
Commit 69d7629

committed
feat(plugins): add groupBy support to rules configuration and database queries
1 parent 6b1da4e commit 69d7629


1 file changed

+24
-10
lines changed


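--- a/plugins/config/main.go
+++ b/plugins/config/main.go
@@ -40,7 +40,9 @@ type Rule struct {
 Description string `yaml:"description"`
 Where string `yaml:"where"`
 AfterEvents []SearchRequest `yaml:"afterEvents,omitempty"`
+Correlation []SearchRequest `yaml:"correlation,omitempty"`
 DeduplicateBy []string `yaml:"deduplicateBy,omitempty"`
+GroupBy []string `yaml:"groupBy,omitempty"`
 }
 
 type SearchRequest struct {
@@ -170,7 +172,7 @@ func castUint32(value interface{}) uint32 {
 
 func (r *Rule) FromVar(id int64, dataTypes []string, ruleName any, confidentiality any, integrity any,
 availability any, category any, technique any, description any,
-references any, where any, adversary any, deduplicate any, after any) error {
+references any, where any, adversary any, deduplicateBy any, after any, groupBy any) error {
 
 var referencesList []string
 
@@ -182,16 +184,26 @@ func (r *Rule) FromVar(id int64, dataTypes []string, ruleName any, confidentiali
 }
 }
 
-var deduplicateList []string
+var deduplicateByList []string
 
-if deduplicate != nil {
-deduplicateStr := utils.CastString(deduplicate)
-err := json.Unmarshal([]byte(deduplicateStr), &deduplicateList)
+if deduplicateBy != nil {
+deduplicateStr := utils.CastString(deduplicateBy)
+err := json.Unmarshal([]byte(deduplicateStr), &deduplicateByList)
 if err != nil {
 return catcher.Error("failed to unmarshal deduplicate list", err, map[string]any{"process": "plugin_com.utmstack.config"})
 }
 }
 
+var groupByList []string
+
+if groupBy != nil {
+groupByStr := utils.CastString(groupBy)
+err := json.Unmarshal([]byte(groupByStr), &groupByList)
+if err != nil {
+return catcher.Error("failed to unmarshal groupBy list", err, map[string]any{"process": "plugin_com.utmstack.config"})
+}
+}
+
 var afterObj []SearchRequest
 
 if after != nil {
@@ -220,7 +232,8 @@ func (r *Rule) FromVar(id int64, dataTypes []string, ruleName any, confidentiali
 r.References = make([]string, len(referencesList))
 r.Description = utils.CastString(description)
 r.Adversary = utils.CastString(adversary)
-r.DeduplicateBy = deduplicateList
+r.DeduplicateBy = deduplicateByList
+r.GroupBy = groupByList
 r.AfterEvents = afterObj
 r.References = referencesList
 r.Where = utils.CastString(where)
@@ -504,7 +517,7 @@ func getAssets(db *sql.DB) ([]Asset, error) {
 }
 
 func getRules(db *sql.DB) ([]Rule, error) {
-rows, err := db.Query("SELECT id,rule_name,rule_confidentiality,rule_integrity,rule_availability,rule_category,rule_technique,rule_description,rule_references_def,rule_definition_def,rule_adversary,rule_deduplicate_by_def,rule_after_events_def FROM utm_correlation_rules WHERE rule_active = true")
+rows, err := db.Query("SELECT id,rule_name,rule_confidentiality,rule_integrity,rule_availability,rule_category,rule_technique,rule_description,rule_references_def,rule_definition_def,rule_adversary,rule_deduplicate_by_def,rule_after_events_def,rule_group_by_def FROM utm_correlation_rules WHERE rule_active = true")
 if err != nil {
 return nil, catcher.Error("failed to get rules", err, map[string]any{"process": "plugin_com.utmstack.config"})
 }
@@ -526,12 +539,13 @@ func getRules(db *sql.DB) ([]Rule, error) {
 references any
 where any
 adversary any
-deduplicate any
+deduplicateBy any
 after any
+groupBy any
 )
 
 err = rows.Scan(&id, &ruleName, &confidentiality, &integrity, &availability,
-&category, &technique, &description, &references, &where, &adversary, &deduplicate, &after)
+&category, &technique, &description, &references, &where, &adversary, &deduplicateBy, &after, &groupBy)
 if err != nil {
 return nil, catcher.Error("failed to scan row", err, map[string]any{"process": "plugin_com.utmstack.config"})
 }
@@ -543,7 +557,7 @@ func getRules(db *sql.DB) ([]Rule, error) {
 continue
 }
 
-if err := rule.FromVar(id, dataTypes, ruleName, confidentiality, integrity, availability, category, technique, description, references, where, adversary, deduplicate, after); err != nil {
+if err := rule.FromVar(id, dataTypes, ruleName, confidentiality, integrity, availability, category, technique, description, references, where, adversary, deduplicateBy, after, groupBy); err != nil {
 continue
 }
 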
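Review bot: In the new `groupBy` block of `FromVar`, any value in `rule_group_by_def` that is not a valid JSON string array makes `FromVar` return an error, and the caller in `getRules` answers that with `continue`, so the whole correlation rule is left out of the loaded set rather than loaded without grouping. For a detection pipeline that is a coverage gap an operator needs to see, yet the error context carries only the process name; I would add the rule id, e.g. `map[string]any{"process": "plugin_com.utmstack.config", "ruleId": id}`. If `utils.CastString` can yield an empty string for this column (its behaviour is not visible here), `json.Unmarshal` fails on it, so guarding with `if groupByStr != "" {` would keep such rules active. The SELECT in `getRules` now requires `rule_group_by_def` to exist; the migration is not part of this commit, so confirm it ships first, since a failed query returns no rules at all. Both functions continue outside the hunks shown.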
