Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Alerts in correlations [Experminental] #1040

Merged

Conversation

riysaxen-amzn
Copy link
Collaborator

@riysaxen-amzn riysaxen-amzn commented May 22, 2024

Description

  • This is the initial PR for Alerts in Correlations, it has correlation alerts index management logic and Notification Service integration
  • A seperate PR will be raised for the new APIs

Issues Resolved

Issue

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@riysaxen-amzn riysaxen-amzn marked this pull request as ready for review May 31, 2024 01:41
@riysaxen-amzn riysaxen-amzn changed the title Alerts in correlations Alerts in correlations [Experminental] May 31, 2024
@eirsep
Copy link
Member

eirsep commented Jun 3, 2024

what is the intent of adding [Experimental] in PR? is that an opensearch project guideline?

/**
* Extension function for publishing a notification to a channel in the Notification plugin.
*/
public void sendNotification(String configId, String severity, String subject, String notificationMessageText) throws IOException {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what is config id?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

configId is the id of Notification configuration, same as destinationId

}
@Override
public void onFailure(Exception e) {
logger.error("Failed while sending a notification: " + e.toString());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we log information about detector id or config id or whatever is required to do an RCA on why notification failed by just looking at this log

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

addressed

Signed-off-by: Riya Saxena <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
@riysaxen-amzn
Copy link
Collaborator Author

what is the intent of adding [Experimental] in PR? is that an opensearch project guideline?

this is an experimental feature, thought to add this

@riysaxen-amzn riysaxen-amzn requested a review from eirsep June 6, 2024 00:20
public JoinEngine(Client client, PublishFindingsRequest request, NamedXContentRegistry xContentRegistry,
long corrTimeWindow, TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction,
LogTypeService logTypeService, boolean enableAutoCorrelations) {
long corrTimeWindow, TimeValue indexTimeout, TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where is index timeout being set?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In JoinEngine

        this.clusterService.getClusterSettings().addSettingsUpdateConsumer(SecurityAnalyticsSettings.INDEX_TIMEOUT, it -> indexTimeout = it);

@@ -53,6 +54,8 @@
import org.opensearch.script.ScriptService;
import org.opensearch.securityanalytics.action.*;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove * imports.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

executorService.shutdown();
}

private void scheduleRule(CorrelationRule correlationRule, List<String> findingIds, TimeValue indexTimeout, String sourceFindingId, User user) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of using java's executorservice can we use job-scheduler plugin?
also, i see for each rule we create a runnable.
Can we instead use an index to create a monitor like object which can be monitored by running a single job?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

addressed

@riysaxen-amzn riysaxen-amzn requested review from sbcd90 and eirsep June 10, 2024 21:59
// Convert CorrelationAlert to a map
try {
XContentBuilder builder = XContentFactory.jsonBuilder().startObject();
builder.field("correlated_finding_ids", correlationAlert.getCorrelatedFindingIds());
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should use the final variables declared above

}

// logic will be moved to common-utils, once the parsing logic in common-utils is fixed
public static CorrelationAlert parse(XContentParser xcp, String id, long version) throws IOException {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this still need to be moved to common-utils?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I can move this common-utils at a later point

}

public List<Action> getActions() {
// List<Action> transformedActions = new ArrayList<>();
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this not needed anymore?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, right now, no use but we can have something in future

private final NamedXContentRegistry xContentRegistry;
private final Client client;

protected static final String CORRELATED_FINDING_IDS = "correlated_finding_ids";
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason we're not specifying these in the correlation alert model in common-utils?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the parsing logic in common-utils is nt working as expected therefore for timebeing this is moved here

Signed-off-by: Riya Saxena <[email protected]>
@riysaxen-amzn
Copy link
Collaborator Author

riysaxen-amzn commented Jun 11, 2024

CI is passing locally after the latest changes in common-utils built in:

WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.BootstrapForTesting
WARNING: System::setSecurityManager will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.gradle.api.internal.tasks.testing.worker.TestWorker (file:/Users/riysaxen/.gradle/wrapper/dists/gradle-8.5-bin/5t9huq95ubn472n8rpzujfbqh/gradle-8.5/lib/plugins/gradle-testing-base-8.5.jar)
WARNING: Please consider reporting this to the maintainers of org.gradle.api.internal.tasks.testing.worker.TestWorker
WARNING: System::setSecurityManager will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.gradle.api.internal.tasks.testing.worker.TestWorker (file:/Users/riysaxen/.gradle/wrapper/dists/gradle-8.5-bin/5t9huq95ubn472n8rpzujfbqh/gradle-8.5/lib/plugins/gradle-testing-base-8.5.jar)
WARNING: Please consider reporting this to the maintainers of org.gradle.api.internal.tasks.testing.worker.TestWorker
WARNING: System::setSecurityManager will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.gradle.api.internal.tasks.testing.worker.TestWorker (file:/Users/riysaxen/.gradle/wrapper/dists/gradle-8.5-bin/5t9huq95ubn472n8rpzujfbqh/gradle-8.5/lib/plugins/gradle-testing-base-8.5.jar)
WARNING: Please consider reporting this to the maintainers of org.gradle.api.internal.tasks.testing.worker.TestWorker
WARNING: System::setSecurityManager will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.gradle.api.internal.tasks.testing.worker.TestWorker (file:/Users/riysaxen/.gradle/wrapper/dists/gradle-8.5-bin/5t9huq95ubn472n8rpzujfbqh/gradle-8.5/lib/plugins/gradle-testing-base-8.5.jar)
WARNING: Please consider reporting this to the maintainers of org.gradle.api.internal.tasks.testing.worker.TestWorker
WARNING: System::setSecurityManager will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.gradle.api.internal.tasks.testing.worker.TestWorker (file:/Users/riysaxen/.gradle/wrapper/dists/gradle-8.5-bin/5t9huq95ubn472n8rpzujfbqh/gradle-8.5/lib/plugins/gradle-testing-base-8.5.jar)
WARNING: Please consider reporting this to the maintainers of org.gradle.api.internal.tasks.testing.worker.TestWorker
WARNING: System::setSecurityManager will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.gradle.api.internal.tasks.testing.worker.TestWorker (file:/Users/riysaxen/.gradle/wrapper/dists/gradle-8.5-bin/5t9huq95ubn472n8rpzujfbqh/gradle-8.5/lib/plugins/gradle-testing-base-8.5.jar)
WARNING: Please consider reporting this to the maintainers of org.gradle.api.internal.tasks.testing.worker.TestWorker
WARNING: System::setSecurityManager will be removed in a future release

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.5/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

BUILD SUCCESSFUL in 38s


@jowg-amazon
Copy link
Collaborator

Non blocking but can we add TODO tasks for all the parts that need to be refactored/changed after this PR?

@riysaxen-amzn
Copy link
Collaborator Author

Non blocking but can we add TODO tasks for all the parts that need to be refactored/changed after this PR?

yes, there'll be another PR after this for the APIs will update there

@riysaxen-amzn riysaxen-amzn merged commit 62e4453 into opensearch-project:main Jun 11, 2024
3 of 11 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jun 11, 2024
* notification for alerting in correlation

* correlation alerts mapping change

* working code

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alerts in correlations notification service added

Signed-off-by: Riya Saxena <[email protected]>

* addressing the comments

Signed-off-by: Riya Saxena <[email protected]>

* addressing the comments

Signed-off-by: Riya Saxena <[email protected]>

* address the design changes discussed

Signed-off-by: Riya Saxena <[email protected]>

* address the design changes discussed

Signed-off-by: Riya Saxena <[email protected]>

* fixed tests

Signed-off-by: Riya Saxena <[email protected]>

---------

Signed-off-by: Riya <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
(cherry picked from commit 62e4453)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security-analytics/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security-analytics/backport-2.x
# Create a new branch
git switch --create backport-1040-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 62e4453dde8977a43c16c7d7b27ffc4413ec00df
# Push it to GitHub
git push --set-upstream origin backport-1040-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security-analytics/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport-1040-to-2.x.

riysaxen-amzn added a commit to riysaxen-amzn/security-analytics that referenced this pull request Jun 12, 2024
* notification for alerting in correlation

* correlation alerts mapping change

* working code

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alerts in correlations notification service added

Signed-off-by: Riya Saxena <[email protected]>

* addressing the comments

Signed-off-by: Riya Saxena <[email protected]>

* addressing the comments

Signed-off-by: Riya Saxena <[email protected]>

* address the design changes discussed

Signed-off-by: Riya Saxena <[email protected]>

* address the design changes discussed

Signed-off-by: Riya Saxena <[email protected]>

* fixed tests

Signed-off-by: Riya Saxena <[email protected]>

---------

Signed-off-by: Riya <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
(cherry picked from commit 62e4453)
riysaxen-amzn added a commit that referenced this pull request Jun 12, 2024
* notification for alerting in correlation

* correlation alerts mapping change

* working code

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alerts in correlations notification service added

Signed-off-by: Riya Saxena <[email protected]>

* addressing the comments

Signed-off-by: Riya Saxena <[email protected]>

* addressing the comments

Signed-off-by: Riya Saxena <[email protected]>

* address the design changes discussed

Signed-off-by: Riya Saxena <[email protected]>

* address the design changes discussed

Signed-off-by: Riya Saxena <[email protected]>

* fixed tests

Signed-off-by: Riya Saxena <[email protected]>

---------

Signed-off-by: Riya <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
(cherry picked from commit 62e4453)
/**
* Extension function for publishing a notification to a channel in the Notification plugin.
*/
public void sendNotification(String configId, String severity, String subject, String notificationMessageText) throws IOException {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this call should be event driven. write now we made it async.. cant handle failure

jowg-amazon pushed a commit to jowg-amazon/security-analytics that referenced this pull request Jul 2, 2024
* notification for alerting in correlation

* correlation alerts mapping change

* working code

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alertsInCorrelation without notifciations

Signed-off-by: Riya Saxena <[email protected]>

* alerts in correlations notification service added

Signed-off-by: Riya Saxena <[email protected]>

* addressing the comments

Signed-off-by: Riya Saxena <[email protected]>

* addressing the comments

Signed-off-by: Riya Saxena <[email protected]>

* address the design changes discussed

Signed-off-by: Riya Saxena <[email protected]>

* address the design changes discussed

Signed-off-by: Riya Saxena <[email protected]>

* fixed tests

Signed-off-by: Riya Saxena <[email protected]>

---------

Signed-off-by: Riya <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants