From e4aeac90fc64d567fb75e32f332179b0e513bdef Mon Sep 17 00:00:00 2001
From: Ashish Agrawal
Date: Tue, 3 Oct 2023 14:18:41 -0700
Subject: [PATCH] Ingest others_cloud category first
Signed-off-by: Ashish Agrawal
---
 .../securityanalytics/util/RuleIndices.java | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java b/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java
index 53c0a516f..b3018a157 100644
--- a/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java
+++ b/src/main/java/org/opensearch/securityanalytics/util/RuleIndices.java
@@ -272,10 +272,16 @@ private String getRuleCategory(Path folderPath) {
 private void ingestQueries(Map> logIndexToRules, WriteRequest.RefreshPolicy refreshPolicy, TimeValue indexTimeout, ActionListener listener) throws SigmaError, IOException {
 List queries = new ArrayList<>();
- for (Map.Entry> logIndexToRule: logIndexToRules.entrySet()) {
- Map fieldMappings = logTypeService.getRuleFieldMappingsForBuiltinLogType(logIndexToRule.getKey());
+ // Moving others_cloud to the top so those queries are indexed first and can be overwritten
+ // if other categories contain the same rules
+ List categories = new ArrayList<>(logIndexToRules.keySet());
+ if (categories.remove("others_cloud")) {
+ categories.add(0, "others_cloud");
+ }
+ for (String category: categories) {
+ Map fieldMappings = logTypeService.getRuleFieldMappingsForBuiltinLogType(category);
 final QueryBackend backend = new OSQueryBackend(fieldMappings, true, true);
- queries.addAll(getQueries(backend, logIndexToRule.getKey(), logIndexToRule.getValue()));
+ queries.addAll(getQueries(backend, category, logIndexToRules.get(category)));
 }
 loadRules(queries, refreshPolicy, indexTimeout, listener, true);
 }
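Review bot: Only the others_cloud-versus-everything-else precedence is pinned by the new `categories` list; the remaining categories are visited in whatever order `logIndexToRules.keySet()` yields, so when two non-others_cloud categories carry the same rule, which query survives is still unspecified (assuming loadRules overwrites on equal ids, as the added comment implies). Sorting the copied list before the move, `categories.sort(null);` right after the `new ArrayList<>(logIndexToRules.keySet())` line, would make the ingest order, and therefore the winning rule, deterministic across runs. The literal "others_cloud" also appears twice in the hunk; a `private static final String OTHERS_CLOUD_CATEGORY = "others_cloud";` on the class would keep it in one place. Because a rule silently replaced by a same-id rule from another category is a detection gap rather than a failure, a debug-level log naming the shadowed rule would help operators; that belongs wherever ids are compared, which is outside this hunk.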