-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add field based rules support in correlation engine #737
Conversation
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #737 +/- ##
============================================
- Coverage 24.73% 24.62% -0.12%
+ Complexity 1021 1018 -3
============================================
Files 275 275
Lines 12662 12711 +49
Branches 1389 1399 +10
============================================
- Hits 3132 3130 -2
- Misses 9264 9314 +50
- Partials 266 267 +1 ☔ View full report in Codecov by Sentry. |
if (enableAutoCorrelations) { | ||
generateAutoCorrelations(detector, finding); | ||
} else { | ||
onAutoCorrelations(detector, finding, Map.of()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this method seems to be search on correlation index
if auto-correlation is disabled why are we invoking this method?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the callback when auto correlations complete. so, if auto-correlations are disabled, we directly call the callback without generating auto correlations.
15d461a
to
5d5d6dd
Compare
for (CorrelationRule rule: filteredCorrelationRules) { | ||
List<CorrelationQuery> queries = rule.getCorrelationQueries(); | ||
Map<String, Long> categoryToTimeWindowMap = new HashMap<>(); | ||
for (Triple<CorrelationRule, SearchHit[], String> rule: filteredCorrelationRules) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: why are we not creating pojos. we have increased from list to triple?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed it.
@@ -138,6 +138,12 @@ public class SecurityAnalyticsSettings { | |||
Setting.Property.NodeScope, Setting.Property.Dynamic | |||
); | |||
|
|||
public static final Setting<Boolean> ENABLE_AUTO_CORRELATIONS = Setting.boolSetting( | |||
"plugins.security_analytics.enable_auto_correlations", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename this to plugins.security_analytics.auto_correlations_enabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed it.
@@ -138,6 +138,12 @@ public class SecurityAnalyticsSettings { | |||
Setting.Property.NodeScope, Setting.Property.Dynamic | |||
); | |||
|
|||
public static final Setting<Boolean> ENABLE_AUTO_CORRELATIONS = Setting.boolSetting( | |||
"plugins.security_analytics.enable_auto_correlations", | |||
false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is auto correlations disabled by default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
auto correlations are disabled because they may generate too many irrelevant correlations. we're trying to further filter down auto correlations so that meaningful results are shown.
@@ -259,6 +259,29 @@ public static String randomRule() { | |||
"level: high"; | |||
} | |||
|
|||
public static String randomRuleForCorrelations(String value) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: rename to randomCloudtrailRuleForCorrelations
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed it.
} | ||
} | ||
|
||
public void testBasicCorrelationEngineWorkflowWithFieldBasedRulesOnMultipleLogTypes() throws IOException, InterruptedException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we support correlation for custom log types?
if yes, can we add a tests for correlation on (custom log types + log types)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added an integ test for it.
Map<String, Object> responseMap = entityAsMap(response); | ||
List<Object> results = (List<Object>) responseMap.get("findings"); | ||
if (results.size() == 1) { | ||
Assert.assertTrue(true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why are we not validating field values like finding id or field name etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we do not need to in this test as only 1 result
is expected. 0 correlations
mean error.
Plz elaborate PR description for better understanding of the feature.. typically a github issue with the elaborate description tagged with PR is best practice and good for understanding and tracking Describe settings introduced and description of setting Add javadocs for settings and critical sections of code |
@@ -264,7 +264,7 @@ public void testGetFindings_byDetectorType_success() throws IOException { | |||
getFindingsBody = entityAsMap(getFindingsResponse); | |||
Assert.assertEquals(1, getFindingsBody.get("total_findings")); | |||
} | |||
@Ignore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why did we uncomment
is this test flakiness fixed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -49,7 +50,6 @@ | |||
import java.util.Map; | |||
import java.util.Optional; | |||
import java.util.Set; | |||
import java.util.function.Predicate; | |||
import java.util.stream.Collectors; | |||
|
|||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is JoinEngine not a "component" injected from createComponents()
in Plugin definition? We shouldn't have to parse a setting in transport action and pass it to correlation engine
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
JoinEngine needs an instance of TransportCorrelateFindingAction
. hence, it cannot be part of createComponents()
.
Signed-off-by: Subhobrata Dey <[email protected]>
Signed-off-by: Subhobrata Dey <[email protected]>
@@ -4,7 +4,8 @@ | |||
*/ | |||
package org.opensearch.securityanalytics.correlation; | |||
|
|||
import kotlin.Pair; | |||
import org.apache.commons.lang3.tuple.Pair; | |||
import org.apache.commons.lang3.tuple.Triple; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this import used at all?
@@ -46,6 +46,9 @@ | |||
"type" : "keyword" | |||
} | |||
} | |||
}, | |||
"fields": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we support multiple fields?
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.11-with-features 2.11-with-features
# Navigate to the new working tree
cd .worktrees/backport-2.11-with-features
# Create a new branch
git switch --create backport/backport-737-to-2.11-with-features
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 01facfc90ad56f9c7d0a63025c980297b5d352dd
# Push it to GitHub
git push --set-upstream origin backport/backport-737-to-2.11-with-features
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.11-with-features Then, create a pull request where the |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-737-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 01facfc90ad56f9c7d0a63025c980297b5d352dd
# Push it to GitHub
git push --set-upstream origin backport/backport-737-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x Then, create a pull request where the |
…ct#737) * add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <[email protected]> * add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <[email protected]> --------- Signed-off-by: Subhobrata Dey <[email protected]>
* add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <[email protected]> Co-authored-by: Subhobrata Dey <[email protected]>
…ct#737) * add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <[email protected]> * add field based rules support in correlation engine Signed-off-by: Subhobrata Dey <[email protected]> --------- Signed-off-by: Subhobrata Dey <[email protected]>
Signed-off-by: Joanne Wang <[email protected]>
…ch-project#728) (opensearch-project#737) Signed-off-by: Petar Dzepina <[email protected]>
Description
add field based correlation rules support in correlation engine.
e.g., sample correlation rule with group by field
sample correlation rule with group by field & filter query
Issues Resolved
[List any issues this PR will resolve]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.