fix for detectors with sigma aggregation rules #1372
Conversation
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
sbcd90
requested review from
amsiglan,
AWSHurneyt,
getsaurabh02,
lezzago,
praveensameneni,
eirsep,
jowg-amazon,
engechas,
goyamegh and
riysaxen-amzn
as code owners
| @@ -2153,6 +2157,109 @@ public void testCreateDetectorWithCloudtrailAggrRuleWithEcsFields() throws IOExc | |||
| assertEquals(1, getFindingsBody.get("total_findings")); | |||
| } | |||
|
|
|||
| @SuppressWarnings("unchecked") | |||
| public void testCreateDetectorWithCloudtrailAggrRuleWithRolloverIndexAliases() throws IOException, InterruptedException { | |||
| updateClusterSetting("plugins.security_analytics.enable_detectors_with_dedicated_query_indices", "false"); | |||
There was a problem hiding this comment.
why do we turn off this setting?
There was a problem hiding this comment.
plz change to true as that's the new default behaviour
There was a problem hiding this comment.
yes. sorry. leftover from some experiments.
| assertEquals(1, getFindingsBody.get("total_findings")); | ||
|
|
||
| doRollover("ocsf_ct"); | ||
| Thread.sleep(90000); |
There was a problem hiding this comment.
why should we do sleep?
after rollover is the template not applied to new index directly?
There was a problem hiding this comment.
The Sigma Aggregation Rule we're using has timeframe set to 1m(
sleep ensures that the rule only considers docs from the rolled over new write index. If this fix is not present, the alerting workflow run doesn't generate the new finding.
| doRollover("ocsf_ct"); | ||
| Thread.sleep(90000); | ||
|
|
||
| indexDoc("ocsf_ct", "4", randomCloudtrailOcsfDoc()); |
There was a problem hiding this comment.
before this should we not verify mappings of new write index?
There was a problem hiding this comment.
mappings of the first write index are verified with the first workflow run.
.If alias mappings are not applied, findings will not be generated.There was a problem hiding this comment.
But i thought the bug was that AFTER rollover the template is not getting applied?
Yes. Template is applied at creation time with the |
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
| @@ -115,13 +115,22 @@ public void upsertIndexTemplateWithAliasMappings( | |||
|
|
|||
| upsertComponentTemplateStepListener.whenComplete( acknowledgedResponse -> { | |||
|
|
|||
| // Find template which matches input index best | |||
| // Find template which matches input index best. starts by directly matching with input index and | |||
There was a problem hiding this comment.
let's use doc comments for these lines instead -> https://www.oracle.com/technical-resources/articles/java/javadoc-tool.html
There was a problem hiding this comment.
will address this in a follow-up pr.
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> (cherry picked from commit 6f543b5) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> (cherry picked from commit 6f543b5) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> (cherry picked from commit 6f543b5) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
(cherry picked from commit 6f543b5) Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
(cherry picked from commit 6f543b5) Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
(cherry picked from commit 6f543b5) Signed-off-by: Subhobrata Dey <sbcd90@gmail.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
fix for detectors with sigma aggregation rules
Related Issues
Resolves #[Issue number to be closed when this PR is merged]
Check List
--signoff.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.