Skip to content

Correlate findings in batches #1539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Correlate findings in batches #1539

wants to merge 15 commits into from

Conversation

toepkerd
Copy link
Contributor

@toepkerd toepkerd commented Jun 12, 2025
edited
Loading

Description

Correlations now correlates findings in batches synchronously instead of starting a task for each individual finding. Also performs some prechecks before even correlating in the first place:

  1. is auto correlations setting enabled
  2. does correlation rules index exist
  3. is correlation rules index not empty

For Reviewers

The only file with meaningful changes is TransportCorrelateFindingAction.java, below is a guide to direct your attention to the most important changes:

  • Lines 153-181: prechecks before running correlations at all
  • Lines 303-313: synchronous and timeboxed correlations of findings
  • Lines 558-574: changes to onFailure and onOperation (correlation's version of onSuccess) functionality to support new batch correlations

Related Issues

#1537

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • [N/A] API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • [N/A] Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

eirsep
eirsep reviewed Jun 12, 2025
View reviewed changes
build.gradle Outdated
@@ -210,7 +210,7 @@ dependencies {
implementation 'com.jayway.jsonpath:json-path:2.9.0'
implementation 'net.minidev:json-smart:2.5.2'
implementation 'net.minidev:accessors-smart:2.5.2'
compileOnly "com.google.guava:guava:32.1.3-jre"
implementation "com.google.guava:guava:32.1.3-jre"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need this?

@toepkerd toepkerd marked this pull request as ready for review June 12, 2025 23:29
pranu2502 and others added 8 commits June 17, 2025 11:17
@pranu2502 @toepkerd-zz
Fix build due to phasing off SecurityManager usage in favor of Java A…
54c6baa 
…gent (opensearch-project#1504)

Signed-off-by: Dennis Toepker <[email protected]>
@pranu2502 @toepkerd-zz
Using java-agent gradle plugin to phase off Security Manager in favor…
5933b72 
… of Java-agent. (opensearch-project#1505)

* Revert "Fix build due to phasing off SecurityManager usage in favor of Java Agent (opensearch-project#1504)"

This reverts commit d6ddd5b.

Signed-off-by: Pranav Reddy <[email protected]>

* Using java-agent gradle plugin to phase off Security Manager in favor of Java-agent.

Signed-off-by: Pranav Reddy <[email protected]>

---------

Signed-off-by: Pranav Reddy <[email protected]>
Signed-off-by: Dennis Toepker <[email protected]>
@vikhy-aws @toepkerd-zz
Add updateVersion task (opensearch-project#1511)
1216299 
Signed-off-by: vikhy-aws <[email protected]>
Signed-off-by: Dennis Toepker <[email protected]>
@opensearch-trigger-bot @github-actions @toepkerd-zz
Remove beta1 qualifier (opensearch-project#1519) (opensearch-project#…
5d46089 
…1520)

(cherry picked from commit e4fc510)

Signed-off-by: Peter Zhu <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: Dennis Toepker <[email protected]>
@opensearch-trigger-bot @opensearch-ci-bot
@peterzhuamazon @toepkerd-zz
Increment version to 3.1.0-SNAPSHOT (opensearch-project#1517)
b45cdc6 
Signed-off-by: opensearch-ci-bot <[email protected]>
Co-authored-by: opensearch-ci-bot <[email protected]>
Co-authored-by: Peter Zhu <[email protected]>
Signed-off-by: Dennis Toepker <[email protected]>
@riysaxen-amzn @peterzhuamazon @toepkerd-zz
added release notes for 3.0 (opensearch-project#1523)
7f7b802 
* added release notes for 3.0

Signed-off-by: Riya Saxena <[email protected]>

* added release notes for 3.0

Signed-off-by: Riya Saxena <[email protected]>

* Update opensearch-security-analytics.release-notes-3.0.0.0.md

Signed-off-by: Peter Zhu <[email protected]>

---------

Signed-off-by: Riya Saxena <[email protected]>
Signed-off-by: Peter Zhu <[email protected]>
Co-authored-by: Peter Zhu <[email protected]>
Signed-off-by: Dennis Toepker <[email protected]>
@cwperks @toepkerd-zz
Switch guava deps from compileOnly to implementation (opensearch-proj…
affaee5 
…ect#1530)

* Switch guava deps from compileOnly to implementation

Signed-off-by: Craig Perkins <[email protected]>

* Use AccessController

Signed-off-by: Craig Perkins <[email protected]>

* Use getResource

Signed-off-by: Craig Perkins <[email protected]>

* Use getResourceAsStream

Signed-off-by: Craig Perkins <[email protected]>

* Try removing lead forward slash

Signed-off-by: Craig Perkins <[email protected]>

---------

Signed-off-by: Craig Perkins <[email protected]>
Signed-off-by: Dennis Toepker <[email protected]>
@toepkerd-zz
correlating findings in batches
d695bee 
Signed-off-by: Dennis Toepker <[email protected]>
eirsep
eirsep requested changes Jun 18, 2025
View reviewed changes
src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java
@@ -116,6 +125,7 @@ public TransportCorrelateFindingAction(TransportService transportService,
this.xContentRegistry = xContentRegistry;
this.detectorIndices = detectorIndices;
this.correlationIndices = correlationIndices;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update this name

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eirsep eirsep eirsep requested changes

@amsiglan amsiglan Awaiting requested review from amsiglan amsiglan is a code owner

@AWSHurneyt AWSHurneyt Awaiting requested review from AWSHurneyt AWSHurneyt is a code owner

@getsaurabh02 getsaurabh02 Awaiting requested review from getsaurabh02 getsaurabh02 is a code owner

@lezzago lezzago Awaiting requested review from lezzago lezzago is a code owner

@praveensameneni praveensameneni Awaiting requested review from praveensameneni praveensameneni is a code owner

@sbcd90 sbcd90 Awaiting requested review from sbcd90 sbcd90 is a code owner

@jowg-amazon jowg-amazon Awaiting requested review from jowg-amazon jowg-amazon is a code owner

@engechas engechas Awaiting requested review from engechas engechas is a code owner

@goyamegh goyamegh Awaiting requested review from goyamegh goyamegh is a code owner

@riysaxen-amzn riysaxen-amzn Awaiting requested review from riysaxen-amzn riysaxen-amzn is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
backport 2.x backport 2.19
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@toepkerd @eirsep @pranu2502 @vikhy-aws @riysaxen-amzn @cwperks @toepkerd-zz