separate doc-level monitor query indices created by detectors #1324
Conversation
Signed-off-by: Subhobrata Dey <[email protected]>
sbcd90
requested review from
amsiglan,
AWSHurneyt,
getsaurabh02,
lezzago,
praveensameneni,
eirsep,
jowg-amazon,
engechas,
goyamegh and
riysaxen-amzn
as code owners
| @@ -887,7 +887,7 @@ private IndexMonitorRequest createDocLevelMonitorMatchAllRequest( | |||
|
|
|||
| Monitor monitor = new Monitor(monitorId, Monitor.NO_VERSION, monitorName, false, detector.getSchedule(), detector.getLastUpdateTime(), null, | |||
| Monitor.MonitorType.DOC_LEVEL_MONITOR.getValue(), detector.getUser(), 1, docLevelMonitorInputs, triggers, Map.of(), | |||
| new DataSources(detector.getRuleIndex(), | |||
| new DataSources(detector.getRuleIndex() + "_chained_findings", | |||
There was a problem hiding this comment.
each doc-level monitor has its own query index now. So the chained findings doc-level monitor also has its own index. The Sigma Rules doc-level monitor & the bucket-level monitor's chained monitor run asynchronously & thus cannot share the same query index as it is created & deleted in every run.
| } | ||
|
|
||
| public static String getRuleIndexOptimized(String logType) { | ||
| return String.format(Locale.getDefault(), ".opensearch-sap-%s-detectors-queries-optimized-%s", logType, UUID.randomUUID()); |
There was a problem hiding this comment.
we are moving from index patttern to index?
There was a problem hiding this comment.
no. this method is utilized by few integ tests & hence the change.
| @@ -1369,7 +1369,11 @@ void onGetResponse(Detector currentDetector, User user) { | |||
| request.getDetector().setAlertsHistoryIndexPattern(DetectorMonitorConfig.getAlertsHistoryIndexPattern(ruleTopic)); | |||
| request.getDetector().setFindingsIndex(DetectorMonitorConfig.getFindingsIndex(ruleTopic)); | |||
| request.getDetector().setFindingsIndexPattern(DetectorMonitorConfig.getFindingsIndexPattern(ruleTopic)); | |||
| request.getDetector().setRuleIndex(DetectorMonitorConfig.getRuleIndex(ruleTopic)); | |||
| if (currentDetector.getRuleIndex().contains("optimized")) { | |||
There was a problem hiding this comment.
if name contains optimized shouldn't we set rule index name as getRuleIndexOptimized value?
is this if else condition flipped?
There was a problem hiding this comment.
the if-else condition checks if the detector is already using a dedicated query index, then keep on using it. else, switch from shared query index to new dedicated query index as the detector is updated.
| " }\n" + | ||
| " }\n" + | ||
| "}"; | ||
| SearchResponse response = executeSearchAndGetResponse(DetectorMonitorConfig.getRuleIndex(randomDetectorType()), request, true); |
There was a problem hiding this comment.
why has this been removed ?
Plz dont reduce test coverage..
fix test as necessary
There was a problem hiding this comment.
query indices are created & deleted now. So, it is difficult to assert number of queries in query index now.
| @@ -825,21 +825,10 @@ public void testMultipleAggregationAndDocRules_alertSuccess() throws IOException | |||
|
|
|||
| Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); | |||
|
|
|||
|
|
|||
| String request = "{\n" + | |||
There was a problem hiding this comment.
plz revert and fix test as necessary
There was a problem hiding this comment.
query indices are created & deleted now. So, it is difficult to assert number of queries in query index now.
| @@ -1209,21 +1209,11 @@ public void testCreateDetectorWithNotCondition_verifyFindingsAndNoFindings_succe | |||
|
|
|||
| Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); | |||
|
|
|||
| String request = "{\n" + | |||
There was a problem hiding this comment.
query indices are created & deleted now. So, it is difficult to assert number of queries in query index now.
Signed-off-by: Subhobrata Dey <[email protected]>
The detector is updated to use exclusive query index. |
Signed-off-by: Subhobrata Dey <[email protected]>
|
security tests fail as docker image not updated. |
|
looks like we create aliases not indices from 'queryIndex` field in monitor datasources |
|
can we add tests for scenarios setting is off. create 2 detectors. verify query index name. turn on setting. update 1 detector, verify query index name. |
| request.getDetector().setRuleIndex(DetectorMonitorConfig.getRuleIndexOptimized(ruleTopic)); | ||
| } else { | ||
| String ruleTopicIndex = DetectorMonitorConfig.getRuleIndex(ruleTopic); | ||
| request.getDetector().setRuleIndex(ruleTopicIndex.substring(0, ruleTopicIndex.length()-1)); |
There was a problem hiding this comment.
why did we change the existing code from
request.getDetector().setRuleIndex(DetectorMonitorConfig.getRuleIndex(ruleTopic));
There was a problem hiding this comment.
ruleIndex is changing to dedicated ruleIndexOptimzied now. Thats why if-else condition.
| @@ -22,7 +24,11 @@ public class DetectorMonitorConfig { | |||
| public static final String OPENSEARCH_SAP_RULE_INDEX_TEMPLATE = ".opensearch-sap-detectors-queries-index-template"; | |||
|
|
|||
| public static String getRuleIndex(String logType) { | |||
| return String.format(Locale.getDefault(), ".opensearch-sap-%s-detectors-queries", logType); | |||
| return String.format(Locale.getDefault(), ".opensearch-sap-%s-detectors-queries*", logType); | |||
| @@ -1369,7 +1379,16 @@ void onGetResponse(Detector currentDetector, User user) { | |||
| request.getDetector().setAlertsHistoryIndexPattern(DetectorMonitorConfig.getAlertsHistoryIndexPattern(ruleTopic)); | |||
| request.getDetector().setFindingsIndex(DetectorMonitorConfig.getFindingsIndex(ruleTopic)); | |||
| request.getDetector().setFindingsIndexPattern(DetectorMonitorConfig.getFindingsIndexPattern(ruleTopic)); | |||
| request.getDetector().setRuleIndex(DetectorMonitorConfig.getRuleIndex(ruleTopic)); | |||
| if (currentDetector.getRuleIndex().contains("optimized")) { | |||
| request.getDetector().setRuleIndex(currentDetector.getRuleIndex()); | |||
There was a problem hiding this comment.
plz add comment that if we turn OFF setting after turning on, updating detector will not change from optimized to normal and we need to re-create detector
There was a problem hiding this comment.
added a comment. added a test too.
| request.getDetector().setRuleIndex(DetectorMonitorConfig.getRuleIndexOptimized(ruleTopic)); | ||
| } else { | ||
| String ruleTopicIndex = DetectorMonitorConfig.getRuleIndex(ruleTopic); | ||
| request.getDetector().setRuleIndex(ruleTopicIndex.substring(0, ruleTopicIndex.length() - 1)); |
| @@ -266,6 +266,7 @@ void setDebugLogLevel() throws IOException, InterruptedException { | |||
|
|
|||
|
|
|||
| makeRequest(client(), "PUT", "_cluster/settings", Collections.emptyMap(), se, new BasicHeader("Content-Type", "application/json")); | |||
| updateClusterSetting("plugins.security_analytics.enable_detectors_with_dedicated_query_indices", "true"); | |||
There was a problem hiding this comment.
are there tests with setting turned off
There was a problem hiding this comment.
added a test for setting turned off.
| @@ -1722,12 +1725,16 @@ public void testAzureMappings() throws IOException { | |||
| DetectorInput input = new DetectorInput("windows detector for security analytics", List.of(indexName), List.of(), | |||
| getPrePackagedRules("azure").stream().map(DetectorRule::new).collect(Collectors.toList())); | |||
| Detector detector = randomDetectorWithInputs(List.of(input), "azure"); | |||
| createDetector(detector); | |||
|
|
|||
| List<SearchHit> hits = executeSearch(".opensearch-sap-azure-detectors-queries-000001", matchAllSearchBody); | |||
There was a problem hiding this comment.
can you retain this test and add a new one - basically test for both setting turned. on and turned off
There was a problem hiding this comment.
added scenario for flag turned off in test cases. updated this test case to fetch queries from index pattern. https://github.com/sbcd90/security-analytics/blob/query_idx/src/test/java/org/opensearch/securityanalytics/mapper/MapperRestApiIT.java#L1727
| @@ -1104,21 +1094,11 @@ public void testCreateDetector_verifyWorkflowCreation_success_WithGroupByRulesIn | |||
|
|
|||
| Response createResponse = makeRequest(client(), "POST", SecurityAnalyticsPlugin.DETECTOR_BASE_URI, Collections.emptyMap(), toHttpEntity(detector)); | |||
|
|
|||
| String request = "{\n" + | |||
There was a problem hiding this comment.
we should not remove this code. we lose code coverage of tests. that's an anti-pattern. let's fix these tests
Signed-off-by: Subhobrata Dey <[email protected]>
added both test cases. 1st scenario: https://github.com/sbcd90/security-analytics/blob/c514a780d4b3f65ac828e3ff868c56f46f2a82b7/src/test/java/org/opensearch/securityanalytics/resthandler/DetectorRestApiIT.java#L1729 |
| @@ -83,7 +83,8 @@ private void getAllRuleIndices(ActionListener<List<String>> listener) { | |||
| listener.onResponse( | |||
| logTypes | |||
| .stream() | |||
| .map(logType -> DetectorMonitorConfig.getRuleIndex(logType)) | |||
| // use index pattern here to define rule topic index template for all query indices which match the pattern | |||
| .map(logType -> DetectorMonitorConfig.getRuleIndex(logType) + "*") | |||
There was a problem hiding this comment.
shouldn't this be detector specific?
why do we have this method? getAllRuleIndices
There was a problem hiding this comment.
a single index template containing specific settings for sigma rule executions are applied to all rule indices.
|
CI is failing |
ci passed now. |
|
Security tests failed |
Signed-off-by: Subhobrata Dey <[email protected]> (cherry picked from commit 1ca4090) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security-analytics/backport-2.15 2.15
# Navigate to the new working tree
pushd ../.worktrees/security-analytics/backport-2.15
# Create a new branch
git switch --create backport-1324-to-2.15
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 1ca40908ac7b050cc7eb90df3108ab8a21a1f6d1
# Push it to GitHub
git push --set-upstream origin backport-1324-to-2.15
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security-analytics/backport-2.15Then, create a pull request where the |
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security-analytics/backport-2.16 2.16
# Navigate to the new working tree
pushd ../.worktrees/security-analytics/backport-2.16
# Create a new branch
git switch --create backport-1324-to-2.16
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 1ca40908ac7b050cc7eb90df3108ab8a21a1f6d1
# Push it to GitHub
git push --set-upstream origin backport-1324-to-2.16
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security-analytics/backport-2.16Then, create a pull request where the |
…arch-project#1324) Signed-off-by: Subhobrata Dey <[email protected]>
…#1330) Signed-off-by: Subhobrata Dey <[email protected]>
…#1330) Signed-off-by: Subhobrata Dey <[email protected]> (cherry picked from commit 038d60a)
…arch-project#1324) Signed-off-by: Subhobrata Dey <[email protected]>
…#1344) Signed-off-by: Subhobrata Dey <[email protected]>
…#1330) (#1343) Signed-off-by: Subhobrata Dey <[email protected]> (cherry picked from commit 038d60a) Co-authored-by: opensearch-trigger-bot[bot] <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Description
separate doc-level monitor query indices created by detectors
Related Issues
Resolves #[Issue number to be closed when this PR is merged]
Check List
--signoff.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.