Alerts in correlations [Experminental] #1040
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Riya <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
riysaxen-amzn
requested review from
amsiglan,
AWSHurneyt,
getsaurabh02,
lezzago,
praveensameneni,
sbcd90,
eirsep,
jowg-amazon,
engechas and
goyamegh
as code owners
riysaxen-amzn
changed the title
Signed-off-by: Riya Saxena <[email protected]>
|
what is the intent of adding |
eirsep
reviewed
Jun 3, 2024
| /** | ||
| * Extension function for publishing a notification to a channel in the Notification plugin. | ||
| */ | ||
| public void sendNotification(String configId, String severity, String subject, String notificationMessageText) throws IOException { |
There was a problem hiding this comment.
configId is the id of Notification configuration, same as destinationId
eirsep
reviewed
Jun 3, 2024
| } | ||
| @Override | ||
| public void onFailure(Exception e) { | ||
| logger.error("Failed while sending a notification: " + e.toString()); |
There was a problem hiding this comment.
can we log information about detector id or config id or whatever is required to do an RCA on why notification failed by just looking at this log
Signed-off-by: Riya Saxena <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
this is an experimental feature, thought to add this |
eirsep
reviewed
Jun 6, 2024
| public JoinEngine(Client client, PublishFindingsRequest request, NamedXContentRegistry xContentRegistry, | ||
| long corrTimeWindow, TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction, | ||
| LogTypeService logTypeService, boolean enableAutoCorrelations) { | ||
| long corrTimeWindow, TimeValue indexTimeout, TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction, |
There was a problem hiding this comment.
where is index timeout being set?
There was a problem hiding this comment.
In JoinEngine
this.clusterService.getClusterSettings().addSettingsUpdateConsumer(SecurityAnalyticsSettings.INDEX_TIMEOUT, it -> indexTimeout = it);
sbcd90
reviewed
Jun 6, 2024
| @@ -53,6 +54,8 @@ | |||
| import org.opensearch.script.ScriptService; | |||
| import org.opensearch.securityanalytics.action.*; | |||
sbcd90
reviewed
Jun 6, 2024
| executorService.shutdown(); | ||
| } | ||
|
|
||
| private void scheduleRule(CorrelationRule correlationRule, List<String> findingIds, TimeValue indexTimeout, String sourceFindingId, User user) { |
There was a problem hiding this comment.
instead of using java's executorservice can we use job-scheduler plugin?
also, i see for each rule we create a runnable.
Can we instead use an index to create a monitor like object which can be monitored by running a single job?
Signed-off-by: Riya Saxena <[email protected]>
Signed-off-by: Riya Saxena <[email protected]>
jowg-amazon
reviewed
Jun 11, 2024
| // Convert CorrelationAlert to a map | ||
| try { | ||
| XContentBuilder builder = XContentFactory.jsonBuilder().startObject(); | ||
| builder.field("correlated_finding_ids", correlationAlert.getCorrelatedFindingIds()); |
There was a problem hiding this comment.
Should use the final variables declared above
| } | ||
|
|
||
| // logic will be moved to common-utils, once the parsing logic in common-utils is fixed | ||
| public static CorrelationAlert parse(XContentParser xcp, String id, long version) throws IOException { |
There was a problem hiding this comment.
Does this still need to be moved to common-utils?
There was a problem hiding this comment.
yes, I can move this common-utils at a later point
| } | ||
|
|
||
| public List<Action> getActions() { | ||
| // List<Action> transformedActions = new ArrayList<>(); |
There was a problem hiding this comment.
Is this not needed anymore?
There was a problem hiding this comment.
yes, right now, no use but we can have something in future
| private final NamedXContentRegistry xContentRegistry; | ||
| private final Client client; | ||
|
|
||
| protected static final String CORRELATED_FINDING_IDS = "correlated_finding_ids"; |
There was a problem hiding this comment.
Is there a reason we're not specifying these in the correlation alert model in common-utils?
There was a problem hiding this comment.
the parsing logic in common-utils is nt working as expected therefore for timebeing this is moved here
Signed-off-by: Riya Saxena <[email protected]>
|
CI is passing locally after the latest changes in common-utils built in: |
sbcd90
approved these changes
Jun 11, 2024
|
Non blocking but can we add TODO tasks for all the parts that need to be refactored/changed after this PR? |
yes, there'll be another PR after this for the APIs will update there |
jowg-amazon
approved these changes
Jun 11, 2024
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Jun 11, 2024
* notification for alerting in correlation * correlation alerts mapping change * working code Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alerts in correlations notification service added Signed-off-by: Riya Saxena <[email protected]> * addressing the comments Signed-off-by: Riya Saxena <[email protected]> * addressing the comments Signed-off-by: Riya Saxena <[email protected]> * address the design changes discussed Signed-off-by: Riya Saxena <[email protected]> * address the design changes discussed Signed-off-by: Riya Saxena <[email protected]> * fixed tests Signed-off-by: Riya Saxena <[email protected]> --------- Signed-off-by: Riya <[email protected]> Signed-off-by: Riya Saxena <[email protected]> (cherry picked from commit 62e4453) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security-analytics/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security-analytics/backport-2.x
# Create a new branch
git switch --create backport-1040-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 62e4453dde8977a43c16c7d7b27ffc4413ec00df
# Push it to GitHub
git push --set-upstream origin backport-1040-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security-analytics/backport-2.xThen, create a pull request where the |
riysaxen-amzn
added a commit
to riysaxen-amzn/security-analytics
that referenced
this pull request
Jun 12, 2024
* notification for alerting in correlation * correlation alerts mapping change * working code Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alerts in correlations notification service added Signed-off-by: Riya Saxena <[email protected]> * addressing the comments Signed-off-by: Riya Saxena <[email protected]> * addressing the comments Signed-off-by: Riya Saxena <[email protected]> * address the design changes discussed Signed-off-by: Riya Saxena <[email protected]> * address the design changes discussed Signed-off-by: Riya Saxena <[email protected]> * fixed tests Signed-off-by: Riya Saxena <[email protected]> --------- Signed-off-by: Riya <[email protected]> Signed-off-by: Riya Saxena <[email protected]> (cherry picked from commit 62e4453)
riysaxen-amzn
added a commit
that referenced
this pull request
Jun 12, 2024
* notification for alerting in correlation * correlation alerts mapping change * working code Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alerts in correlations notification service added Signed-off-by: Riya Saxena <[email protected]> * addressing the comments Signed-off-by: Riya Saxena <[email protected]> * addressing the comments Signed-off-by: Riya Saxena <[email protected]> * address the design changes discussed Signed-off-by: Riya Saxena <[email protected]> * address the design changes discussed Signed-off-by: Riya Saxena <[email protected]> * fixed tests Signed-off-by: Riya Saxena <[email protected]> --------- Signed-off-by: Riya <[email protected]> Signed-off-by: Riya Saxena <[email protected]> (cherry picked from commit 62e4453)
eirsep
reviewed
Jun 25, 2024
| /** | ||
| * Extension function for publishing a notification to a channel in the Notification plugin. | ||
| */ | ||
| public void sendNotification(String configId, String severity, String subject, String notificationMessageText) throws IOException { |
There was a problem hiding this comment.
this call should be event driven. write now we made it async.. cant handle failure
jowg-amazon
pushed a commit
to jowg-amazon/security-analytics
that referenced
this pull request
Jul 2, 2024
* notification for alerting in correlation * correlation alerts mapping change * working code Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alertsInCorrelation without notifciations Signed-off-by: Riya Saxena <[email protected]> * alerts in correlations notification service added Signed-off-by: Riya Saxena <[email protected]> * addressing the comments Signed-off-by: Riya Saxena <[email protected]> * addressing the comments Signed-off-by: Riya Saxena <[email protected]> * address the design changes discussed Signed-off-by: Riya Saxena <[email protected]> * address the design changes discussed Signed-off-by: Riya Saxena <[email protected]> * fixed tests Signed-off-by: Riya Saxena <[email protected]> --------- Signed-off-by: Riya <[email protected]> Signed-off-by: Riya Saxena <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Issues Resolved
Issue
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.