Alerts in correlations [Experimental] #1040
Conversation
Signed-off-by: Riya <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
what is the intent of adding
/** | ||
* Extension function for publishing a notification to a channel in the Notification plugin. | ||
*/ | ||
public void sendNotification(String configId, String severity, String subject, String notificationMessageText) throws IOException { |
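Review bot: the Javadoc on sendNotification says nothing about its four parameters, and the exchange below shows that configId already needs explaining (it is the id of the Notification plugin configuration, i.e. the destination). Add @param tags for configId, severity, subject and notificationMessageText, say what the declared IOException actually covers, and state whether the method returns before delivery is confirmed, since a caller cannot tell that from the signature.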
what is config id?
configId is the id of Notification configuration, same as destinationId
} | ||
@Override | ||
public void onFailure(Exception e) { | ||
logger.error("Failed while sending a notification: " + e.toString()); |
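Review bot: logger.error("Failed while sending a notification: " + e.toString()) in onFailure discards the stack trace; pass the exception as the last argument, e.g. logger.error("Failed while sending a notification for config {}", configId, e), so Log4j records the cause, and include the notification configId (and, if it is in scope, the correlation alert or finding id that triggered the send) so the failure can be traced from the log line alone.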
can we log information about detector id or config id or whatever is required to do an RCA on why the notification failed by just looking at this log?
addressed
Signed-off-by: Riya Saxena <[email protected]>
this is an experimental feature, thought to add this
public JoinEngine(Client client, PublishFindingsRequest request, NamedXContentRegistry xContentRegistry, | ||
long corrTimeWindow, TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction, | ||
LogTypeService logTypeService, boolean enableAutoCorrelations) { | ||
long corrTimeWindow, TimeValue indexTimeout, TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction, |
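Review bot: TimeValue indexTimeout is now a constructor argument, so JoinEngine captures the value at construction time; if the engine is long-lived and INDEX_TIMEOUT is a dynamic setting, as the settings-update consumer quoted in this thread implies, later updates will not reach this field unless that consumer writes to the engine instance itself. Either construct JoinEngine per request with the current value, or pass a Supplier<TimeValue> and read it at the point the index request is built.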
where is index timeout being set?
In JoinEngine
this.clusterService.getClusterSettings().addSettingsUpdateConsumer(SecurityAnalyticsSettings.INDEX_TIMEOUT, it -> indexTimeout = it);
@@ -53,6 +54,8 @@ | |||
import org.opensearch.script.ScriptService; | |||
import org.opensearch.securityanalytics.action.*; |
remove * imports.
updated
executorService.shutdown(); | ||
} | ||
|
||
private void scheduleRule(CorrelationRule correlationRule, List<String> findingIds, TimeValue indexTimeout, String sourceFindingId, User user) { |
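Review bot: executorService.shutdown() on its own does not wait for runnables already submitted, so a node close can cut a correlation alert write in half; pair it with awaitTermination and a shutdownNow fallback. Separately, scheduleRule hands a User to a background task, and the executor thread carries none of the security headers of the request that produced the finding, so the runnable must explicitly re-establish that user's thread context (or deliberately run under the plugin's own context) before issuing index requests; otherwise the alert and notification work runs with whatever context the pool thread happens to have.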
instead of using java's executorservice can we use job-scheduler plugin?
also, i see for each rule we create a runnable.
Can we instead use an index to create a monitor like object which can be monitored by running a single job?
addressed
Signed-off-by: Riya Saxena <[email protected]>
// Convert CorrelationAlert to a map | ||
try { | ||
XContentBuilder builder = XContentFactory.jsonBuilder().startObject(); | ||
builder.field("correlated_finding_ids", correlationAlert.getCorrelatedFindingIds()); |
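Review bot: builder.field("correlated_finding_ids", ...) uses a string literal for a key that the class already declares as CORRELATED_FINDING_IDS (see the constants hunk further down this thread); use the constant so serialisation and parse cannot drift apart. The XContentBuilder opened with jsonBuilder().startObject() inside a plain try should also be a try-with-resources, since XContentBuilder is Closeable and is otherwise leaked on the exception path.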
Should use the final variables declared above
} | ||
|
||
// logic will be moved to common-utils, once the parsing logic in common-utils is fixed | ||
public static CorrelationAlert parse(XContentParser xcp, String id, long version) throws IOException { |
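Review bot: the comment "logic will be moved to common-utils, once the parsing logic in common-utils is fixed" should be a TODO that names the tracking issue, so the duplicated parser is removed once the common-utils fix lands; the thread already asks for TODOs on every part that is to be refactored after this PR. While the local parse(xcp, id, version) exists, make it reject a document that lacks the required fields rather than returning a partially populated CorrelationAlert, because an incomplete alert would otherwise go on to drive notifications.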
Does this still need to be moved to common-utils?
yes, I can move this to common-utils at a later point
} | ||
|
||
public List<Action> getActions() { | ||
// List<Action> transformedActions = new ArrayList<>(); |
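Review bot: the commented-out // List<Action> transformedActions = new ArrayList<>(); in getActions is dead code; delete it, or, if the transformation is planned, replace it with a TODO that says what getActions should eventually return, rather than leaving an unexplained remnant in the method body.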
Is this not needed anymore?
yes, right now there is no use, but we can have something in future
private final NamedXContentRegistry xContentRegistry; | ||
private final Client client; | ||
|
||
protected static final String CORRELATED_FINDING_IDS = "correlated_finding_ids"; |
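Review bot: protected static final String CORRELATED_FINDING_IDS = "correlated_finding_ids" re-declares a field name that the correlation alert model in common-utils owns, and the reply in this thread confirms the duplication is temporary; add a TODO so the constant is removed together with the local parser, and make the serialisation code use this constant instead of the bare literal, otherwise the key can drift between the two copies.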
Is there a reason we're not specifying these in the correlation alert model in common-utils?
the parsing logic in common-utils is not working as expected; therefore, for the time being, this is moved here
Signed-off-by: Riya Saxena <[email protected]>
CI is passing locally after the latest changes in common-utils built in:
Non blocking, but can we add TODO tasks for all the parts that need to be refactored/changed after this PR?
yes, there'll be another PR after this for the APIs; will update there
* notification for alerting in correlation
* correlation alerts mapping change
* working code
Signed-off-by: Riya Saxena <[email protected]>
* alertsInCorrelation without notifications
Signed-off-by: Riya Saxena <[email protected]>
* alertsInCorrelation without notifications
Signed-off-by: Riya Saxena <[email protected]>
* alertsInCorrelation without notifications
Signed-off-by: Riya Saxena <[email protected]>
* alerts in correlations notification service added
Signed-off-by: Riya Saxena <[email protected]>
* addressing the comments
Signed-off-by: Riya Saxena <[email protected]>
* addressing the comments
Signed-off-by: Riya Saxena <[email protected]>
* address the design changes discussed
Signed-off-by: Riya Saxena <[email protected]>
* address the design changes discussed
Signed-off-by: Riya Saxena <[email protected]>
* fixed tests
Signed-off-by: Riya Saxena <[email protected]>
---------
Signed-off-by: Riya <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
(cherry picked from commit 62e4453)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
The backport to
To backport manually, run these commands in your terminal:
# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security-analytics/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security-analytics/backport-2.x
# Create a new branch
git switch --create backport-1040-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 62e4453dde8977a43c16c7d7b27ffc4413ec00df
# Push it to GitHub
git push --set-upstream origin backport-1040-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security-analytics/backport-2.x
Then, create a pull request where the
/** | ||
* Extension function for publishing a notification to a channel in the Notification plugin. | ||
*/ | ||
public void sendNotification(String configId, String severity, String subject, String notificationMessageText) throws IOException { |
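Review bot: sendNotification(...) declares throws IOException, but if the send is dispatched asynchronously, as the comment below states, that checked exception covers only building the request and the caller learns nothing about delivery failures. Either route failures back through an ActionListener supplied by the caller, or record the failed state on the correlation alert so the outcome is visible and can be retried; a fire-and-forget send silently drops alerts whenever the Notification channel is down.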
this call should be event driven. right now we made it async; can't handle failure
* notification for alerting in correlation
* correlation alerts mapping change
* working code
Signed-off-by: Riya Saxena <[email protected]>
* alertsInCorrelation without notifications
Signed-off-by: Riya Saxena <[email protected]>
* alertsInCorrelation without notifications
Signed-off-by: Riya Saxena <[email protected]>
* alertsInCorrelation without notifications
Signed-off-by: Riya Saxena <[email protected]>
* alerts in correlations notification service added
Signed-off-by: Riya Saxena <[email protected]>
* addressing the comments
Signed-off-by: Riya Saxena <[email protected]>
* addressing the comments
Signed-off-by: Riya Saxena <[email protected]>
* address the design changes discussed
Signed-off-by: Riya Saxena <[email protected]>
* address the design changes discussed
Signed-off-by: Riya Saxena <[email protected]>
* fixed tests
Signed-off-by: Riya Saxena <[email protected]>
---------
Signed-off-by: Riya <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
Description
Issues Resolved
Issue
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.