add field based rules support in correlation engine

[sbcd90]

Description

add field based correlation rules support in correlation engine.

e.g., sample correlation rule with group by field

POST /_plugins/_security_analytics/correlation/rules
{
  "correlate": [
    {
      "index": "windows5",
      "field": "SourceIp",
      "category": "windows"
    },
    {
      "index": "vpc_flow1",
      "category": "vpcflow",
      "field": "netflow.srcaddr"
    }
  ],
  "name": "vpcflow to windows",
  "time_window": 300000
}

sample correlation rule with group by field & filter query

{
  "correlate": [
    {
      "index": "cloudtrail-5",
      "query": "eventName:CreateUser",
      "field": "requestParameters.userName",
      "category": "cloudtrail"
    },
    {
      "index": "cloudtrail-5",
      "category": "cloudtrail",
      "query": "eventName:DeleteUser",
      "field": "requestParameters.userName"
    }
  ],
  "name": "cloudtrail create to delete account",
  "time_window": 600000
}

Issues Resolved

[List any issues this PR will resolve]

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Attention: 80 lines in your changes are missing coverage. Please review.

Comparison is base (c0f7bd9) 24.73% compared to head (dec7296) 24.62%.

Files	Patch %	Lines
...arch/securityanalytics/correlation/JoinEngine.java	0.00%	52 Missing ⚠️
...arch/securityanalytics/model/CorrelationQuery.java	0.00%	15 Missing ⚠️
...earch/securityanalytics/model/CorrelationRule.java	0.00%	10 Missing ⚠️
...ics/transport/TransportCorrelateFindingAction.java	0.00%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main     #737      +/-   ##
============================================
- Coverage     24.73%   24.62%   -0.12%     
+ Complexity     1021     1018       -3     
============================================
  Files           275      275              
  Lines         12662    12711      +49     
  Branches       1389     1399      +10     
============================================
- Hits           3132     3130       -2     
- Misses         9264     9314      +50     
- Partials        266      267       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[eirsep]

this method seems to be search on correlation index

if auto-correlation is disabled why are we invoking this method?

[sbcd90]

this is the callback when auto correlations complete. so, if auto-correlations are disabled, we directly call the callback without generating auto correlations.

[eirsep]

nit: why are we not creating pojos. we have increased from list to triple?

[sbcd90]

fixed it.

[eirsep]

rename this to plugins.security_analytics.auto_correlations_enabled

[sbcd90]

fixed it.

[eirsep]

why is auto correlations disabled by default?

[sbcd90]

auto correlations are disabled because they may generate too many irrelevant correlations. we're trying to further filter down auto correlations so that meaningful results are shown.

[eirsep]

nit: rename to randomCloudtrailRuleForCorrelations

[sbcd90]

fixed it.

[eirsep]

do we support correlation for custom log types?

if yes, can we add a tests for correlation on (custom log types + log types)

[sbcd90]

added an integ test for it.

[eirsep]

why are we not validating field values like finding id or field name etc.

[sbcd90]

we do not need to in this test as only 1 result is expected. 0 correlations mean error.

[eirsep]

Plz elaborate PR description for better understanding of the feature.. typically a github issue with the elaborate description tagged with PR is best practice and good for understanding and tracking

Describe settings introduced and description of setting

Add javadocs for settings and critical sections of code
plz add details in PR description with example of correlation finding document and if there is any change after field based correlation.

[eirsep]

why did we uncomment
is this test flakiness fixed?

[sbcd90]

flakiness was fixed by adding this https://github.com/opensearch-project/security-analytics/pull/737/files#diff-20d6f1670be34a4f479880ddef06426f6dc20ff28a153a9225e829eaa325a7f7

[eirsep]

why is JoinEngine not a "component" injected from createComponents() in Plugin definition? We shouldn't have to parse a setting in transport action and pass it to correlation engine

[sbcd90]

JoinEngine needs an instance of TransportCorrelateFindingAction. hence, it cannot be part of createComponents().

[eirsep]

is this import used at all?

[eirsep]

do we support multiple fields?

[opensearch-trigger-bot]

The backport to 2.11-with-features failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.11-with-features 2.11-with-features
# Navigate to the new working tree
cd .worktrees/backport-2.11-with-features
# Create a new branch
git switch --create backport/backport-737-to-2.11-with-features
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 01facfc90ad56f9c7d0a63025c980297b5d352dd
# Push it to GitHub
git push --set-upstream origin backport/backport-737-to-2.11-with-features
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.11-with-features

Then, create a pull request where the base branch is 2.11-with-features and the compare/head branch is backport/backport-737-to-2.11-with-features.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-737-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 01facfc90ad56f9c7d0a63025c980297b5d352dd
# Push it to GitHub
git push --set-upstream origin backport/backport-737-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-737-to-2.x.