fixes the duplicate alerts generated by Aggregation Sigma Roles (#1424)

* De-dupe Alerts generated by Aggregation Sigma Rules fix Signed-off-by: Riya Saxena <[email protected]> * De-dupe Alerts generated by Aggregation Sigma Rules fix Signed-off-by: Riya Saxena <[email protected]> * De-dupe Alerts generated by Aggregation Sigma Rules fix Signed-off-by: Riya Saxena <[email protected]> * tests fix Signed-off-by: Riya Saxena <[email protected]> * tests fix Signed-off-by: Riya Saxena <[email protected]> --------- Signed-off-by: Riya Saxena <[email protected]>
opensearch-project · Dec 18, 2024 · 4845337 · 4845337
1 parent 8a4176b
commit 4845337
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/...curityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java b/...curityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
@@ -202,7 +202,8 @@ private Monitor buildThreatIntelMonitor(IndexThreatIntelMonitorRequest request)
         DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(
                 String.format("threat intel input for monitor named %s", request.getMonitor().getName()),
                 request.getMonitor().getIndices(),
-                Collections.emptyList() // no percolate queries
+                Collections.emptyList(), // no percolate queries
+                true
         );
         List<PerIocTypeScanInput> perIocTypeScanInputs = request.getMonitor().getPerIocTypeScanInputList().stream().map(
                 it -> new PerIocTypeScanInput(it.getIocType(), it.getIndexToFieldsMap())

diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
@@ -772,7 +772,7 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List<Pair<String, Rule>
             docLevelQueries.add(docLevelQuery);
         }
         docLevelQueries.addAll(threatIntelQueries);
-        DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries);
+        DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries, true);
         docLevelMonitorInputs.add(docLevelMonitorInput);
 
         List<DocumentLevelTrigger> triggers = new ArrayList<>();
@@ -878,7 +878,7 @@ private IndexMonitorRequest createDocLevelMonitorMatchAllRequest(
         );
         docLevelQueries.add(docLevelQuery);
 
-        DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries);
+        DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries, false);
         docLevelMonitorInputs.add(docLevelMonitorInput);
 
         List<DocumentLevelTrigger> triggers = new ArrayList<>();

diff --git a/...ava/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java b/...ava/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java
@@ -50,7 +50,8 @@ public void testThreatInputSerde() throws IOException {
                                 bytes,
                                 new DocLevelMonitorInput("threat intel input",
                                         List.of("index1", "index2"),
-                                        emptyList()
+                                        emptyList(),
+                                        true
                                 )
                         )
                 ),