From f964dd1bad70b9b154dfc20f87e86de0061fb49d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 19 Dec 2024 22:55:24 +0000 Subject: [PATCH] fixes the duplicate alerts generated by Aggregation Sigma Roles (#1424) * De-dupe Alerts generated by Aggregation Sigma Rules fix Signed-off-by: Riya Saxena * De-dupe Alerts generated by Aggregation Sigma Rules fix Signed-off-by: Riya Saxena * De-dupe Alerts generated by Aggregation Sigma Rules fix Signed-off-by: Riya Saxena * tests fix Signed-off-by: Riya Saxena * tests fix Signed-off-by: Riya Saxena --------- Signed-off-by: Riya Saxena (cherry picked from commit 4845337ef2dfc8123a25056e9faa125873573c75) Signed-off-by: github-actions[bot] --- .../monitor/TransportIndexThreatIntelMonitorAction.java | 3 ++- .../transport/TransportIndexDetectorAction.java | 4 ++-- .../threatIntel/model/monitor/ThreatIntelInputTests.java | 3 ++- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java index c9e364da7..998a8bc29 100644 --- a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java @@ -202,7 +202,8 @@ private Monitor buildThreatIntelMonitor(IndexThreatIntelMonitorRequest request) DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput( String.format("threat intel input for monitor named %s", request.getMonitor().getName()), request.getMonitor().getIndices(), - Collections.emptyList() // no percolate queries + Collections.emptyList(), // no percolate queries + true ); List perIocTypeScanInputs = request.getMonitor().getPerIocTypeScanInputList().stream().map( it -> new PerIocTypeScanInput(it.getIocType(), it.getIndexToFieldsMap()) diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java index f415d0f2a..7d1a1339b 100644 --- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java +++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java @@ -771,7 +771,7 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List docLevelQueries.add(docLevelQuery); } docLevelQueries.addAll(threatIntelQueries); - DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries); + DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries, true); docLevelMonitorInputs.add(docLevelMonitorInput); List triggers = new ArrayList<>(); @@ -872,7 +872,7 @@ private IndexMonitorRequest createDocLevelMonitorMatchAllRequest( ); docLevelQueries.add(docLevelQuery); - DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries); + DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries, false); docLevelMonitorInputs.add(docLevelMonitorInput); List triggers = new ArrayList<>(); diff --git a/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java b/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java index 36de85ebf..db5a8718c 100644 --- a/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java +++ b/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java @@ -50,7 +50,8 @@ public void testThreatInputSerde() throws IOException { bytes, new DocLevelMonitorInput("threat intel input", List.of("index1", "index2"), - emptyList() + emptyList(), + true ) ) ),