
[BUG] Threat Intel Monitor is not clubbing matched doc-ids into Finding for same IoC because of fanout #1176

Open
eirsep opened this issue Jul 18, 2024 · 0 comments
Labels
bug Something isn't working

Comments

eirsep commented Jul 18, 2024

Detector findings are groups of rules that a doc id matches. Since the doc-level monitor's distributed approach guarantees that only one node in one execution of a monitor sees a given doc, a unique finding is guaranteed.

But the threat intel monitor creates findings per IoC and links the doc ids that contain that IoC. So every single node in the distributed execution can create a finding for an IoC and link unique doc ids, but since a threat intel finding is identified by IoC value and not by a doc id, there would be duplicate findings.

Potential solutions:

  1. Use a locking mechanism to create the finding. If the finding already exists, then update it with the doc ids.
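A simulation of the fanout duplication described in the issue and of the proposed create-or-update-under-lock fix, added here as an illustration and not taken from the project's code; the node names, doc ids and IoC values are constructed.

```python
import threading
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed sample input (not from the issue): each node sees a disjoint
# slice of docs, as the doc-level monitor guarantees, but the same IoC value
# can still show up on several nodes.
NODE_DOCS = {
    "node-1": {"doc-1": "198.51.100.7", "doc-2": "203.0.113.9"},
    "node-2": {"doc-3": "198.51.100.7", "doc-4": "198.51.100.7"},
    "node-3": {"doc-5": "203.0.113.9"},
}

def group_by_ioc(docs):
    """Map IoC value -> set of doc ids, for the docs one node matched."""
    per_ioc = defaultdict(set)
    for doc_id, ioc in docs.items():
        per_ioc[ioc].add(doc_id)
    return per_ioc

def fanout_naive(node_docs):
    """Current behaviour: every node appends its own finding per IoC, so an
    IoC seen on N nodes ends up with N findings instead of one."""
    findings = []
    def run_node(docs):
        for ioc, doc_ids in group_by_ioc(docs).items():
            findings.append({"ioc": ioc, "doc_ids": set(doc_ids)})
    with ThreadPoolExecutor() as pool:
        list(pool.map(run_node, node_docs.values()))
    return findings

def fanout_locked(node_docs):
    """Proposed fix: findings keyed by IoC value; a node takes a lock and
    either creates the finding or merges its doc ids into the existing one."""
    findings = {}
    lock = threading.Lock()  # stands in for a cluster-wide lock on the finding
    def run_node(docs):
        for ioc, doc_ids in group_by_ioc(docs).items():
            with lock:
                if ioc in findings:
                    findings[ioc]["doc_ids"] |= doc_ids
                else:
                    findings[ioc] = {"ioc": ioc, "doc_ids": set(doc_ids)}
    with ThreadPoolExecutor() as pool:
        list(pool.map(run_node, node_docs.values()))
    return findings
```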