Backlog/fix/tag rules (#2106)

* fix[frontend](rules): improved post event count validation

* fix[frontend](tag_rules): added events related fields on tag rule creation

---------

Co-authored-by: Osmany Montero <osmontero@icloud.com>

Author: AlexSanchez-bit

frontend/src/app/data-management/alert-management/shared/components/alert-rule-create/alert-rule-create.component.ts

@@ -32,7 +32,7 @@ import {
   ALERT_STATUS_LABEL_FIELD,
   ALERT_TAGS_FIELD,
   ALERT_TIMESTAMP_FIELD,
-  EVENT_IS_ALERT, FALSE_POSITIVE_OBJECT, LOG_RELATED_ID_EVENT_FIELD
+  EVENT_IS_ALERT, EVENT_TAG_RULE_FIELDS, FALSE_POSITIVE_OBJECT, LOG_RELATED_ID_EVENT_FIELD
 } from '../../../../../shared/constants/alert/alert-field.constant';
 import {AUTOMATIC_REVIEW, CLOSED} from '../../../../../shared/constants/alert/alert-status.constant';
 import {FILTER_OPERATORS} from '../../../../../shared/constants/filter-operators.const';
@@ -84,7 +84,6 @@ export class AlertRuleCreateComponent implements OnInit, OnDestroy {
     ALERT_OBSERVATION_FIELD,
     ALERT_NOTE_FIELD,
     ALERT_REFERENCE_FIELD,
-    LOG_RELATED_ID_EVENT_FIELD,
     EVENT_IS_ALERT,
     ALERT_INCIDENT_USER_FIELD,
     ALERT_INCIDENT_DATE_FIELD,
@@ -148,6 +147,8 @@ export class AlertRuleCreateComponent implements OnInit, OnDestroy {
       return acc.concat(field);
     }, []);
 
+    this.fields = [...this.fields, ...EVENT_TAG_RULE_FIELDS];
+
     this.operators = FILTER_OPERATORS.filter(value => !this.excludeOperators.includes(value.operator));
   }
 
@@ -232,6 +233,11 @@ export class AlertRuleCreateComponent implements OnInit, OnDestroy {
   }
 
   getFieldValue(field: string): any {
+    if(field.startsWith('events') && this.alert.events &&this.alert.events.length>0){
+      let fields = field.split('.')
+      fields.splice(0,1)
+      return getValueFromPropertyPath(this.alert.events[0],fields.join('.'), null);
+    }
     return getValueFromPropertyPath(this.alert, field, null);
   }
 

frontend/src/app/rule-management/app-rule/components/add-after-event/add-after-event.component.html

@@ -28,7 +28,7 @@
         Must be at least 1
       </div>
       <div class="invalid-feedback" *ngIf="form.get('count').touched && form.get('count').errors && form.get('count').errors['max']">
-        Must not be greater than 50
+        Must not be greater than 100
       </div>
     </div>
   </div>

frontend/src/app/rule-management/services/after-event-form.service.ts

@@ -36,7 +36,7 @@ export class AfterEventFormService {
           : []
       ),
       within: [event.within || ''],
-      count: [event.count ? event.count : null, [Validators.required, Validators.min(1), Validators.max(50)]],
+      count: [event.count ? event.count : null, [Validators.required, Validators.min(1), Validators.max(100)]],
     });
   }
 

frontend/src/app/shared/constants/alert/alert-field.constant.ts

@@ -120,6 +120,47 @@ export const EVENT_IS_ALERT = 'isAlert';
 
 export const FALSE_POSITIVE_OBJECT = {id: 1, tagName: 'False positive', tagColor: '#f44336', systemOwner: true};
 
+// Event-related fields exposed in tag-rule conditions.
+// These are flattened paths into the `events` array on the alert document
+// ("events" is mapped as an object array, so any condition matches when ANY
+// event satisfies it).
+export const EVENT_TAG_RULE_FIELDS: UtmFieldType[] = [
+  {label: 'Event Data Type', field: 'events.dataType', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Data Source', field: 'events.dataSource', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Action', field: 'events.action', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Action Result', field: 'events.actionResult', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Severity', field: 'events.severity', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Protocol', field: 'events.protocol', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Connection Status', field: 'events.connectionStatus', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Status Code', field: 'events.statusCode', type: ElasticDataTypesEnum.NUMBER, visible: true},
+  {label: 'Event Tenant Name', field: 'events.tenantName', type: ElasticDataTypesEnum.STRING, visible: true},
+  // Origin
+  {label: 'Event Origin IP', field: 'events.origin.ip', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin Host', field: 'events.origin.host', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin User', field: 'events.origin.user', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin Port', field: 'events.origin.port', type: ElasticDataTypesEnum.NUMBER, visible: true},
+  {label: 'Event Origin Domain', field: 'events.origin.domain', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin URL', field: 'events.origin.url', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin Country', field: 'events.origin.geolocation.country', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin Country Code', field: 'events.origin.geolocation.countryCode', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin City', field: 'events.origin.geolocation.city', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin ASN', field: 'events.origin.geolocation.asn', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Origin ASO', field: 'events.origin.geolocation.aso', type: ElasticDataTypesEnum.STRING, visible: true},
+  // Target
+  {label: 'Event Target IP', field: 'events.target.ip', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target Host', field: 'events.target.host', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target User', field: 'events.target.user', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target Port', field: 'events.target.port', type: ElasticDataTypesEnum.NUMBER, visible: true},
+  {label: 'Event Target URL', field: 'events.target.url', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target Domain', field: 'events.target.domain', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target File', field: 'events.target.file', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target Country', field: 'events.target.geolocation.country', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target Country Code', field: 'events.target.geolocation.countryCode', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target City', field: 'events.target.geolocation.city', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target ASN', field: 'events.target.geolocation.asn', type: ElasticDataTypesEnum.STRING, visible: true},
+  {label: 'Event Target ASO', field: 'events.target.geolocation.aso', type: ElasticDataTypesEnum.STRING, visible: true},
+];
+
 export const ALERT_FIELDS: UtmFieldType[] = [
   {
     label: 'Alert name',