added filters support in threat detection APIs

akto-api-security · Jan 10, 2025 · 50650dc · 50650dc
1 parent 3be068a
commit 50650dc
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 3 deletions.
diff --git a/...etection-backend/src/main/java/com/akto/threat/backend/service/MaliciousEventService.java b/...etection-backend/src/main/java/com/akto/threat/backend/service/MaliciousEventService.java
@@ -10,14 +10,14 @@
 import com.akto.proto.generated.threat_detection.service.dashboard_service.v1.FetchAlertFiltersResponse;
 import com.akto.proto.generated.threat_detection.service.dashboard_service.v1.ListMaliciousRequestsRequest;
 import com.akto.proto.generated.threat_detection.service.dashboard_service.v1.ListMaliciousRequestsResponse;
+import com.akto.proto.generated.threat_detection.service.dashboard_service.v1.TimeRangeFilter;
 import com.akto.proto.generated.threat_detection.service.malicious_alert_service.v1.RecordMaliciousEventRequest;
 import com.akto.threat.backend.client.IPLookupClient;
 import com.akto.threat.backend.constants.KafkaTopic;
 import com.akto.threat.backend.constants.MongoDBCollection;
 import com.akto.threat.backend.db.AggregateSampleMaliciousEventModel;
 import com.akto.threat.backend.db.MaliciousEventModel;
 import com.akto.threat.backend.utils.KafkaUtils;
-import com.mongodb.BasicDBObject;
 import com.mongodb.client.DistinctIterable;
 import com.mongodb.client.MongoClient;
 import com.mongodb.client.MongoCollection;
@@ -28,6 +28,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import org.bson.Document;
 import org.bson.conversions.Bson;
 
 public class MaliciousEventService {
@@ -135,18 +136,39 @@ public ListMaliciousRequestsResponse listMaliciousRequests(
     int limit = request.getLimit();
     int skip = request.hasSkip() ? request.getSkip() : 0;
     Map<String, Integer> sort = request.getSortMap();
+    ListMaliciousRequestsRequest.Filter filter = request.getFilter();
 
     MongoCollection<MaliciousEventModel> coll =
         this.mongoClient
             .getDatabase(accountId)
             .getCollection(
                 MongoDBCollection.ThreatDetection.MALICIOUS_EVENTS, MaliciousEventModel.class);
 
-    BasicDBObject query = new BasicDBObject();
+    Document query = new Document();
+    if (!filter.getActorsList().isEmpty()) {
+      query.append("actor", new Document("$in", filter.getActorsList()));
+    }
+
+    if (!filter.getUrlsList().isEmpty()) {
+      query.append("latestApiEndpoint", new Document("$in", filter.getUrlsList()));
+    }
+
+    if (!filter.getIpsList().isEmpty()) {
+      query.append("latestApiIp", new Document("$in", filter.getIpsList()));
+    }
+
+    if (filter.hasDetectedAtTimeRange()) {
+      TimeRangeFilter timeRange = filter.getDetectedAtTimeRange();
+      long start = timeRange.hasStart() ? timeRange.getStart() : 0;
+      long end = timeRange.hasEnd() ? timeRange.getEnd() : Long.MAX_VALUE;
+
+      query.append("detectedAt", new Document("$gte", start).append("$lte", end));
+    }
+
     long total = coll.countDocuments(query);
     try (MongoCursor<MaliciousEventModel> cursor =
         coll.find(query)
-            .sort(new BasicDBObject("detectedAt", sort.getOrDefault("detectedAt", -1)))
+            .sort(new Document("detectedAt", sort.getOrDefault("detectedAt", -1)))
             .skip(skip)
             .limit(limit)
             .cursor()) {

diff --git a/...t-detection-backend/src/main/java/com/akto/threat/backend/service/ThreatActorService.java b/...t-detection-backend/src/main/java/com/akto/threat/backend/service/ThreatActorService.java
@@ -31,7 +31,30 @@ public ListThreatActorResponse listThreatActors(
             .getDatabase(accountId)
             .getCollection(MongoDBCollection.ThreatDetection.MALICIOUS_EVENTS, Document.class);
 
+    ListThreatActorsRequest.Filter filter = request.getFilter();
+
     List<Document> base = new ArrayList<>();
+
+    Document match = new Document();
+
+    if (!filter.getActorsList().isEmpty()) {
+      match.append("actor", new Document("$in", filter.getActorsList()));
+    }
+
+    if (!filter.getLatestIpsList().isEmpty()) {
+      match.append("latestApiIp", new Document("$in", filter.getLatestIpsList()));
+    }
+
+    if (filter.hasDetectedAtTimeRange()) {
+      long start = filter.getDetectedAtTimeRange().getStart();
+      long end = filter.getDetectedAtTimeRange().getEnd();
+      match.append("detectedAt", new Document("$gte", start).append("$lte", end));
+    }
+
+    if (!match.isEmpty()) {
+      base.add(new Document("$match", match));
+    }
+
     base.add(new Document("$sort", new Document("detectedAt", -1)));
     base.add(
         new Document(

diff --git a/...eat-detection-backend/src/main/java/com/akto/threat/backend/service/ThreatApiService.java b/...eat-detection-backend/src/main/java/com/akto/threat/backend/service/ThreatApiService.java
@@ -31,6 +31,27 @@ public ListThreatApiResponse listThreatApis(String accountId, ListThreatApiReque
             .getCollection(MongoDBCollection.ThreatDetection.MALICIOUS_EVENTS, Document.class);
 
     List<Document> base = new ArrayList<>();
+    ListThreatApiRequest.Filter filter = request.getFilter();
+
+    Document match = new Document();
+    if (!filter.getMethodsList().isEmpty()) {
+      match.append("latestApiMethod", new Document("$in", filter.getMethodsList()));
+    }
+
+    if (!filter.getUrlsList().isEmpty()) {
+      match.append("latestApiEndpoint", new Document("$in", filter.getUrlsList()));
+    }
+
+    if (filter.hasDetectedAtTimeRange()) {
+      long start = filter.getDetectedAtTimeRange().getStart();
+      long end = filter.getDetectedAtTimeRange().getEnd();
+      match.append("detectedAt", new Document("$gte", start).append("$lte", end));
+    }
+
+    if (!match.isEmpty()) {
+      base.add(new Document("$match", match));
+    }
+
     base.add(new Document("$sort", new Document("detectedAt", -1))); // sort
     base.add(
         new Document(

diff --git a/protobuf/threat_detection/service/dashboard_service/v1/service.proto b/protobuf/threat_detection/service/dashboard_service/v1/service.proto
@@ -28,11 +28,24 @@ message ListMaliciousRequestsResponse {
     uint64 total = 2;
 }
 
+message TimeRangeFilter {
+  optional uint64 start = 1;
+  optional uint64 end = 2;
+}
+
 message ListMaliciousRequestsRequest {
+    message Filter {
+      repeated string actors = 1;
+      repeated string urls = 2;
+      repeated string ips = 3;
+      optional TimeRangeFilter detected_at_time_range = 4;
+    }
+
     // The number of alerts to return
     optional uint32 skip = 1;
     uint32 limit = 2;
     map<string, int32> sort = 3;
+    Filter filter = 4;
 }
 
 message FetchAlertFiltersRequest {}
@@ -43,9 +56,16 @@ message FetchAlertFiltersResponse {
 }
 
 message ListThreatActorsRequest {
+  message Filter {
+    repeated string actors = 1;
+    repeated string latest_ips = 2;
+    optional TimeRangeFilter detected_at_time_range = 3;
+  }
+
   optional uint32 skip = 1;
   uint32 limit = 2;
   map<string, int32> sort = 3;
+  Filter filter = 4;
 }
 
 message ListThreatActorResponse {
@@ -62,9 +82,16 @@ message ListThreatActorResponse {
 }
 
 message ListThreatApiRequest {
+  message Filter {
+    repeated string urls = 1;
+    repeated string methods = 2;
+    optional TimeRangeFilter detected_at_time_range = 3;
+  }
+
   optional uint32 skip = 1;
   uint32 limit = 2;
   map<string, int32> sort = 3;
+  Filter filter = 4;
 }
 
 message ListThreatApiResponse {