adds support for alerts and triggers on group by based sigma rules #545
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
eirsep
requested review from
amsiglan,
AWSHurneyt,
getsaurabh02,
lezzago,
praveensameneni and
sbcd90
as code owners
Codecov Report
@@ Coverage Diff @@
## main #545 +/- ##
============================================
- Coverage 25.12% 24.99% -0.13%
- Complexity 942 943 +1
============================================
Files 255 255
Lines 11064 11125 +61
Branches 1231 1242 +11
============================================
+ Hits 2780 2781 +1
- Misses 8032 8093 +61
+ Partials 252 251 -1
|
sbcd90
reviewed
Sep 7, 2023
| @@ -940,7 +941,7 @@ else if (ruleId == minRuleId) { | |||
| // Assert findings | |||
| assertNotNull(getFindingsBody); | |||
| // 8 findings from doc level rules, and 3 findings for aggregation (sum, max and min) | |||
| assertEquals(11, getFindingsBody.get("total_findings")); | |||
| assertEquals(19, getFindingsBody.get("total_findings")); | |||
There was a problem hiding this comment.
should we hide the findings generated by match of _id: * queries?
There was a problem hiding this comment.
been thinking about this
Need to add logic to avoid fetching findings from bucket level monitors which are feeding findings to chained findings doc monitor.
let's go with this for now
will do de-dupe in a quick follow up.
sbcd90
reviewed
Sep 7, 2023
| @@ -1409,7 +1410,7 @@ public void testCreateDetector_verifyWorkflowExecutionBucketLevelDocLevelMonitor | |||
| Map<String, Object> getFindingsBody = entityAsMap(getFindingsResponse); | |||
|
|
|||
| assertNotNull(getFindingsBody); | |||
| assertEquals(6, getFindingsBody.get("total_findings")); | |||
| assertEquals(10, getFindingsBody.get("total_findings")); | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
let's go with this for now
will do de-dupe in a quick follow up.
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
…mentioned in detector triggers Signed-off-by: Surya Sashank Nistala <[email protected]>
sbcd90
reviewed
Sep 8, 2023
| @@ -785,7 +850,7 @@ private IndexMonitorRequest createBucketLevelMonitorRequest( | |||
| triggers.add(bucketLevelTrigger1); | |||
| } **/ | |||
|
|
|||
| Monitor monitor = new Monitor(monitorId, Monitor.NO_VERSION, detector.getName(), false, detector.getSchedule(), detector.getLastUpdateTime(), null, | |||
| Monitor monitor = new Monitor(monitorId, Monitor.NO_VERSION, detector.getName() + UUID.randomUUID(), false, detector.getSchedule(), detector.getLastUpdateTime(), null, | |||
There was a problem hiding this comment.
is this change needed? i reverted this & integ tests still work fine.
Signed-off-by: Surya Sashank Nistala <[email protected]>
sbcd90
approved these changes
Sep 8, 2023
getsaurabh02
approved these changes
Sep 8, 2023
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-545-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 f4be879cd1486329fac5f2df1e251d3b544cd48e
# Push it to GitHub
git push --set-upstream origin backport/backport-545-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.xThen, create a pull request where the |
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.10 2.10
# Navigate to the new working tree
cd .worktrees/backport-2.10
# Create a new branch
git switch --create backport/backport-545-to-2.10
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 f4be879cd1486329fac5f2df1e251d3b544cd48e
# Push it to GitHub
git push --set-upstream origin backport/backport-545-to-2.10
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.10Then, create a pull request where the |
eirsep
added a commit
to eirsep/security-analytics
that referenced
this pull request
Sep 8, 2023
…pensearch-project#545) * fix test Signed-off-by: Surya Sashank Nistala <[email protected]> * adds support for alerts and triggers on group by based rules Signed-off-by: Surya Sashank Nistala <[email protected]> * change setting workflow usage enabled to true by default Signed-off-by: Surya Sashank Nistala <[email protected]> * turn off workflow setting for test Signed-off-by: Surya Sashank Nistala <[email protected]> * revert new line Signed-off-by: Surya Sashank Nistala <[email protected]> * support feeding findings to chained finding monitors ONLY from rules mentioned in detector triggers Signed-off-by: Surya Sashank Nistala <[email protected]> * revert naming convention change for bucket level monitors Signed-off-by: Surya Sashank Nistala <[email protected]> --------- Signed-off-by: Surya Sashank Nistala <[email protected]>
eirsep
added a commit
that referenced
this pull request
Sep 9, 2023
…igma rules (#545) (#559) * adds support for alerts and triggers on group by based sigma rules (#545) * fix test Signed-off-by: Surya Sashank Nistala <[email protected]> * adds support for alerts and triggers on group by based rules Signed-off-by: Surya Sashank Nistala <[email protected]> * change setting workflow usage enabled to true by default Signed-off-by: Surya Sashank Nistala <[email protected]> * turn off workflow setting for test Signed-off-by: Surya Sashank Nistala <[email protected]> * revert new line Signed-off-by: Surya Sashank Nistala <[email protected]> * support feeding findings to chained finding monitors ONLY from rules mentioned in detector triggers Signed-off-by: Surya Sashank Nistala <[email protected]> * revert naming convention change for bucket level monitors Signed-off-by: Surya Sashank Nistala <[email protected]> --------- Signed-off-by: Surya Sashank Nistala <[email protected]> * fix compile issue from main and 2.x dependency divergence Signed-off-by: Surya Sashank Nistala <[email protected]> --------- Signed-off-by: Surya Sashank Nistala <[email protected]>
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Sep 9, 2023
…igma rules (#545) (#559) * adds support for alerts and triggers on group by based sigma rules (#545) * fix test Signed-off-by: Surya Sashank Nistala <[email protected]> * adds support for alerts and triggers on group by based rules Signed-off-by: Surya Sashank Nistala <[email protected]> * change setting workflow usage enabled to true by default Signed-off-by: Surya Sashank Nistala <[email protected]> * turn off workflow setting for test Signed-off-by: Surya Sashank Nistala <[email protected]> * revert new line Signed-off-by: Surya Sashank Nistala <[email protected]> * support feeding findings to chained finding monitors ONLY from rules mentioned in detector triggers Signed-off-by: Surya Sashank Nistala <[email protected]> * revert naming convention change for bucket level monitors Signed-off-by: Surya Sashank Nistala <[email protected]> --------- Signed-off-by: Surya Sashank Nistala <[email protected]> * fix compile issue from main and 2.x dependency divergence Signed-off-by: Surya Sashank Nistala <[email protected]> --------- Signed-off-by: Surya Sashank Nistala <[email protected]> (cherry picked from commit 24fe8d4)
sbcd90
pushed a commit
that referenced
this pull request
Sep 9, 2023
…sigma rules (#545) (#559) (#560) Signed-off-by: Surya Sashank Nistala <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Behaviour of non-group by rule matching is unaffected.