De-dupe Alerts generated by Aggregation Sigma Rules fix
Signed-off-by: Riya Saxena <[email protected]>
riysaxen-amzn committed Dec 17, 2024
1 parent 2a9646e commit bdd3f00
Showing 4 changed files with 13 additions and 7 deletions.
Expand Up @@ -241,7 +241,8 @@ private Monitor buildThreatIntelMonitor(IndexThreatIntelMonitorRequest request)
new DataSources(),
false,
null,
PLUGIN_OWNER_FIELD
PLUGIN_OWNER_FIELD,
true
);
} catch (Exception e) {
String error = "Error occurred while parsing monitor.";
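Review bot: The trailing `true` appended to the Monitor constructor call in buildThreatIntelMonitor is an unlabeled positional boolean, so a reader cannot tell which Monitor option it sets or why the threat-intel monitor gets `true` while the chained-findings monitor elsewhere in this commit gets `false`. Since this flag appears to control the alert de-duplication behaviour the commit title describes, a wrong value at one of these call sites would silently change which alerts are produced, and nothing in the call marks it as deliberate. Suggest naming the value, e.g. `true /* <name of the new Monitor option>: dedupe alerts for this monitor */`, or a `private static final boolean` constant shared by the call sites that pass `true`. The body of buildThreatIntelMonitor continues outside this hunk.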
Expand Up @@ -471,6 +471,8 @@ public void onResponse(Map<String, Map<String, String>> ruleFieldMappings) {
@Override
public void onResponse(Collection<IndexMonitorRequest> indexMonitorRequests) {
if (detector.getRuleIdMonitorIdMap().containsKey(CHAINED_FINDINGS_MONITOR_STRING)) {
// set the toggle flag disable

String cmfId = detector.getRuleIdMonitorIdMap().get(CHAINED_FINDINGS_MONITOR_STRING);
if (shouldAddChainedFindingDocMonitor(indexMonitorRequests.isEmpty(), rulesById)) {
monitorsToBeUpdated.add(createDocLevelMonitorMatchAllRequest(detector, RefreshPolicy.IMMEDIATE, cmfId, Method.PUT, rulesById));
Expand Down Expand Up @@ -797,7 +799,7 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List<Pair<String, Rule>
detector.getAlertsHistoryIndex(),
detector.getAlertsHistoryIndexPattern(),
DetectorMonitorConfig.getRuleIndexMappingsByType(),
true), enableDetectorWithDedicatedQueryIndices, null, PLUGIN_OWNER_FIELD);
true), enableDetectorWithDedicatedQueryIndices, null, PLUGIN_OWNER_FIELD, true);

return new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null);
}
Expand Down Expand Up @@ -902,7 +904,7 @@ private IndexMonitorRequest createDocLevelMonitorMatchAllRequest(
detector.getAlertsHistoryIndex(),
detector.getAlertsHistoryIndexPattern(),
DetectorMonitorConfig.getRuleIndexMappingsByType(),
true), enableDetectorWithDedicatedQueryIndices, true, PLUGIN_OWNER_FIELD);
true), enableDetectorWithDedicatedQueryIndices, true, PLUGIN_OWNER_FIELD, false);

return new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null);
}
Expand Down Expand Up @@ -1078,7 +1080,7 @@ public void onResponse(GetIndexMappingsResponse getIndexMappingsResponse) {
detector.getAlertsHistoryIndex(),
detector.getAlertsHistoryIndexPattern(),
DetectorMonitorConfig.getRuleIndexMappingsByType(),
true), false, null, PLUGIN_OWNER_FIELD);
true), false, null, PLUGIN_OWNER_FIELD, true);

listener.onResponse(new IndexMonitorRequest(monitorId, SequenceNumbers.UNASSIGNED_SEQ_NO, SequenceNumbers.UNASSIGNED_PRIMARY_TERM, refreshPolicy, restMethod, monitor, null));
}
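Review bot: The comment `// set the toggle flag disable` added inside onResponse is followed only by a blank line; no code in this hunk sets or disables anything, so it reads as a stale note and will mislead the next maintainer. The value that is actually disabled is the trailing `false` passed to the Monitor constructor in createDocLevelMonitorMatchAllRequest further down, while createDocLevelMonitorRequest and the GetIndexMappingsResponse path pass `true`. Suggest deleting the dangling comment and instead documenting the exception at the `false` argument, stating which Monitor option it is and why the chained-findings (match-all) monitor must not have it enabled, e.g. `false /* chained-findings monitor: <option> intentionally disabled, see <reason> */`. Without that, a later edit that "fixes" the inconsistency between the call sites could silently drop or duplicate alerts from aggregation rules, which is the behaviour this commit is trying to correct. The onResponse callback and the three request-building methods all start or end outside the visible hunks.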
Expand Up @@ -97,7 +97,8 @@ public void testGetAlerts_success() {
new DataSources(),
true,
null,
TransportIndexDetectorAction.PLUGIN_OWNER_FIELD
TransportIndexDetectorAction.PLUGIN_OWNER_FIELD,
true
),
new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")),
List.of("finding_id_1"),
Expand Down Expand Up @@ -133,7 +134,8 @@ public void testGetAlerts_success() {
new DataSources(),
true,
null,
TransportIndexDetectorAction.PLUGIN_OWNER_FIELD
TransportIndexDetectorAction.PLUGIN_OWNER_FIELD,
true
),
new DocumentLevelTrigger("trigger_id_1", "my_trigger", "severity_low", List.of(), new Script("")),
List.of("finding_id_1"),
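Review bot: Both Monitor fixtures in testGetAlerts_success pass `true` for the new trailing constructor argument, and none of the test changes in this commit visibly exercise the `false` value that the chained-findings monitor now receives in TransportIndexDetectorAction. If the flag governs alert de-duplication, the `false` path is the one most likely to regress, so a fixture built with `false` (or a parameterized variant of this test) would be worth adding. Also consider replacing the bare literal with a named constant so the test documents what it is asserting. The test method continues outside this hunk.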
Expand Up @@ -59,7 +59,8 @@ public void testThreatInputSerde() throws IOException {
new DataSources(),
false,
null,
"security_analytics"
"security_analytics",
true
);
BytesStreamOutput monitorOut = new BytesStreamOutput();
monitor.writeTo(monitorOut);
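Review bot: The serde fixture in testThreatInputSerde passes `true` for the new flag; if `true` is also the value Monitor's readFrom falls back to (the default is not visible here), then a writeTo/readFrom that omits the new field would still round-trip this monitor unchanged and the test would pass. Suggest a second round-trip that constructs the monitor with `false` and asserts the read-back flag is `false`, which is the only way this test can prove the field is actually serialized. The readFrom call and the assertions are outside this hunk.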
