From bdd3f002bbef3a8cabf18e7e26aad68adee9ed4b Mon Sep 17 00:00:00 2001
From: Riya Saxena
Date: Mon, 16 Dec 2024 22:07:00 -0800
Subject: [PATCH] De-dupe Alerts generated by Aggregation Sigma Rules fix
Signed-off-by: Riya Saxena
---
 .../monitor/TransportIndexThreatIntelMonitorAction.java | 3 ++-
 .../transport/TransportIndexDetectorAction.java | 8 +++++---
 .../securityanalytics/alerts/AlertingServiceTests.java | 6 ++++--
 .../threatIntel/model/monitor/ThreatIntelInputTests.java | 3 ++-
 4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
index 4316e4711..bc0875a13 100644
--- a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
@@ -241,7 +241,8 @@ private Monitor buildThreatIntelMonitor(IndexThreatIntelMonitorRequest request)
 new DataSources(),
 false,
 null,
- PLUGIN_OWNER_FIELD
+ PLUGIN_OWNER_FIELD,
+ true
 );
 } catch (Exception e) {
 String error = "Error occurred while parsing monitor.";
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
index 8f4c4f1fd..7c7dcd8dc 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
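Review bot: The new trailing `true` handed to the Monitor constructor is an unexplained positional boolean; nothing at the call site says which Monitor field it sets or why a threat-intel monitor needs it, and the same bare literal recurs in TransportIndexDetectorAction (hunks at 797, 902 and 1078) and in the AlertingServiceTests and ThreatIntelInputTests hunks. The commit subject suggests it governs alert de-duplication for aggregation Sigma rules, but the parameter's name lives outside this diff, so that is inferred. Binding the value to a named local or constant at each site, e.g. `final boolean deduplicateAlerts = true;` (constructed name) passed as `deduplicateAlerts`, or at minimum a one-line comment naming the parameter, would make the intent reviewable and keep the three `true` sites and the single `false` site at 902 from diverging silently. The test hunks only append the argument so the fixtures compile; nothing exercises the de-duplication behaviour the subject names. buildThreatIntelMonitor starts outside the hunk.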
@@ -471,6 +471,8 @@ public void onResponse(Map> ruleFieldMappings) {
 @Override
 public void onResponse(Collection indexMonitorRequests) {
 if (detector.getRuleIdMonitorIdMap().containsKey(CHAINED_FINDINGS_MONITOR_STRING)) {
+ // set the toggle flag disable
+
 String cmfId = detector.getRuleIdMonitorIdMap().get(CHAINED_FINDINGS_MONITOR_STRING);
 if (shouldAddChainedFindingDocMonitor(indexMonitorRequests.isEmpty(), rulesById)) {
 monitorsToBeUpdated.add(createDocLevelMonitorMatchAllRequest(detector, RefreshPolicy.IMMEDIATE, cmfId, Method.PUT, rulesById));
@@ -797,7 +799,7 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List
 detector.getAlertsHistoryIndex(),
 detector.getAlertsHistoryIndexPattern(),
 DetectorMonitorConfig.getRuleIndexMappingsByType(),
- true), enableDetectorWithDedicatedQueryIndices, null, PLUGIN_OWNER_FIELD);
+ true), enableDetectorWithDedicatedQueryIndices, null, PLUGIN_OWNER_FIELD, true);
 return new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null);
 }
@@ -902,7 +904,7 @@ private IndexMonitorRequest createDocLevelMonitorMatchAllRequest(
 detector.getAlertsHistoryIndex(),
 detector.getAlertsHistoryIndexPattern(),
 DetectorMonitorConfig.getRuleIndexMappingsByType(),
- true), enableDetectorWithDedicatedQueryIndices, true, PLUGIN_OWNER_FIELD);
+ true), enableDetectorWithDedicatedQueryIndices, true, PLUGIN_OWNER_FIELD, false);
 return new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null);
 }
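Review bot: The added `// set the toggle flag disable` comment in the hunk at 471 is followed only by a blank line; no statement was added alongside it, so the comment describes nothing in the code and reads as a leftover from a draft. If the intent is that the chained-findings monitor built below through createDocLevelMonitorMatchAllRequest deliberately keeps the new flag off (the hunk at 902 passes `false` there while the other constructor sites pass `true`), that belongs where it happens, e.g. `// chained-findings monitor: new Monitor flag intentionally off` on the `false` argument, with this comment and the blank line dropped. The enclosing onResponse continues outside the hunk.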
@@ -1078,7 +1080,7 @@ public void onResponse(GetIndexMappingsResponse getIndexMappingsResponse) {
 detector.getAlertsHistoryIndex(),
 detector.getAlertsHistoryIndexPattern(),
 DetectorMonitorConfig.getRuleIndexMappingsByType(),
- true), false, null, PLUGIN_OWNER_FIELD);
+ true), false, null, PLUGIN_OWNER_FIELD, true);
 listener.onResponse(new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null));
 }
diff --git a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java
index 82d6ecc5c..84f70830c 100644
--- a/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/alerts/AlertingServiceTests.java
@@ -97,7 +97,8 @@ public void testGetAlerts_success() {
 new DataSources(),
 true,
 null,
- TransportIndexDetectorAction.PLUGIN_OWNER_FIELD
+ TransportIndexDetectorAction.PLUGIN_OWNER_FIELD,
+ true
 ),
 new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")),
 List.of("finding_id_1"),
@@ -133,7 +134,8 @@ public void testGetAlerts_success() {
 new DataSources(),
 true,
 null,
- TransportIndexDetectorAction.PLUGIN_OWNER_FIELD
+ TransportIndexDetectorAction.PLUGIN_OWNER_FIELD,
+ true
 ),
 new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")),
 List.of("finding_id_1"),
diff --git a/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java b/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java
index 462873959..3135a2524 100644
--- a/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java
@@ -59,7 +59,8 @@ public void testThreatInputSerde() throws IOException {
 new DataSources(),
 false,
 null,
- "security_analytics"
+ "security_analytics",
+ true
 );
 BytesStreamOutput monitorOut = new BytesStreamOutput();
 monitor.writeTo(monitorOut);