[Backport 2.x] #737 add field based rules support in correlation engine #812

Merged: 2 commits, Feb 6, 2024
Expand Up @@ -295,6 +295,7 @@ public List<Setting<?>> getSettings() {
SecurityAnalyticsSettings.CORRELATION_HISTORY_RETENTION_PERIOD,
SecurityAnalyticsSettings.IS_CORRELATION_INDEX_SETTING,
SecurityAnalyticsSettings.CORRELATION_TIME_WINDOW,
SecurityAnalyticsSettings.ENABLE_AUTO_CORRELATIONS,
SecurityAnalyticsSettings.DEFAULT_MAPPING_SCHEMA,
SecurityAnalyticsSettings.ENABLE_WORKFLOW_USAGE,
SecurityAnalyticsSettings.TIF_UPDATE_INTERVAL,

Large diffs are not rendered by default.

src/main/java/org/opensearch/securityanalytics/model/CorrelationQuery.java
Expand Up @@ -22,40 +22,53 @@
private static final String QUERY = "query";
private static final String CATEGORY = "category";

private static final String FIELD = "field";

private String index;

private String query;

private String category;

public CorrelationQuery(String index, String query, String category) {
private String field;

public CorrelationQuery(String index, String query, String category, String field) {

this.index = index;
this.query = query;
this.category = category;
this.field = field;

}

public CorrelationQuery(StreamInput sin) throws IOException {
this(sin.readString(), sin.readString(), sin.readString());
this(sin.readString(), sin.readOptionalString(), sin.readString(), sin.readOptionalString());

}

@Override
public void writeTo(StreamOutput out) throws IOException {
out.writeString(index);
out.writeString(query);
out.writeOptionalString(query);

out.writeString(category);
out.writeOptionalString(field);

}

@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
builder.startObject();
builder.field(INDEX, index).field(QUERY, query).field(CATEGORY, category);
builder.field(INDEX, index).field(CATEGORY, category);

if (query != null) {
builder.field(QUERY, query);

}
if (field != null) {
builder.field(FIELD, field);

}
return builder.endObject();
}

public static CorrelationQuery parse(XContentParser xcp) throws IOException {
String index = null;
String query = null;
String category = null;
String field = null;


XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_OBJECT, xcp.currentToken(), xcp);
while (xcp.nextToken() != XContentParser.Token.END_OBJECT) {
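Review bot: the new four-argument constructor accepts null for both `query` and `field` (the `writeOptionalString` / `readOptionalString` pair confirms both are optional on the wire), but nothing rejects a CorrelationQuery with neither one set. Add a guard in the constructor, e.g. `if (query == null && field == null) throw new IllegalArgumentException("either query or field must be set");`, so a malformed rule clause is refused when it is parsed rather than surfacing later in the engine. Separately, replacing `out.writeString(query)` with `out.writeOptionalString(query)` changes the existing wire encoding of `query`; if a node on an earlier 2.x release can exchange this object with a node running this code during a rolling upgrade, guard the new encoding with an `out.getVersion()` check and mirror it in the `StreamInput` constructor.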
Expand All @@ -72,11 +85,14 @@
case CATEGORY:
category = xcp.text();
break;
case FIELD:
field = xcp.text();
break;

default:
xcp.skipChildren();
}
}
return new CorrelationQuery(index, query, category);
return new CorrelationQuery(index, query, category, field);

}

public static CorrelationQuery readFrom(StreamInput sin) throws IOException {
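Review bot: `field = xcp.text()` in the new FIELD case throws if a request carries `"field": null`, because `text()` rejects a VALUE_NULL token; use `xcp.textOrNull()` here, which matches the nullable field and the `if (field != null)` check in `toXContent`.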
Expand All @@ -94,4 +110,8 @@
public String getCategory() {
return category;
}

public String getField() {
return field;

}
}
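Review bot: `getField()` returns null for a query that is expressed as a `query` string rather than a field name; a one-line Javadoc saying so keeps callers from dereferencing the result blindly.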
src/main/java/org/opensearch/securityanalytics/model/CorrelationRule.java
Expand Up @@ -28,6 +28,7 @@
public static final String NO_ID = "";
public static final Long NO_VERSION = 1L;
private static final String CORRELATION_QUERIES = "correlate";
private static final String CORRELATION_TIME_WINDOW = "time_window";

private String id;

Expand All @@ -37,15 +38,18 @@

private List<CorrelationQuery> correlationQueries;

public CorrelationRule(String id, Long version, String name, List<CorrelationQuery> correlationQueries) {
private Long corrTimeWindow;

public CorrelationRule(String id, Long version, String name, List<CorrelationQuery> correlationQueries, Long corrTimeWindow) {

this.id = id != null ? id : NO_ID;
this.version = version != null ? version : NO_VERSION;
this.name = name;
this.correlationQueries = correlationQueries;
this.corrTimeWindow = corrTimeWindow != null? corrTimeWindow: 300000L;
}

public CorrelationRule(StreamInput sin) throws IOException {
this(sin.readString(), sin.readLong(), sin.readString(), sin.readList(CorrelationQuery::readFrom));
this(sin.readString(), sin.readLong(), sin.readString(), sin.readList(CorrelationQuery::readFrom), sin.readLong());

}

@Override
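Review bot: `300000L` in the constructor is a magic number with no unit; name it (e.g. `private static final long DEFAULT_CORR_TIME_WINDOW_MS = 300000L;`) and state in the field or constructor Javadoc that `corrTimeWindow` is in milliseconds, since neither the JSON key `time_window` nor the getter tells callers the unit. Also tidy the spacing to `corrTimeWindow != null ? corrTimeWindow : DEFAULT_CORR_TIME_WINDOW_MS`.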
Expand All @@ -57,6 +61,7 @@
CorrelationQuery[] correlationQueries = new CorrelationQuery[] {};
correlationQueries = this.correlationQueries.toArray(correlationQueries);
builder.field(CORRELATION_QUERIES, correlationQueries);
builder.field(CORRELATION_TIME_WINDOW, corrTimeWindow);

return builder.endObject();
}

Expand All @@ -69,6 +74,7 @@
for (CorrelationQuery query : correlationQueries) {
query.writeTo(out);
}
out.writeLong(corrTimeWindow);

}

public static CorrelationRule parse(XContentParser xcp, String id, Long version) throws IOException {
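Review bot: `out.writeLong(corrTimeWindow)` unconditionally appends a new field to the serialized form of CorrelationRule, and the matching `sin.readLong()` in the `StreamInput` constructor reads it unconditionally. If a node on the previous 2.x release can send or receive this object during a rolling upgrade, guard both sides with a version check on `out.getVersion()` / `sin.getVersion()`, falling back to the default window when the peer is older.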
Expand All @@ -81,6 +87,7 @@

String name = null;
List<CorrelationQuery> correlationQueries = new ArrayList<>();
Long corrTimeWindow = null;


XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_OBJECT, xcp.nextToken(), xcp);
while (xcp.nextToken() != XContentParser.Token.END_OBJECT) {
Expand All @@ -98,11 +105,14 @@
correlationQueries.add(query);
}
break;
case CORRELATION_TIME_WINDOW:
corrTimeWindow = xcp.longValue();
break;

default:
xcp.skipChildren();
}
}
return new CorrelationRule(id, version, name, correlationQueries);
return new CorrelationRule(id, version, name, correlationQueries, corrTimeWindow);

}

public static CorrelationRule readFrom(StreamInput sin) throws IOException {
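Review bot: `corrTimeWindow = xcp.longValue()` accepts zero and negative values, and `"time_window": null` fails with a low-level parser exception rather than a clear message. Validate here, e.g. `if (corrTimeWindow != null && corrTimeWindow <= 0) throw new IllegalArgumentException("time_window must be a positive number of milliseconds");`, so a bad rule is rejected at the REST layer with an actionable error instead of being persisted.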
Expand Down Expand Up @@ -137,6 +147,10 @@
return correlationQueries;
}

public Long getCorrTimeWindow() {
return corrTimeWindow;

}

@Override
public boolean equals(Object o) {
if (this == o) return true;
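Review bot: the hunk ends at the head of `equals()` without touching it; if `equals()` and `hashCode()` compare `correlationQueries` they should also compare `corrTimeWindow`, otherwise two rules that differ only in their window compare equal and a window-only update can be missed by equality-based change detection.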
Expand Up @@ -138,6 +138,15 @@ public class SecurityAnalyticsSettings {
Setting.Property.NodeScope, Setting.Property.Dynamic
);

/**
* Setting which enables auto correlations
*/
public static final Setting<Boolean> ENABLE_AUTO_CORRELATIONS = Setting.boolSetting(
"plugins.security_analytics.auto_correlations_enabled",
false,
Setting.Property.NodeScope, Setting.Property.Dynamic
);

public static final Setting<String> DEFAULT_MAPPING_SCHEMA = Setting.simpleString(
"plugins.security_analytics.mappings.default_schema",
"ecs",
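Review bot: the Javadoc on `ENABLE_AUTO_CORRELATIONS` only restates its name. Since the setting is dynamic and defaults to `false`, document what changes when it is switched on and that the default keeps the existing behaviour, so operators know the flag is opt-in and takes effect without a restart.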
src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java
Expand Up @@ -96,6 +96,8 @@

private volatile long setupTimestamp;

private volatile boolean enableAutoCorrelation;

@Inject
public TransportCorrelateFindingAction(TransportService transportService,
Client client,
Expand All @@ -118,8 +120,10 @@

this.indexTimeout = SecurityAnalyticsSettings.INDEX_TIMEOUT.get(this.settings);
this.corrTimeWindow = SecurityAnalyticsSettings.CORRELATION_TIME_WINDOW.get(this.settings).getMillis();
this.enableAutoCorrelation = SecurityAnalyticsSettings.ENABLE_AUTO_CORRELATIONS.get(this.settings);

this.clusterService.getClusterSettings().addSettingsUpdateConsumer(SecurityAnalyticsSettings.INDEX_TIMEOUT, it -> indexTimeout = it);
this.clusterService.getClusterSettings().addSettingsUpdateConsumer(SecurityAnalyticsSettings.CORRELATION_TIME_WINDOW, it -> corrTimeWindow = it.getMillis());
this.clusterService.getClusterSettings().addSettingsUpdateConsumer(SecurityAnalyticsSettings.ENABLE_AUTO_CORRELATIONS, it -> enableAutoCorrelation = it);

this.setupTimestamp = System.currentTimeMillis();
}

Expand Down Expand Up @@ -220,7 +224,7 @@

this.response =new AtomicReference<>();

this.joinEngine = new JoinEngine(client, request, xContentRegistry, corrTimeWindow, this, logTypeService);
this.joinEngine = new JoinEngine(client, request, xContentRegistry, corrTimeWindow, this, logTypeService, enableAutoCorrelation);

this.vectorEmbeddingsEngine = new VectorEmbeddingsEngine(client, indexTimeout, corrTimeWindow, this);
}
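Review bot: `enableAutoCorrelation` is handed to `JoinEngine` by value, so a dynamic update of `plugins.security_analytics.auto_correlations_enabled` only reaches JoinEngine instances constructed after the update; if the engine is built per request that is fine, but a comment saying so, or passing a `Supplier<Boolean>` that reads the volatile field, would make the intent explicit. Seven positional parameters with a trailing boolean also invite misordering at call sites; a small parameter object or builder would help.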

5 changes: 4 additions & 1 deletion src/main/resources/mappings/finding_mapping.json
@@ -1,7 +1,7 @@
{
"dynamic": "strict",
"_meta" : {
"schema_version": 3
"schema_version": 4
},
"properties": {
"schema_version": {
Expand Down Expand Up @@ -46,6 +46,9 @@
"type" : "keyword"
}
}
},
"fields": {
"type": "text"
}
}
},
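Review bot: `"fields": { "type": "text" }` stores the value as analyzed text; if this property is used to look up findings by exact field value for field-based correlation, a `keyword` type (or a `keyword` sub-field) is needed, since `text` is tokenized and lowercased by the standard analyzer. Also, because the mapping is `"dynamic": "strict"`, findings that carry `fields` will be rejected on any existing finding index until the `schema_version` bump in the hunk above actually triggers a mapping update there; confirm that the update path runs on existing indices, not only on newly created ones.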