add field based rules support in correlation engine#737
add field based rules support in correlation engine#737eirsep merged 2 commits intoopensearch-project:mainfrom
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #737 +/- ##
============================================
- Coverage 24.73% 24.62% -0.12%
+ Complexity 1021 1018 -3
============================================
Files 275 275
Lines 12662 12711 +49
Branches 1389 1399 +10
============================================
- Hits 3132 3130 -2
- Misses 9264 9314 +50
- Partials 266 267 +1 ☔ View full report in Codecov by Sentry. |
| if (enableAutoCorrelations) { | ||
| generateAutoCorrelations(detector, finding); | ||
| } else { | ||
| onAutoCorrelations(detector, finding, Map.of()); |
There was a problem hiding this comment.
this method seems to be search on correlation index
if auto-correlation is disabled why are we invoking this method?
There was a problem hiding this comment.
this is the callback when auto correlations complete. so, if auto-correlations are disabled, we directly call the callback without generating auto correlations.
15d461a to
5d5d6dd
Compare
| for (CorrelationRule rule: filteredCorrelationRules) { | ||
| List<CorrelationQuery> queries = rule.getCorrelationQueries(); | ||
| Map<String, Long> categoryToTimeWindowMap = new HashMap<>(); | ||
| for (Triple<CorrelationRule, SearchHit[], String> rule: filteredCorrelationRules) { |
There was a problem hiding this comment.
nit: why are we not creating pojos. we have increased from list to triple?
| ); | ||
|
|
||
| public static final Setting<Boolean> ENABLE_AUTO_CORRELATIONS = Setting.boolSetting( | ||
| "plugins.security_analytics.enable_auto_correlations", |
There was a problem hiding this comment.
rename this to plugins.security_analytics.auto_correlations_enabled
|
|
||
| public static final Setting<Boolean> ENABLE_AUTO_CORRELATIONS = Setting.boolSetting( | ||
| "plugins.security_analytics.enable_auto_correlations", | ||
| false, |
There was a problem hiding this comment.
why is auto correlations disabled by default?
There was a problem hiding this comment.
auto correlations are disabled because they may generate too many irrelevant correlations. we're trying to further filter down auto correlations so that meaningful results are shown.
| "level: high"; | ||
| } | ||
|
|
||
| public static String randomRuleForCorrelations(String value) { |
There was a problem hiding this comment.
nit: rename to randomCloudtrailRuleForCorrelations
| } | ||
| } | ||
|
|
||
| public void testBasicCorrelationEngineWorkflowWithFieldBasedRulesOnMultipleLogTypes() throws IOException, InterruptedException { |
There was a problem hiding this comment.
do we support correlation for custom log types?
if yes, can we add a tests for correlation on (custom log types + log types)
There was a problem hiding this comment.
added an integ test for it.
| Map<String, Object> responseMap = entityAsMap(response); | ||
| List<Object> results = (List<Object>) responseMap.get("findings"); | ||
| if (results.size() == 1) { | ||
| Assert.assertTrue(true); |
There was a problem hiding this comment.
why are we not validating field values like finding id or field name etc.
There was a problem hiding this comment.
we do not need to in this test as only 1 result is expected. 0 correlations mean error.
|
Plz elaborate PR description for better understanding of the feature.. typically a github issue with the elaborate description tagged with PR is best practice and good for understanding and tracking Describe settings introduced and description of setting Add javadocs for settings and critical sections of code |
| getFindingsBody = entityAsMap(getFindingsResponse); | ||
| Assert.assertEquals(1, getFindingsBody.get("total_findings")); | ||
| } | ||
| @Ignore |
There was a problem hiding this comment.
why did we uncomment
is this test flakiness fixed?
There was a problem hiding this comment.
| import java.util.function.Predicate; | ||
| import java.util.stream.Collectors; | ||
|
|
||
|
|
There was a problem hiding this comment.
why is JoinEngine not a "component" injected from createComponents() in Plugin definition? We shouldn't have to parse a setting in transport action and pass it to correlation engine
There was a problem hiding this comment.
JoinEngine needs an instance of TransportCorrelateFindingAction. hence, it cannot be part of createComponents().
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
|
|
||
| import kotlin.Pair; | ||
| import org.apache.commons.lang3.tuple.Pair; | ||
| import org.apache.commons.lang3.tuple.Triple; |
| } | ||
| } | ||
| }, | ||
| "fields": { |
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.11-with-features 2.11-with-features
# Navigate to the new working tree
cd .worktrees/backport-2.11-with-features
# Create a new branch
git switch --create backport/backport-737-to-2.11-with-features
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 01facfc90ad56f9c7d0a63025c980297b5d352dd
# Push it to GitHub
git push --set-upstream origin backport/backport-737-to-2.11-with-features
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.11-with-featuresThen, create a pull request where the |
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-737-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 01facfc90ad56f9c7d0a63025c980297b5d352dd
# Push it to GitHub
git push --set-upstream origin backport/backport-737-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.xThen, create a pull request where the |
…ct#737) * add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> * add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> --------- Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
…ct#737) * add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> * add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> --------- Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
…ch-project#728) (opensearch-project#737) Signed-off-by: Petar Dzepina <petar.dzepina@gmail.com>
Description
add field based correlation rules support in correlation engine.
e.g., sample correlation rule with group by field
sample correlation rule with group by field & filter query
Issues Resolved
[List any issues this PR will resolve]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.