fix CVE-2023-2976 (opensearch-project#835) (opensearch-project#840)

Signed-off-by: Joanne Wang <[email protected]>
(cherry picked from commit 4d4f5e3)

Co-authored-by: Joanne Wang <[email protected]>

Reduce log level for informative message (opensearch-project#203) (opensearch-project#833)

Signed-off-by: Enrico Tröger <[email protected]>
Co-authored-by: Enrico Tröger <[email protected]>

Updated alert creation following common-utils PR 584. (opensearch-project#837) (opensearch-project#839)

Signed-off-by: AWSHurneyt <[email protected]>
(cherry picked from commit 8adb9c3)

Co-authored-by: AWSHurneyt <[email protected]>

Release notes for 2.12.0 (opensearch-project#834) (opensearch-project#841)

* release notes for 2.12

Signed-off-by: Joanne Wang <[email protected]>

* update release notes

Signed-off-by: Joanne Wang <[email protected]>

* update release notes

Signed-off-by: Joanne Wang <[email protected]>

---------

Signed-off-by: Joanne Wang <[email protected]>
(cherry picked from commit 414484a)

Co-authored-by: Joanne Wang <[email protected]>

Remove blocking calls and change threat intel feed flow to event driven (opensearch-project#871) (opensearch-project#876)

* remove actionGet() and change threat intel feed flow to event driven

Signed-off-by: Surya Sashank Nistala <[email protected]>

* fix javadocs

Signed-off-by: Surya Sashank Nistala <[email protected]>

* revert try catch removals

Signed-off-by: Surya Sashank Nistala <[email protected]>

* use action listener wrap() in detector threat intel code paths

Signed-off-by: Surya Sashank Nistala <[email protected]>

* add try catch

Signed-off-by: Surya Sashank Nistala <[email protected]>

---------

Signed-off-by: Surya Sashank Nistala <[email protected]>
(cherry picked from commit 172d58d)

Co-authored-by: Surya Sashank Nistala <[email protected]>

Fail the flow the when detectot type is missing in the log types index (opensearch-project#845) (opensearch-project#857)

Signed-off-by: Megha Goyal <[email protected]>
(cherry picked from commit 8d19912)

Co-authored-by: Megha Goyal <[email protected]>

[BUG] ArrayIndexOutOfBoundsException for inconsistent detector index behavior  (opensearch-project#843) (opensearch-project#858)

* Catch ArrayIndexOutOfBoundsException when detector is missing

Signed-off-by: Megha Goyal <[email protected]>

* Add a check on SearchHits.getHits() length

Signed-off-by: Megha Goyal <[email protected]>

* Remove index out of bounds exception

Signed-off-by: Megha Goyal <[email protected]>

---------

Signed-off-by: Megha Goyal <[email protected]>
(cherry picked from commit 0ef8543)

Co-authored-by: Megha Goyal <[email protected]>

Backport opensearch-project#873 and opensearch-project#789 (opensearch-project#895)

* support object fields in aggregation based sigma rules (opensearch-project#789)

Signed-off-by: Subhobrata Dey <[email protected]>

* Pass rule field names in doc level queries during monitor/creation. Remove blocking actionGet() calls  (opensearch-project#873)

* pass query field names in doc level queries during monitor creation/updation

Signed-off-by: Surya Sashank Nistala <[email protected]>

* remove actionGet() and change get index mapping call to event driven flow

Signed-off-by: Surya Sashank Nistala <[email protected]>

* fix chained findings monitor

Signed-off-by: Surya Sashank Nistala <[email protected]>

* add finding mappings

Signed-off-by: Surya Sashank Nistala <[email protected]>

* remove test messages from logs

Signed-off-by: Surya Sashank Nistala <[email protected]>

* revert build.gradle change

Signed-off-by: Surya Sashank Nistala <[email protected]>

---------

Signed-off-by: Surya Sashank Nistala <[email protected]>

---------

Signed-off-by: Subhobrata Dey <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: Subhobrata Dey <[email protected]>

Fix duplicate ecs mappings which returns incorrect log index field in mapping view API (opensearch-project#786) (opensearch-project#788) (opensearch-project#898)

* field mapping changes

* add integ test

* turn unmappedfieldaliases as set and add integ test

* add comments

* fix integ tests

* moved logic to method for better readability

---------

Signed-off-by: Joanne Wang <[email protected]>

Add throw for empty strings in rules with modifier contains, startwith, and endswith (opensearch-project#860) (opensearch-project#896)

* add validation for empty strings with contains, startswith and endswith modifiers

* throw exception if empty string with contains, startswith, or endswith

* change var name

* add modifiers to log

---------

Signed-off-by: Joanne Wang <[email protected]>

Add an "exists" check for "not" condition in sigma rules (opensearch-project#852) (opensearch-project#897)

* test design

Signed-off-by: Joanne Wang <[email protected]>

* working version

Signed-off-by: Joanne Wang <[email protected]>

* cleaning up

Signed-off-by: Joanne Wang <[email protected]>

* testing

Signed-off-by: Joanne Wang <[email protected]>

* working version

Signed-off-by: Joanne Wang <[email protected]>

* working version

Signed-off-by: Joanne Wang <[email protected]>

* refactored querybackend

Signed-off-by: Joanne Wang <[email protected]>

* working on tests

Signed-off-by: Joanne Wang <[email protected]>

* fixed alerting and finding tests

Signed-off-by: Joanne Wang <[email protected]>

* fix correlation tests

Signed-off-by: Joanne Wang <[email protected]>

* working all tests

Signed-off-by: Joanne Wang <[email protected]>

* moved test and changed alias for adldap

Signed-off-by: Joanne Wang <[email protected]>

* added more tests

Signed-off-by: Joanne Wang <[email protected]>

* cleanup code

Signed-off-by: Joanne Wang <[email protected]>

* remove exists flag

Signed-off-by: Joanne Wang <[email protected]>

---------

Signed-off-by: Joanne Wang <[email protected]>
(cherry picked from commit 656a5fe)

Co-authored-by: Joanne Wang <[email protected]>

Add goyamegh as a maintainer (opensearch-project#868) (opensearch-project#899)

Signed-off-by: Megha Goyal <[email protected]>

Refactor invocation of Action listeners in correlations (opensearch-project#880) (opensearch-project#900)

* Refactor invocation of Action listeners in correlations

* Close hanging tasks in correlations workflow

* Logging finding id and monitor id in error logs

---------

Signed-off-by: Megha Goyal <[email protected]>

Add search request timeouts for correlations workflows (opensearch-project#893) (opensearch-project#901)

* Reinstating more leaks plugged-in for correlations workflows

Signed-off-by: Megha Goyal <[email protected]>

* Add search timeouts to all correlation searches

Signed-off-by: Megha Goyal <[email protected]>

* Fix logging and exception messages

Signed-off-by: Megha Goyal <[email protected]>

* Change search timeout to 30 seconds

Signed-off-by: Megha Goyal <[email protected]>

---------

Signed-off-by: Megha Goyal <[email protected]>
(cherry picked from commit 75c4429)

Co-authored-by: Megha Goyal <[email protected]>

Author: 2 people

.github/CODEOWNERS

@@ -1 +1 @@
-* @amsiglan @AWSHurneyt @getsaurabh02 @lezzago @praveensameneni @sbcd90 @eirsep @jowg-amazon
+* @amsiglan @AWSHurneyt @getsaurabh02 @lezzago @praveensameneni @sbcd90 @eirsep @jowg-amazon @engechas @goyamegh

MAINTAINERS.md

@@ -14,3 +14,5 @@ This document contains a list of maintainers in this repo. See [opensearch-proje
 | Amardeepsingh Siglani | [amsiglan](https://github.com/amsiglan)               | Amazon      |
 | Saurabh Singh         | [getsaurabh02](https://github.com/getsaurabh02)       | Amazon      |
 | Joanne Wang           | [jowg-amazon](https://github.com/jowg-amazon)         | Amazon      |
+| Chase Engelbrecht     | [engechas](https://github.com/engechas)               | Amazon      |
+| Megha Goyal           | [goyamegh](https://github.com/goyamegh)               | Amazon      |

build.gradle

@@ -151,6 +151,7 @@ configurations {
         resolutionStrategy {
             // for spotless transitive dependency CVE
             force "org.eclipse.platform:org.eclipse.core.runtime:3.29.0"
+            force "com.google.guava:guava:32.1.2-jre"
         }
     }
 }

release-notes/opensearch-security-analytics.release-notes-2.12.0.0.md

@@ -0,0 +1,37 @@
+## Version 2.12.0.0 2024-02-06
+
+Compatible with OpenSearch 2.12.0
+
+### Maintenance
+* Increment to 2.12. ([#771](https://github.com/opensearch-project/security-analytics/pull/771))
+* Onboard prod jenkins docker images to github actions ([#710](https://github.com/opensearch-project/security-analytics/pull/710))
+* Match maintainer account username ([#438](https://github.com/opensearch-project/security-analytics/pull/438))
+* Add to Codeowners ([#726](https://github.com/opensearch-project/security-analytics/pull/726))
+* Fix codeowners to match maintainers ([#783](https://github.com/opensearch-project/security-analytics/pull/783))
+* updated lucene MAX_DIMENSIONS path ([#607](https://github.com/opensearch-project/security-analytics/pull/607))
+* Addresses changes related to default admin credentials ([#832](https://github.com/opensearch-project/security-analytics/pull/832))
+* Upgrade Lucene Codec to Lucene99 + Upgrade to Gradle 8.5 ([#800](https://github.com/opensearch-project/security-analytics/pull/800))
+* fix CVE-2023-2976 ([#835](https://github.com/opensearch-project/security-analytics/pull/835))
+
+### Features
+* Integrate threat intel feeds ([#669](https://github.com/opensearch-project/security-analytics/pull/669))
+
+### Bug Fixes
+* Fix for doc level query constructor change ([#651](https://github.com/opensearch-project/security-analytics/pull/651))
+* Make threat intel async ([#703](https://github.com/opensearch-project/security-analytics/pull/703))
+* Return empty response for empty mappings and no applied aliases ([#724](https://github.com/opensearch-project/security-analytics/pull/724))
+* Fix threat intel plugin integ test ([#774](https://github.com/opensearch-project/security-analytics/pull/774))
+* Use a common constant to specify the version for log type mappings ([#708](https://github.com/opensearch-project/security-analytics/pull/734))
+* Sigma keywords field not handled correctly ([#725](https://github.com/opensearch-project/security-analytics/pull/725))
+* Allow updation/deletion of custom log type if custom rule index is missing ([#767](https://github.com/opensearch-project/security-analytics/pull/767))
+* Delete detector successfully if workflow is missing ([#790](https://github.com/opensearch-project/security-analytics/pull/790))
+* fix null query filter conversion from sigma to query string query ([#722](https://github.com/opensearch-project/security-analytics/pull/722))
+* add field based rules support in correlation engine ([#737](https://github.com/opensearch-project/security-analytics/pull/737))
+* Reduce log level for informative message ([#203](https://github.com/opensearch-project/security-analytics/pull/203))
+
+### Refactor
+* Refactored alert tests ([#837](https://github.com/opensearch-project/security-analytics/pull/837))
+
+### Documentation
+* Added 2.12.0 release notes. ([#834](https://github.com/opensearch-project/security-analytics/pull/834))
+* Add developer guide ([#791](https://github.com/opensearch-project/security-analytics/pull/791))

src/main/generated/org/opensearch/securityanalytics/rules/condition/aggregation/AggregationLexer.java

@@ -129,50 +129,50 @@ public AggregationLexer(CharStream input) {
         "\u0001\u000f\u0001\u000f\u0000\u0000\u0010\u0001\u0001\u0003\u0002\u0005"+
         "\u0003\u0007\u0004\t\u0005\u000b\u0006\r\u0007\u000f\b\u0011\t\u0013\n"+
         "\u0015\u000b\u0017\f\u0019\r\u001b\u000e\u001d\u000f\u001f\u0010\u0001"+
-        "\u0000\u0004\u0001\u000009\u0004\u0000**AZ__az\u0004\u000009AZ__az\u0003"+
-        "\u0000\t\n\f\r  n\u0000\u0001\u0001\u0000\u0000\u0000\u0000\u0003\u0001"+
-        "\u0000\u0000\u0000\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0007\u0001"+
-        "\u0000\u0000\u0000\u0000\t\u0001\u0000\u0000\u0000\u0000\u000b\u0001\u0000"+
-        "\u0000\u0000\u0000\r\u0001\u0000\u0000\u0000\u0000\u000f\u0001\u0000\u0000"+
-        "\u0000\u0000\u0011\u0001\u0000\u0000\u0000\u0000\u0013\u0001\u0000\u0000"+
-        "\u0000\u0000\u0015\u0001\u0000\u0000\u0000\u0000\u0017\u0001\u0000\u0000"+
-        "\u0000\u0000\u0019\u0001\u0000\u0000\u0000\u0000\u001b\u0001\u0000\u0000"+
-        "\u0000\u0000\u001d\u0001\u0000\u0000\u0000\u0000\u001f\u0001\u0000\u0000"+
-        "\u0000\u0001!\u0001\u0000\u0000\u0000\u0003#\u0001\u0000\u0000\u0000\u0005"+
-        "&\u0001\u0000\u0000\u0000\u0007(\u0001\u0000\u0000\u0000\t+\u0001\u0000"+
-        "\u0000\u0000\u000b.\u0001\u0000\u0000\u0000\r4\u0001\u0000\u0000\u0000"+
-        "\u000f8\u0001\u0000\u0000\u0000\u0011<\u0001\u0000\u0000\u0000\u0013@"+
-        "\u0001\u0000\u0000\u0000\u0015D\u0001\u0000\u0000\u0000\u0017G\u0001\u0000"+
-        "\u0000\u0000\u0019I\u0001\u0000\u0000\u0000\u001bL\u0001\u0000\u0000\u0000"+
-        "\u001d[\u0001\u0000\u0000\u0000\u001fc\u0001\u0000\u0000\u0000!\"\u0005"+
-        ">\u0000\u0000\"\u0002\u0001\u0000\u0000\u0000#$\u0005>\u0000\u0000$%\u0005"+
-        "=\u0000\u0000%\u0004\u0001\u0000\u0000\u0000&\'\u0005<\u0000\u0000\'\u0006"+
-        "\u0001\u0000\u0000\u0000()\u0005<\u0000\u0000)*\u0005=\u0000\u0000*\b"+
-        "\u0001\u0000\u0000\u0000+,\u0005=\u0000\u0000,-\u0005=\u0000\u0000-\n"+
-        "\u0001\u0000\u0000\u0000./\u0005c\u0000\u0000/0\u0005o\u0000\u000001\u0005"+
-        "u\u0000\u000012\u0005n\u0000\u000023\u0005t\u0000\u00003\f\u0001\u0000"+
-        "\u0000\u000045\u0005s\u0000\u000056\u0005u\u0000\u000067\u0005m\u0000"+
-        "\u00007\u000e\u0001\u0000\u0000\u000089\u0005m\u0000\u00009:\u0005i\u0000"+
-        "\u0000:;\u0005n\u0000\u0000;\u0010\u0001\u0000\u0000\u0000<=\u0005m\u0000"+
-        "\u0000=>\u0005a\u0000\u0000>?\u0005x\u0000\u0000?\u0012\u0001\u0000\u0000"+
-        "\u0000@A\u0005a\u0000\u0000AB\u0005v\u0000\u0000BC\u0005g\u0000\u0000"+
-        "C\u0014\u0001\u0000\u0000\u0000DE\u0005b\u0000\u0000EF\u0005y\u0000\u0000"+
-        "F\u0016\u0001\u0000\u0000\u0000GH\u0005(\u0000\u0000H\u0018\u0001\u0000"+
-        "\u0000\u0000IJ\u0005)\u0000\u0000J\u001a\u0001\u0000\u0000\u0000KM\u0005"+
-        "-\u0000\u0000LK\u0001\u0000\u0000\u0000LM\u0001\u0000\u0000\u0000MO\u0001"+
-        "\u0000\u0000\u0000NP\u0007\u0000\u0000\u0000ON\u0001\u0000\u0000\u0000"+
-        "PQ\u0001\u0000\u0000\u0000QO\u0001\u0000\u0000\u0000QR\u0001\u0000\u0000"+
-        "\u0000RY\u0001\u0000\u0000\u0000SU\u0005.\u0000\u0000TV\u0007\u0000\u0000"+
-        "\u0000UT\u0001\u0000\u0000\u0000VW\u0001\u0000\u0000\u0000WU\u0001\u0000"+
-        "\u0000\u0000WX\u0001\u0000\u0000\u0000XZ\u0001\u0000\u0000\u0000YS\u0001"+
-        "\u0000\u0000\u0000YZ\u0001\u0000\u0000\u0000Z\u001c\u0001\u0000\u0000"+
-        "\u0000[_\u0007\u0001\u0000\u0000\\^\u0007\u0002\u0000\u0000]\\\u0001\u0000"+
-        "\u0000\u0000^a\u0001\u0000\u0000\u0000_]\u0001\u0000\u0000\u0000_`\u0001"+
-        "\u0000\u0000\u0000`\u001e\u0001\u0000\u0000\u0000a_\u0001\u0000\u0000"+
-        "\u0000bd\u0007\u0003\u0000\u0000cb\u0001\u0000\u0000\u0000de\u0001\u0000"+
-        "\u0000\u0000ec\u0001\u0000\u0000\u0000ef\u0001\u0000\u0000\u0000fg\u0001"+
-        "\u0000\u0000\u0000gh\u0006\u000f\u0000\u0000h \u0001\u0000\u0000\u0000"+
-        "\u0007\u0000LQWY_e\u0001\u0006\u0000\u0000";
+        "\u0000\u0004\u0001\u000009\u0005\u0000**..AZ__az\u0005\u0000..09AZ__a"+
+        "z\u0003\u0000\t\n\f\r  n\u0000\u0001\u0001\u0000\u0000\u0000\u0000\u0003"+
+        "\u0001\u0000\u0000\u0000\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0007"+
+        "\u0001\u0000\u0000\u0000\u0000\t\u0001\u0000\u0000\u0000\u0000\u000b\u0001"+
+        "\u0000\u0000\u0000\u0000\r\u0001\u0000\u0000\u0000\u0000\u000f\u0001\u0000"+
+        "\u0000\u0000\u0000\u0011\u0001\u0000\u0000\u0000\u0000\u0013\u0001\u0000"+
+        "\u0000\u0000\u0000\u0015\u0001\u0000\u0000\u0000\u0000\u0017\u0001\u0000"+
+        "\u0000\u0000\u0000\u0019\u0001\u0000\u0000\u0000\u0000\u001b\u0001\u0000"+
+        "\u0000\u0000\u0000\u001d\u0001\u0000\u0000\u0000\u0000\u001f\u0001\u0000"+
+        "\u0000\u0000\u0001!\u0001\u0000\u0000\u0000\u0003#\u0001\u0000\u0000\u0000"+
+        "\u0005&\u0001\u0000\u0000\u0000\u0007(\u0001\u0000\u0000\u0000\t+\u0001"+
+        "\u0000\u0000\u0000\u000b.\u0001\u0000\u0000\u0000\r4\u0001\u0000\u0000"+
+        "\u0000\u000f8\u0001\u0000\u0000\u0000\u0011<\u0001\u0000\u0000\u0000\u0013"+
+        "@\u0001\u0000\u0000\u0000\u0015D\u0001\u0000\u0000\u0000\u0017G\u0001"+
+        "\u0000\u0000\u0000\u0019I\u0001\u0000\u0000\u0000\u001bL\u0001\u0000\u0000"+
+        "\u0000\u001d[\u0001\u0000\u0000\u0000\u001fc\u0001\u0000\u0000\u0000!"+
+        "\"\u0005>\u0000\u0000\"\u0002\u0001\u0000\u0000\u0000#$\u0005>\u0000\u0000"+
+        "$%\u0005=\u0000\u0000%\u0004\u0001\u0000\u0000\u0000&\'\u0005<\u0000\u0000"+
+        "\'\u0006\u0001\u0000\u0000\u0000()\u0005<\u0000\u0000)*\u0005=\u0000\u0000"+
+        "*\b\u0001\u0000\u0000\u0000+,\u0005=\u0000\u0000,-\u0005=\u0000\u0000"+
+        "-\n\u0001\u0000\u0000\u0000./\u0005c\u0000\u0000/0\u0005o\u0000\u0000"+
+        "01\u0005u\u0000\u000012\u0005n\u0000\u000023\u0005t\u0000\u00003\f\u0001"+
+        "\u0000\u0000\u000045\u0005s\u0000\u000056\u0005u\u0000\u000067\u0005m"+
+        "\u0000\u00007\u000e\u0001\u0000\u0000\u000089\u0005m\u0000\u00009:\u0005"+
+        "i\u0000\u0000:;\u0005n\u0000\u0000;\u0010\u0001\u0000\u0000\u0000<=\u0005"+
+        "m\u0000\u0000=>\u0005a\u0000\u0000>?\u0005x\u0000\u0000?\u0012\u0001\u0000"+
+        "\u0000\u0000@A\u0005a\u0000\u0000AB\u0005v\u0000\u0000BC\u0005g\u0000"+
+        "\u0000C\u0014\u0001\u0000\u0000\u0000DE\u0005b\u0000\u0000EF\u0005y\u0000"+
+        "\u0000F\u0016\u0001\u0000\u0000\u0000GH\u0005(\u0000\u0000H\u0018\u0001"+
+        "\u0000\u0000\u0000IJ\u0005)\u0000\u0000J\u001a\u0001\u0000\u0000\u0000"+
+        "KM\u0005-\u0000\u0000LK\u0001\u0000\u0000\u0000LM\u0001\u0000\u0000\u0000"+
+        "MO\u0001\u0000\u0000\u0000NP\u0007\u0000\u0000\u0000ON\u0001\u0000\u0000"+
+        "\u0000PQ\u0001\u0000\u0000\u0000QO\u0001\u0000\u0000\u0000QR\u0001\u0000"+
+        "\u0000\u0000RY\u0001\u0000\u0000\u0000SU\u0005.\u0000\u0000TV\u0007\u0000"+
+        "\u0000\u0000UT\u0001\u0000\u0000\u0000VW\u0001\u0000\u0000\u0000WU\u0001"+
+        "\u0000\u0000\u0000WX\u0001\u0000\u0000\u0000XZ\u0001\u0000\u0000\u0000"+
+        "YS\u0001\u0000\u0000\u0000YZ\u0001\u0000\u0000\u0000Z\u001c\u0001\u0000"+
+        "\u0000\u0000[_\u0007\u0001\u0000\u0000\\^\u0007\u0002\u0000\u0000]\\\u0001"+
+        "\u0000\u0000\u0000^a\u0001\u0000\u0000\u0000_]\u0001\u0000\u0000\u0000"+
+        "_`\u0001\u0000\u0000\u0000`\u001e\u0001\u0000\u0000\u0000a_\u0001\u0000"+
+        "\u0000\u0000bd\u0007\u0003\u0000\u0000cb\u0001\u0000\u0000\u0000de\u0001"+
+        "\u0000\u0000\u0000ec\u0001\u0000\u0000\u0000ef\u0001\u0000\u0000\u0000"+
+        "fg\u0001\u0000\u0000\u0000gh\u0006\u000f\u0000\u0000h \u0001\u0000\u0000"+
+        "\u0000\u0007\u0000LQWY_e\u0001\u0006\u0000\u0000";
     public static final ATN _ATN =
         new ATNDeserializer().deserialize(_serializedATN.toCharArray());
     static {

src/main/grammars/Aggregation.g4

@@ -21,7 +21,7 @@ RPAREN : ')' ;
 
 DECIMAL : '-'?[0-9]+('.'[0-9]+)? ;
 
-IDENTIFIER : [a-zA-Z*_][a-zA-Z_0-9]* ;
+IDENTIFIER : [a-zA-Z*_.][a-zA-Z_0-9.]* ;
 WS : [ \r\t\u000C\n]+ -> skip ;
 
 comparison_expr : comparison_operand comp_operator comparison_operand   # ComparisonExpressionWithOperator