Skip to content

Correlate findings in batches #1539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 0 commits into from
Closed

Correlate findings in batches #1539

wants to merge 0 commits into from

Conversation

toepkerd
Copy link
Collaborator

@toepkerd toepkerd commented Jun 12, 2025
edited
Loading

Description

Correlations now correlates findings in batches synchronously instead of starting a task for each individual finding. Also performs some prechecks before even correlating in the first place:

  1. is auto correlations setting enabled
  2. does correlation rules index exist
  3. is correlation rules index not empty

For Reviewers

The only file with meaningful changes is TransportCorrelateFindingAction.java, below is a guide to direct your attention to the most important changes:

  • Lines 153-181: prechecks before running correlations at all
  • Lines 303-313: synchronous and timeboxed correlations of findings
  • Lines 558-574: changes to onFailure and onOperation (correlation's version of onSuccess) functionality to support new batch correlations

Related Issues

#1537

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • [N/A] API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • [N/A] Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

eirsep
eirsep reviewed Jun 12, 2025
View reviewed changes
build.gradle
implementation 'net.minidev:json-smart:2.5.2'
implementation 'net.minidev:accessors-smart:2.5.2'
compileOnly "com.google.guava:guava:32.1.3-jre"
implementation "com.google.guava:guava:32.1.3-jre"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need this?

@toepkerd toepkerd marked this pull request as ready for review June 12, 2025 23:29
@toepkerd toepkerd force-pushed the main branch 2 times, most recently from 0bc76a3 to d695bee Compare June 17, 2025 18:17
eirsep
eirsep requested changes Jun 18, 2025
View reviewed changes
src/main/java/org/opensearch/securityanalytics/transport/TransportCorrelateFindingAction.java
this.client = client;
this.xContentRegistry = xContentRegistry;
this.detectorIndices = detectorIndices;
this.correlationIndices = correlationIndices;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update this name

@toepkerd toepkerd closed this Jul 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eirsep eirsep eirsep requested changes

@amsiglan amsiglan Awaiting requested review from amsiglan

@AWSHurneyt AWSHurneyt Awaiting requested review from AWSHurneyt

@getsaurabh02 getsaurabh02 Awaiting requested review from getsaurabh02

@lezzago lezzago Awaiting requested review from lezzago

@praveensameneni praveensameneni Awaiting requested review from praveensameneni

@sbcd90 sbcd90 Awaiting requested review from sbcd90

@jowg-amazon jowg-amazon Awaiting requested review from jowg-amazon

@engechas engechas Awaiting requested review from engechas

@goyamegh goyamegh Awaiting requested review from goyamegh

@riysaxen-amzn riysaxen-amzn Awaiting requested review from riysaxen-amzn

Assignees

No one assigned

Labels

backport 2.x backport 2.19

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@toepkerd @eirsep