From 6e51969e5cc642be68cc625f8dc6f33ac7596d39 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 19 Dec 2024 22:55:16 +0000
Subject: [PATCH] fixes the duplicate alerts generated by Aggregation Sigma Roles (#1424)

* De-dupe Alerts generated by Aggregation Sigma Rules fix
Signed-off-by: Riya Saxena
* De-dupe Alerts generated by Aggregation Sigma Rules fix
Signed-off-by: Riya Saxena
* De-dupe Alerts generated by Aggregation Sigma Rules fix
Signed-off-by: Riya Saxena
* tests fix
Signed-off-by: Riya Saxena
* tests fix
Signed-off-by: Riya Saxena
---------
Signed-off-by: Riya Saxena
(cherry picked from commit 4845337ef2dfc8123a25056e9faa125873573c75)
Signed-off-by: github-actions[bot]
---
 .../monitor/TransportIndexThreatIntelMonitorAction.java | 3 ++-
 .../transport/TransportIndexDetectorAction.java | 4 ++--
 .../threatIntel/model/monitor/ThreatIntelInputTests.java | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
index 3edb6ea94..2945bd733 100644
--- a/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/threatIntel/transport/monitor/TransportIndexThreatIntelMonitorAction.java
@@ -202,7 +202,8 @@ private Monitor buildThreatIntelMonitor(IndexThreatIntelMonitorRequest request)
         DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(
                 String.format("threat intel input for monitor named %s", request.getMonitor().getName()),
                 request.getMonitor().getIndices(),
-                Collections.emptyList() // no percolate queries
+                Collections.emptyList(), // no percolate queries
+                true
         );
         List perIocTypeScanInputs = request.getMonitor().getPerIocTypeScanInputList().stream().map(
                 it -> new PerIocTypeScanInput(it.getIocType(), it.getIndexToFieldsMap())
diff --git a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
index 28ec5fcd8..fd22bc25e 100644
--- a/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
+++ b/src/main/java/org/opensearch/securityanalytics/transport/TransportIndexDetectorAction.java
@@ -767,7 +767,7 @@ private IndexMonitorRequest createDocLevelMonitorRequest(List
             docLevelQueries.add(docLevelQuery);
         }
         docLevelQueries.addAll(threatIntelQueries);
-        DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries);
+        DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries, true);
         docLevelMonitorInputs.add(docLevelMonitorInput);
         List triggers = new ArrayList<>();
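Review bot: The new fourth argument `true` in `buildThreatIntelMonitor` is a bare positional boolean whose parameter name is not visible in this hunk, so the only clue to what it switches on is the commit title about de-duplicating alerts; the next maintainer has to open the alerting plugin's `DocLevelMonitorInput` to find out. Name the intent at the call site, e.g. `true // <DocLevelMonitorInput's 4th flag>: keep per-document alerting for threat-intel matches — confirm name in alerting`, or hoist it into a named constant shared with `TransportIndexDetectorAction`, which passes the same literal. Since this input carries no percolate queries (`Collections.emptyList()`), it is unclear from here whether the flag changes anything for the threat-intel monitor, which is exactly what the comment should state. If `DocLevelMonitorInput` is provided by the alerting common library, the 4-arg constructor also pins this plugin to an alerting version that has it — worth recording if the build file does not already.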
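Review bot: In `createDocLevelMonitorRequest` the added `true` sits in a call that is otherwise identical to the one in `createDocLevelMonitorMatchAllRequest` (next hunk), which passes `false`, and nothing in the code explains the asymmetry — a later edit could easily "harmonise" the two and reintroduce the duplicate alerts. A one-line why-comment on the changed line would fix that, e.g. `// 4th arg on: the per-rule doc-level monitor keeps one alert per matching document; the match-all monitor turns this off (see createDocLevelMonitorMatchAllRequest)` — the wording of what the flag does should be taken from the `DocLevelMonitorInput` parameter name, which this hunk does not show. The only test touched by this patch is the threat-intel serde test, so nothing here pins the detector behaviour; a test that indexes a detector with one aggregation rule and one plain rule and asserts the expected alert count for each would guard the fix. The rest of `createDocLevelMonitorRequest` lies outside this hunk.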
@@ -868,7 +868,7 @@ private IndexMonitorRequest createDocLevelMonitorMatchAllRequest(
         );
         docLevelQueries.add(docLevelQuery);
-        DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries);
+        DocLevelMonitorInput docLevelMonitorInput = new DocLevelMonitorInput(detector.getName(), detector.getInputs().get(0).getIndices(), docLevelQueries, false);
         docLevelMonitorInputs.add(docLevelMonitorInput);
         List triggers = new ArrayList<>();
diff --git a/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java b/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java
index def2b21e5..03c98a2a7 100644
--- a/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/threatIntel/model/monitor/ThreatIntelInputTests.java
@@ -50,7 +50,8 @@ public void testThreatInputSerde() throws IOException {
                         bytes,
                         new DocLevelMonitorInput("threat intel input", List.of("index1", "index2"),
-                                emptyList()
+                                emptyList(),
+                                true
                         )
                 )
         ),
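Review bot: The `false` passed here in `createDocLevelMonitorMatchAllRequest` is, as far as this patch shows, the line that actually addresses the duplicate alerts in the title, yet it carries no comment and is the only place in the patch where the new flag is off. Add the reason on the line itself, e.g. `// false: enabling this on the match-all monitor produced duplicate alerts for aggregation Sigma rules (#1424)`, with the description of what the flag controls taken from `DocLevelMonitorInput`'s parameter name, which is not visible here. From a detection-engineering standpoint this flag changes how many alerts the match-all monitor emits, so a regression test asserting exactly one alert per aggregation-rule match — and that non-aggregation rules on the same detector still alert — would make the behaviour explicit; the only test updated in this patch is the threat-intel serde test. `createDocLevelMonitorMatchAllRequest` begins before this hunk and the request construction continues after it.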