmstack.service.threat_management.AdversaryAlertsService;
+import io.swagger.v3.oas.annotations.Hidden;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.Collections;
+import java.util.List;
+
+@RestController
+@RequiredArgsConstructor
+@Slf4j
+@Hidden
+@RequestMapping("api/adversary")
+public class AdversaryAlertsResource {
+
+    private final AdversaryAlertsService adversaryAlertsService;
+
+    @PostMapping("/alerts")
+    public ResponseEntity<List<AdversaryAlertsResponseDto>> search(@RequestBody(required = false) List<FilterType> filters) {
+            List<AdversaryAlertsResponseDto> responseDto = adversaryAlertsService.fetchAdversaryAlerts(filters);
+
+            if (responseDto.isEmpty())
+                return ResponseEntity.status(HttpStatus.NO_CONTENT).body(Collections.emptyList());
+
+            return ResponseEntity.ok().body(responseDto);
+    }
+}

backend/src/main/resources/config/liquibase/changelog/20251118001_add_adversary_view_menu.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
+
+    <changeSet id="20251118001" author="Manuel">
+        <insert tableName="utm_menu">
+            <column name="id" value="316"/>
+            <column name="name" value="Adversary View"/>
+            <column name="url" value="/data/adversary/view"/>
+            <column name="parent_id" value="300"/>
+            <column name="type" value="1"/>
+            <column name="dashboard_id" valueNumeric="NULL"/>
+            <column name="position" value="3"/>
+            <column name="menu_active" valueBoolean="true"/>
+            <column name="menu_action" valueBoolean="true"/>
+            <column name="menu_icon" value="NULL"/>
+            <column name="module_name_short" value="NULL"/>
+        </insert>
+        <insert tableName="utm_menu_authority">
+            <column name="menu_id" value="316"/>
+            <column name="authority_name" value="ROLE_ADMIN"/>
+        </insert>
+        <insert tableName="utm_menu_authority">
+            <column name="menu_id" value="316"/>
+            <column name="authority_name" value="ROLE_USER"/>
+        </insert>
+    </changeSet>
+
+
+</databaseChangeLog>

backend/src/main/resources/config/liquibase/master.xml

@@ -275,5 +275,7 @@
 
     <include file="/config/liquibase/changelog/20251201002_update_filter_google.xml" relativeToChangelogFile="false"/>
 
+    <include file="/config/liquibase/changelog/20251118001_add_adversary_view_menu.xml" relativeToChangelogFile="false"/>
+
 
 </databaseChangeLog>

frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.html

@@ -0,0 +1,11 @@
+<div class="d-flex flex-column h-100 m-h-0 overflow-auto">
+  <div class="flex-grow-1 h-100">
+    <div echarts
+         [options]="option"
+         (chartInit)="onChartInit($event)"
+         class="sankey-chart"
+         [ngStyle]="{ height: chartHeight + 'px' }">
+    </div>
+  </div>
+</div>
+

frontend/src/app/data-management/adversary-management/adversary-alerts-graph/adversary-alerts-graph.component.scss

@@ -0,0 +1,12 @@
+:host {
+  display: flex;
+  flex-direction: column;
+  flex: 1 1 auto;
+  min-height: 0;
+  height: 100%;
+}
+
+.sankey-chart {
+  min-height: 1200px;
+  height: auto;
+}