De-dupe Alerts generated by Aggregation Sigma Rules fix
Signed-off-by: Riya Saxena <[email protected]>
riysaxen-amzn committed Dec 17, 2024
1 parent aeda877 commit 609ab38
Showing 4 changed files with 13 additions and 15 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,8 @@ private Monitor buildThreatIntelMonitor(IndexThreatIntelMonitorRequest request)
DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(
String.format("threat intel input for monitor named %s", request.getMonitor().getName()),
request.getMonitor().getIndices(),
Collections.emptyList() // no percolate queries
Collections.emptyList(), // no percolate queries
true
);
List<PerIocTypeScanInput> perIocTypeScanInputs = request.getMonitor().getPerIocTypeScanInputList().stream().map(
it -> new PerIocTypeScanInput(it.getIocType(), it.getIndexToFieldsMap())
Expand Down Expand Up @@ -241,8 +242,7 @@ private Monitor buildThreatIntelMonitor(IndexThreatIntelMonitorRequest request)
new DataSources(),
false,
null,
PLUGIN_OWNER_FIELD,
true
PLUGIN_OWNER_FIELD
);
} catch (Exception e) {
String error = "Error occurred while parsing monitor.";
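Review bot: The new fourth argument `true` passed to DocLevelMonitorInput right after `Collections.emptyList(), // no percolate queries` is a bare positional boolean, while the argument beside it explains itself in a trailing comment; the same applies to the `true` and `false` literals added to the two DocLevelMonitorInput calls in the second file of this commit. The value differs per monitor type (true here and for the rule monitor, false for the match-all monitor) and the commit message ties it to alert de-duplication, yet nothing at the call site says what the flag switches. Suggest a trailing comment naming the flag, e.g. `true // <flag name>: see DocLevelMonitorInput constructor`, or a named constant shared by the call sites. buildThreatIntelMonitor starts and ends outside the hunk.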
Original file line number Diff line number Diff line change
Expand Up @@ -772,7 +772,7 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List<Pair<String, Rule>
docLevelQueries.add(docLevelQuery);
}
docLevelQueries.addAll(threatIntelQueries);
DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries);
DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries, true);
docLevelMonitorInputs.add(docLevelMonitorInput);

List<DocumentLevelTrigger> triggers = new ArrayList<>();
Expand All @@ -797,7 +797,7 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List<Pair<String, Rule>
detector.getAlertsHistoryIndex(),
detector.getAlertsHistoryIndexPattern(),
DetectorMonitorConfig.getRuleIndexMappingsByType(),
true), enableDetectorWithDedicatedQueryIndices, null, PLUGIN_OWNER_FIELD, true);
true), enableDetectorWithDedicatedQueryIndices, null, PLUGIN_OWNER_FIELD);

return new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null);
}
Expand Down Expand Up @@ -877,7 +877,7 @@ private IndexMonitorRequest createDocLevelMonitorMatchAllRequest(
);
docLevelQueries.add(docLevelQuery);

DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries);
DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries, false);
docLevelMonitorInputs.add(docLevelMonitorInput);

List<DocumentLevelTrigger> triggers = new ArrayList<>();
Expand All @@ -902,7 +902,7 @@ private IndexMonitorRequest createDocLevelMonitorMatchAllRequest(
detector.getAlertsHistoryIndex(),
detector.getAlertsHistoryIndexPattern(),
DetectorMonitorConfig.getRuleIndexMappingsByType(),
true), enableDetectorWithDedicatedQueryIndices, true, PLUGIN_OWNER_FIELD, false);
true), enableDetectorWithDedicatedQueryIndices, true, PLUGIN_OWNER_FIELD);

return new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null);
}
Expand Down Expand Up @@ -1078,7 +1078,7 @@ public void onResponse(GetIndexMappingsResponse getIndexMappingsResponse) {
detector.getAlertsHistoryIndex(),
detector.getAlertsHistoryIndexPattern(),
DetectorMonitorConfig.getRuleIndexMappingsByType(),
true), false, null, PLUGIN_OWNER_FIELD, true);
true), false, null, PLUGIN_OWNER_FIELD);

listener.onResponse(new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null));
}
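Review bot: The hunk at `@@ -1078,7 +1078,7 @@ public void onResponse(GetIndexMappingsResponse getIndexMappingsResponse)` removes the Monitor's trailing `true`, but the DocLevelMonitorInput this monitor is built from is constructed outside the hunk, so it is not visible whether that call site now passes the new boolean and with which value. If the flag has moved from Monitor to DocLevelMonitorInput as the other hunks suggest, an input built without it (through a default or an overloaded constructor) would silently lose the de-duplication behaviour for that path; worth confirming in the surrounding code. The enclosing onResponse method starts and ends outside the hunk.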
Original file line number Diff line number Diff line change
Expand Up @@ -97,8 +97,7 @@ public void testGetAlerts_success() {
new DataSources(),
true,
null,
TransportIndexDetectorAction.PLUGIN_OWNER_FIELD,
true
TransportIndexDetectorAction.PLUGIN_OWNER_FIELD
),
new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")),
List.of("finding_id_1"),
Expand Down Expand Up @@ -134,8 +133,7 @@ public void testGetAlerts_success() {
new DataSources(),
true,
null,
TransportIndexDetectorAction.PLUGIN_OWNER_FIELD,
true
TransportIndexDetectorAction.PLUGIN_OWNER_FIELD
),
new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")),
List.of("finding_id_1"),
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,8 @@ public void testThreatInputSerde() throws IOException {
bytes,
new DocLevelMonitorInput("threat intel input",
List.of("index1", "index2"),
emptyList()
emptyList(),
true
)
)
),
Expand All @@ -59,8 +60,7 @@ public void testThreatInputSerde() throws IOException {
new DataSources(),
false,
null,
"security_analytics",
true
"security_analytics"
);
BytesStreamOutput monitorOut = new BytesStreamOutput();
monitor.writeTo(monitorOut);
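Review bot: testThreatInputSerde now round-trips a DocLevelMonitorInput with the new boolean set to `true` only, while the production code relies on the distinction between `true` (rule and threat-intel monitors) and `false` (match-all monitor); a serialization that dropped or defaulted the field could still pass this test. A second case with `false`, or an explicit assertion that the deserialized input's flag equals the written one, would pin the field's presence in the stream. The test body continues past the hunk, so its existing assertions are not visible here.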
