Skip to content

Pex 552/on demand detection triggers #416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
cmcginley-splunk merged 21 commits into from
Jul 9, 2025
Merged

Pex 552/on demand detection triggers #416

cmcginley-splunk merged 21 commits into from
Jul 9, 2025

Conversation

@pyth0n1c
Copy link
Contributor

@pyth0n1c pyth0n1c commented Jun 16, 2025

For integration testing, instead of scheduling a savedsearch to run and waiting a predefined amount of time, use the API to call the search right away. This can be a significant improvement in terms of the amount of time spent waiting for RBA/Notable artifacts to be generated.

pyth0n1c
pyth0n1c commented Jun 16, 2025
View reviewed changes
@xqi-splunk xqi-splunk self-assigned this Jun 23, 2025
@xqi-splunk xqi-splunk marked this pull request as ready for review June 23, 2025 17:08
@xqi-splunk
Copy link
Collaborator

xqi-splunk commented Jun 23, 2025

Code Changes

  • Use dispatch() to call the SavedSearch right away
  • Update the wait for risk/notable while loop and retry logic
    • Based on experiments, 45 detections need to retry dispatch() or run dispatch() after 50s to 120s after the savedsearch is enabled. Therefore, add a retry logic after 90s (50s is the corner case, most time needed falls under two intervals 70-80, and 120-130)
    • Based on experiments, some detections need extra waiting time for the risk/notable objects to be generated (like 20+ seconds). But since the validation process itself would need around 5s - 10s, we just let the validation process work as the natural wait time. Extra exponential wait time is added after 30s to avoid non necessary wait time. If wait time is added at the first place, regardless of the 30s, it would add 20 minutes extra test execution time.

Test Outcome

  • Decrease execute-testcases runtime from previous 111 minutes to 41 minutes.
  • Test result remain consistent, only Potential password in username failed. (No touch in the validation logic of risk/notable in this MR)

@xqi-splunk
Copy link
Collaborator

xqi-splunk commented Jun 23, 2025

Code Changes

  • Update query for validate risk/notables to use latest job.sid after dispatch()

Test Outcome

  • Test pipeline execute-testcases runtime 45 minutes
  • Test result remain consistent, only Potential password in username failed.

cmcginley-splunk
cmcginley-splunk requested changes Jun 24, 2025
View reviewed changes
Copy link
Contributor

@cmcginley-splunk cmcginley-splunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great Xiaonan! And the performance improvement is so so exciting; great job

Have a couple of structural changes requested, as well as sompoints for clarification

cmcginley-splunk
cmcginley-splunk requested changes Jun 26, 2025
View reviewed changes
Copy link
Contributor

@cmcginley-splunk cmcginley-splunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! A few more small tweaks and some points for conversation. @pyth0n1c please weigh in where appropriate :)

cmcginley-splunk
cmcginley-splunk requested changes Jul 8, 2025
View reviewed changes
contentctl/objects/correlation_search.py Outdated
f'search index=risk search_name="{self.name}" [search index=risk search '
f'search_name="{self.name}" | tail 1 | fields orig_sid] | tojson'
)
if self.sid is None:
Copy link
Contributor

@cmcginley-splunk cmcginley-splunk Jul 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For option 2, I was only suggesting that bool field in the case we still wanted to do cleanup pre-test. But I agree with Eric for all the reasons mentioned. I would remove this code path (or throw on self.sid is None) and remove the pre-test cleanup

contentctl/objects/correlation_search.py Outdated
f'search index=notable search_name="{self.name}" [search index=notable search '
f'search_name="{self.name}" | tail 1 | fields orig_sid] | tojson'
)
if self.sid is None:
Copy link
Contributor

@cmcginley-splunk cmcginley-splunk Jul 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my comment above

cmcginley-splunk
cmcginley-splunk requested changes Jul 8, 2025
View reviewed changes
cmcginley-splunk
cmcginley-splunk approved these changes Jul 9, 2025
View reviewed changes
Copy link
Contributor

@cmcginley-splunk cmcginley-splunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great xiaonan :) approved

@cmcginley-splunk cmcginley-splunk merged commit 6df8352 into main Jul 9, 2025
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xqi-splunk xqi-splunk xqi-splunk left review comments

@cmcginley-splunk cmcginley-splunk cmcginley-splunk approved these changes

Assignees

@xqi-splunk xqi-splunk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pyth0n1c @xqi-splunk @cmcginley-splunk