Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add mitre attack based auto-correlations support in correlation engine #532

Merged
merged 2 commits into from
Sep 6, 2023
Merged

add mitre attack based auto-correlations support in correlation engine #532

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f6753ca
add mitre attack based auto-correlations support in correlation engine
sbcd90 Sep 5, 2023
9cd032b
Merge branch 'main' into autocorr
sbcd90 Sep 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
192 changes: 178 additions & 14 deletions src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
import org.apache.lucene.search.join.ScoreMode;
import org.opensearch.OpenSearchStatusException;
import org.opensearch.cluster.routing.Preference;
import org.opensearch.commons.alerting.model.DocLevelQuery;
import org.opensearch.core.action.ActionListener;
import org.opensearch.action.search.MultiSearchRequest;
import org.opensearch.action.search.MultiSearchResponse;
Expand All @@ -23,26 +24,32 @@
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.core.xcontent.XContentParser;
import org.opensearch.index.query.BoolQueryBuilder;
import org.opensearch.index.query.MatchQueryBuilder;
import org.opensearch.index.query.NestedQueryBuilder;
import org.opensearch.index.query.QueryBuilders;
import org.opensearch.index.query.RangeQueryBuilder;
import org.opensearch.core.rest.RestStatus;
import org.opensearch.search.SearchHit;
import org.opensearch.search.builder.SearchSourceBuilder;
import org.opensearch.securityanalytics.config.monitors.DetectorMonitorConfig;
import org.opensearch.securityanalytics.logtype.LogTypeService;
import org.opensearch.securityanalytics.model.CorrelationQuery;
import org.opensearch.securityanalytics.model.CorrelationRule;
import org.opensearch.securityanalytics.model.Detector;
import org.opensearch.securityanalytics.transport.TransportCorrelateFindingAction;
import org.opensearch.securityanalytics.util.AutoCorrelationsRepo;

import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;


Expand All @@ -58,18 +65,147 @@

private final TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction;

private final LogTypeService logTypeService;

private static final Logger log = LogManager.getLogger(JoinEngine.class);

public JoinEngine(Client client, PublishFindingsRequest request, NamedXContentRegistry xContentRegistry,
long corrTimeWindow, TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction) {
long corrTimeWindow, TransportCorrelateFindingAction.AsyncCorrelateFindingAction correlateFindingAction,
LogTypeService logTypeService) {

Check warning on line 74 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L74 

Added line #L74 was not covered by tests
this.client = client;
this.request = request;
this.xContentRegistry = xContentRegistry;
this.corrTimeWindow = corrTimeWindow;
this.correlateFindingAction = correlateFindingAction;
this.logTypeService = logTypeService;

Check warning on line 80 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L80 

Added line #L80 was not covered by tests
}

public void onSearchDetectorResponse(Detector detector, Finding finding) {
try {
generateAutoCorrelations(detector, finding);
} catch (IOException ex) {
correlateFindingAction.onFailures(ex);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we log error message that auto correlation has failed

}
}

Check warning on line 89 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L85-L89 

Added lines #L85 - L89 were not covered by tests

@SuppressWarnings("unchecked")
private void generateAutoCorrelations(Detector detector, Finding finding) throws IOException {
Map<String, Set<String>> autoCorrelations = AutoCorrelationsRepo.autoCorrelationsAsMap();
long findingTimestamp = finding.getTimestamp().toEpochMilli();

Check warning on line 94 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L93-L94 

Added lines #L93 - L94 were not covered by tests

Set<String> tags = new HashSet<>();

Check warning on line 96 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L96 

Added line #L96 was not covered by tests
for (DocLevelQuery query : finding.getDocLevelQueries()) {
tags.addAll(query.getTags().stream().filter(tag -> tag.startsWith("attack.")).collect(Collectors.toList()));
}
Set<String> validIntrusionSets = AutoCorrelationsRepo.validIntrusionSets(autoCorrelations, tags);

Check warning on line 100 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L98-L100 

Added lines #L98 - L100 were not covered by tests

MatchQueryBuilder queryBuilder = QueryBuilders.matchQuery("source", "Sigma");

Check warning on line 102 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L102 

Added line #L102 was not covered by tests

SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
searchSourceBuilder.query(queryBuilder);
searchSourceBuilder.size(100);

Check warning on line 106 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L104-L106 

Added lines #L104 - L106 were not covered by tests

SearchRequest request = new SearchRequest();
request.source(searchSourceBuilder);
logTypeService.searchLogTypes(request, new ActionListener<>() {

Check warning on line 110 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L108-L110 

Added lines #L108 - L110 were not covered by tests
@Override
public void onResponse(SearchResponse response) {
MultiSearchRequest mSearchRequest = new MultiSearchRequest();
SearchHit[] logTypes = response.getHits().getHits();
List<String> logTypeNames = new ArrayList<>();

Check warning on line 115 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L113-L115 

Added lines #L113 - L115 were not covered by tests
for (SearchHit logType: logTypes) {
String logTypeName = logType.getSourceAsMap().get("name").toString();
logTypeNames.add(logTypeName);

Check warning on line 118 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L117-L118 

Added lines #L117 - L118 were not covered by tests

RangeQueryBuilder queryBuilder = QueryBuilders.rangeQuery("timestamp")
.gte(findingTimestamp - corrTimeWindow)
.lte(findingTimestamp + corrTimeWindow);

Check warning on line 122 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L120-L122 

Added lines #L120 - L122 were not covered by tests

SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
searchSourceBuilder.query(queryBuilder);
searchSourceBuilder.size(10000);
searchSourceBuilder.fetchField("queries");
SearchRequest searchRequest = new SearchRequest();
searchRequest.indices(DetectorMonitorConfig.getAllFindingsIndicesPattern(logTypeName));
searchRequest.source(searchSourceBuilder);
searchRequest.preference(Preference.PRIMARY_FIRST.type());
mSearchRequest.add(searchRequest);

Check warning on line 132 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L124-L132 

Added lines #L124 - L132 were not covered by tests
}

if (!mSearchRequest.requests().isEmpty()) {
client.multiSearch(mSearchRequest, new ActionListener<>() {

Check warning on line 136 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L136 

Added line #L136 was not covered by tests
@Override
public void onResponse(MultiSearchResponse items) {
MultiSearchResponse.Item[] responses = items.getResponses();

Check warning on line 139 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L139 

Added line #L139 was not covered by tests

Map<String, List<String>> autoCorrelationsMap = new HashMap<>();
int idx = 0;

Check warning on line 142 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L141-L142 

Added lines #L141 - L142 were not covered by tests
for (MultiSearchResponse.Item response : responses) {
if (response.isFailure()) {
log.info(response.getFailureMessage());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why info log? error or debug would be better. along with description message of what this failure is from?

continue;

Check warning on line 146 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L145-L146 

Added lines #L145 - L146 were not covered by tests
}
String logTypeName = logTypeNames.get(idx);

Check warning on line 148 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L148 

Added line #L148 was not covered by tests

SearchHit[] findings = response.getResponse().getHits().getHits();

Check warning on line 150 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L150 

Added line #L150 was not covered by tests

for (SearchHit foundFinding : findings) {
if (!foundFinding.getId().equals(finding.getId())) {
Set<String> findingTags = new HashSet<>();
List<Map<String, Object>> queries = (List<Map<String, Object>>) foundFinding.getSourceAsMap().get("queries");

Check warning on line 155 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L154-L155 

Added lines #L154 - L155 were not covered by tests
for (Map<String, Object> query : queries) {
List<String> queryTags = (List<String>) query.get("tags");
findingTags.addAll(queryTags.stream().filter(queryTag -> queryTag.startsWith("attack.")).collect(Collectors.toList()));
}

Check warning on line 159 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L157-L159 

Added lines #L157 - L159 were not covered by tests

boolean canCorrelate = false;

Check warning on line 161 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L161 

Added line #L161 was not covered by tests
for (String tag: tags) {
if (findingTags.contains(tag)) {
canCorrelate = true;
break;

Check warning on line 165 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L164-L165 

Added lines #L164 - L165 were not covered by tests
}
}

Check warning on line 167 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L167 

Added line #L167 was not covered by tests

Set<String> foundIntrusionSets = AutoCorrelationsRepo.validIntrusionSets(autoCorrelations, findingTags);

Check warning on line 169 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L169 

Added line #L169 was not covered by tests
for (String validIntrusionSet: validIntrusionSets) {
if (foundIntrusionSets.contains(validIntrusionSet)) {
canCorrelate = true;
break;

Check warning on line 173 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L172-L173 

Added lines #L172 - L173 were not covered by tests
}
}

Check warning on line 175 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L175 

Added line #L175 was not covered by tests

if (canCorrelate) {
if (autoCorrelationsMap.containsKey(logTypeName)) {
autoCorrelationsMap.get(logTypeName).add(foundFinding.getId());

Check warning on line 179 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L179 

Added line #L179 was not covered by tests
} else {
List<String> autoCorrelatedFindings = new ArrayList<>();
autoCorrelatedFindings.add(foundFinding.getId());
autoCorrelationsMap.put(logTypeName, autoCorrelatedFindings);

Check warning on line 183 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L181-L183 

Added lines #L181 - L183 were not covered by tests
}
}
}
}
++idx;

Check warning on line 188 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L188 

Added line #L188 was not covered by tests
}
onAutoCorrelations(detector, finding, autoCorrelationsMap);
}

Check warning on line 191 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L190-L191 

Added lines #L190 - L191 were not covered by tests

@Override
public void onFailure(Exception e) {
correlateFindingAction.onFailures(e);
}

Check warning on line 196 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L195-L196 

Added lines #L195 - L196 were not covered by tests
});
}
}

Check warning on line 199 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L199 

Added line #L199 was not covered by tests

@Override
public void onFailure(Exception e) {
correlateFindingAction.onFailures(e);
}

Check warning on line 204 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L203-L204 

Added lines #L203 - L204 were not covered by tests
});
}

Check warning on line 206 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L206 

Added line #L206 was not covered by tests

private void onAutoCorrelations(Detector detector, Finding finding, Map<String, List<String>> autoCorrelations) {
String detectorType = detector.getDetectorType().toLowerCase(Locale.ROOT);
List<String> indices = detector.getInputs().get(0).getIndices();
List<String> relatedDocIds = finding.getCorrelatedDocIds();
Expand Down Expand Up @@ -113,20 +249,20 @@
}
}

getValidDocuments(detectorType, indices, correlationRules, relatedDocIds);
getValidDocuments(detectorType, indices, correlationRules, relatedDocIds, autoCorrelations);

Check warning on line 252 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L252 

Added line #L252 was not covered by tests
}

@Override
public void onFailure(Exception e) {
correlateFindingAction.onFailures(e);
getValidDocuments(detectorType, indices, List.of(), List.of(), autoCorrelations);

Check warning on line 257 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L257 

Added line #L257 was not covered by tests
}
});
}

/**
* this method checks if the finding to be correlated has valid related docs(or not) which match join criteria.
*/
private void getValidDocuments(String detectorType, List<String> indices, List<CorrelationRule> correlationRules, List<String> relatedDocIds) {
private void getValidDocuments(String detectorType, List<String> indices, List<CorrelationRule> correlationRules, List<String> relatedDocIds, Map<String, List<String>> autoCorrelations) {
MultiSearchRequest mSearchRequest = new MultiSearchRequest();
List<CorrelationRule> validCorrelationRules = new ArrayList<>();

Expand Down Expand Up @@ -189,7 +325,9 @@
}
}
searchFindingsByTimestamp(detectorType, categoryToQueriesMap,
filteredCorrelationRules.stream().map(CorrelationRule::getId).collect(Collectors.toList()));
filteredCorrelationRules.stream().map(CorrelationRule::getId).collect(Collectors.toList()),

Check warning on line 328 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L328 

Added line #L328 was not covered by tests
autoCorrelations
);
}

@Override
Expand All @@ -198,15 +336,19 @@
}
});
} else {
correlateFindingAction.getTimestampFeature(detectorType, null, request.getFinding(), List.of());
if (!autoCorrelations.isEmpty()) {
correlateFindingAction.getTimestampFeature(detectorType, autoCorrelations, null, List.of());

Check warning on line 340 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L340 

Added line #L340 was not covered by tests
} else {
correlateFindingAction.getTimestampFeature(detectorType, null, request.getFinding(), List.of());

Check warning on line 342 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L342 

Added line #L342 was not covered by tests
}
}
}

/**
* this method searches for parent findings given the log category & correlation time window & collects all related docs
* for them.
*/
private void searchFindingsByTimestamp(String detectorType, Map<String, List<CorrelationQuery>> categoryToQueriesMap, List<String> correlationRules) {
private void searchFindingsByTimestamp(String detectorType, Map<String, List<CorrelationQuery>> categoryToQueriesMap, List<String> correlationRules, Map<String, List<String>> autoCorrelations) {
long findingTimestamp = request.getFinding().getTimestamp().toEpochMilli();
MultiSearchRequest mSearchRequest = new MultiSearchRequest();
List<Pair<String, List<CorrelationQuery>>> categoryToQueriesPairs = new ArrayList<>();
Expand Down Expand Up @@ -260,7 +402,7 @@
relatedDocIds));
++idx;
}
searchDocsWithFilterKeys(detectorType, relatedDocsMap, correlationRules);
searchDocsWithFilterKeys(detectorType, relatedDocsMap, correlationRules, autoCorrelations);

Check warning on line 405 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L405 

Added line #L405 was not covered by tests
}

@Override
Expand All @@ -269,14 +411,18 @@
}
});
} else {
correlateFindingAction.getTimestampFeature(detectorType, null, request.getFinding(), correlationRules);
if (!autoCorrelations.isEmpty()) {
correlateFindingAction.getTimestampFeature(detectorType, autoCorrelations, null, List.of());

Check warning on line 415 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L415 

Added line #L415 was not covered by tests
} else {
correlateFindingAction.getTimestampFeature(detectorType, null, request.getFinding(), correlationRules);

Check warning on line 417 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L417 

Added line #L417 was not covered by tests
}
}
}

/**
* Given the related docs from parent findings, this method filters only those related docs which match parent join criteria.
*/
private void searchDocsWithFilterKeys(String detectorType, Map<String, DocSearchCriteria> relatedDocsMap, List<String> correlationRules) {
private void searchDocsWithFilterKeys(String detectorType, Map<String, DocSearchCriteria> relatedDocsMap, List<String> correlationRules, Map<String, List<String>> autoCorrelations) {
MultiSearchRequest mSearchRequest = new MultiSearchRequest();
List<String> categories = new ArrayList<>();

Expand Down Expand Up @@ -324,7 +470,7 @@
filteredRelatedDocIds.put(categories.get(idx), docIds);
++idx;
}
getCorrelatedFindings(detectorType, filteredRelatedDocIds, correlationRules);
getCorrelatedFindings(detectorType, filteredRelatedDocIds, correlationRules, autoCorrelations);

Check warning on line 473 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L473 

Added line #L473 was not covered by tests
}

@Override
Expand All @@ -333,15 +479,19 @@
}
});
} else {
correlateFindingAction.getTimestampFeature(detectorType, null, request.getFinding(), correlationRules);
if (!autoCorrelations.isEmpty()) {
correlateFindingAction.getTimestampFeature(detectorType, autoCorrelations, null, List.of());

Check warning on line 483 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L483 

Added line #L483 was not covered by tests
} else {
correlateFindingAction.getTimestampFeature(detectorType, null, request.getFinding(), correlationRules);

Check warning on line 485 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L485 

Added line #L485 was not covered by tests
}
}
}

/**
* Given the filtered related docs of the parent findings, this method gets the actual filtered parent findings for
* the finding to be correlated.
*/
private void getCorrelatedFindings(String detectorType, Map<String, List<String>> filteredRelatedDocIds, List<String> correlationRules) {
private void getCorrelatedFindings(String detectorType, Map<String, List<String>> filteredRelatedDocIds, List<String> correlationRules, Map<String, List<String>> autoCorrelations) {
long findingTimestamp = request.getFinding().getTimestamp().toEpochMilli();
MultiSearchRequest mSearchRequest = new MultiSearchRequest();
List<String> categories = new ArrayList<>();
Expand Down Expand Up @@ -397,6 +547,16 @@
}
++idx;
}

for (Map.Entry<String, List<String>> autoCorrelation: autoCorrelations.entrySet()) {
if (correlatedFindings.containsKey(autoCorrelation.getKey())) {
Set<String> alreadyCorrelatedFindings = new HashSet<>(correlatedFindings.get(autoCorrelation.getKey()));
alreadyCorrelatedFindings.addAll(autoCorrelation.getValue());
correlatedFindings.put(autoCorrelation.getKey(), new ArrayList<>(alreadyCorrelatedFindings));
} else {
correlatedFindings.put(autoCorrelation.getKey(), autoCorrelation.getValue());

Check warning on line 557 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L553-L557 

Added lines #L553 - L557 were not covered by tests
}
}

Check warning on line 559 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L559 

Added line #L559 was not covered by tests
correlateFindingAction.initCorrelationIndex(detectorType, correlatedFindings, correlationRules);
}

Expand All @@ -406,7 +566,11 @@
}
});
} else {
correlateFindingAction.getTimestampFeature(detectorType, null, request.getFinding(), correlationRules);
if (!autoCorrelations.isEmpty()) {
correlateFindingAction.getTimestampFeature(detectorType, autoCorrelations, null, List.of());

Check warning on line 570 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L570 

Added line #L570 was not covered by tests
} else {
correlateFindingAction.getTimestampFeature(detectorType, null, request.getFinding(), correlationRules);

Check warning on line 572 in src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java#L572 

Added line #L572 was not covered by tests
}
}
}

Expand Down
6 changes: 5 additions & 1 deletion ...main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,8 @@

private final CorrelationIndices correlationIndices;

private final LogTypeService logTypeService;

private final ClusterService clusterService;

private final Settings settings;
Expand All @@ -100,6 +102,7 @@
NamedXContentRegistry xContentRegistry,
DetectorIndices detectorIndices,
CorrelationIndices correlationIndices,
LogTypeService logTypeService,
ClusterService clusterService,
Settings settings,
ActionFilters actionFilters) {
Expand All @@ -108,6 +111,7 @@
this.xContentRegistry = xContentRegistry;
this.detectorIndices = detectorIndices;
this.correlationIndices = correlationIndices;
this.logTypeService = logTypeService;

Check warning on line 114 in src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java#L114 

Added line #L114 was not covered by tests
this.clusterService = clusterService;
this.settings = settings;
this.threadPool = this.detectorIndices.getThreadPool();
Expand Down Expand Up @@ -186,7 +190,7 @@

this.response =new AtomicReference<>();

this.joinEngine = new JoinEngine(client, request, xContentRegistry, corrTimeWindow, this);
this.joinEngine = new JoinEngine(client, request, xContentRegistry, corrTimeWindow, this, logTypeService);

Check warning on line 193 in src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java

View check run for this annotation

Codecov / codecov/patch

src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java#L193 

Added line #L193 was not covered by tests
this.vectorEmbeddingsEngine = new VectorEmbeddingsEngine(client, indexTimeout, corrTimeWindow, this);
}

Expand Down
Loading
Loading