Skip to content

Pex 552/on demand detection triggers #416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cmcginley-splunk merged 21 commits into from
Jul 9, 2025
Merged

Pex 552/on demand detection triggers #416

Changes from 2 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
b1aa8b9
Use dispatch() to trigger savedsearch
xqi-splunk Jun 13, 2025
af111b7
Add rerun for savedsearch
xqi-splunk Jun 13, 2025
22def48
Update retry logic
xqi-splunk Jun 18, 2025
a993ed8
Merge branch 'main' into PEX-552/on-demand-detection-triggers
xqi-splunk Jun 18, 2025
48be3ae
Add debug logging
xqi-splunk Jun 18, 2025
c0a3bea
Fix lint error
xqi-splunk Jun 20, 2025
dd74f91
Fix format error
xqi-splunk Jun 20, 2025
9b09545
Update rerun logic based on wait time data
xqi-splunk Jun 20, 2025
b8e6c12
Add some comments
xqi-splunk Jun 23, 2025
1349ff0
Refactor risk/notable query to dispatch search sid
xqi-splunk Jun 23, 2025
3bcb748
Set logging back to default
xqi-splunk Jun 23, 2025
150c209
Refractor retry block structure
xqi-splunk Jun 24, 2025
bf024cc
Update comment and variable names to be more descriptive
xqi-splunk Jun 24, 2025
842125c
Update search query for risk datamodel
xqi-splunk Jun 24, 2025
1a8ff7e
Update comment
xqi-splunk Jun 24, 2025
7a33f57
Update comment and error raising
xqi-splunk Jun 26, 2025
20b1d44
Merge branch 'main' into PEX-552/on-demand-detection-triggers
pyth0n1c Jun 26, 2025
5208931
Update docstring
xqi-splunk Jul 8, 2025
4b413ad
Remove cleanup
xqi-splunk Jul 8, 2025
290a5f4
Update wait_time assign logic
xqi-splunk Jul 8, 2025
2854098
Merge branch 'main' into PEX-552/on-demand-detection-triggers
cmcginley-splunk Jul 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
110 changes: 88 additions & 22 deletions contentctl/objects/correlation_search.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@
from contentctl.objects.risk_event import RiskEvent

# Suppress logging by default; enable for local testing
ENABLE_LOGGING = False
ENABLE_LOGGING = True
LOG_LEVEL = logging.DEBUG
LOG_PATH = "correlation_search.log"
LOG_PATH = "correlation_search_test2.log"


class SavedSearchKeys(StrEnum):
Expand Down Expand Up @@ -88,7 +88,7 @@

EARLIEST_TIME = "-5y@y"
LATEST_TIME = "-1m@m"
CRON_SCHEDULE = "*/1 * * * *"
CRON_SCHEDULE = "0 0 1 1 *"


class ResultIterator:
Expand Down Expand Up @@ -437,6 +437,18 @@
if refresh:
self.refresh()

def dispatch(self) -> splunklib.Job:
"""Dispatches the SavedSearch

Dispatches the SavedSearch entity, returning a Job object representing the search job.
:return: a splunklib.Job object representing the search job
"""
self.logger.debug(f"Dispatching {self.name}...")
try:
return self.saved_search.dispatch(trigger_actions=True) # type: ignore
except HTTPError as e:
raise ServerError(f"HTTP error encountered while dispatching detection: {e}")

def disable(self, refresh: bool = True) -> None:
"""Disables the SavedSearch

Expand Down Expand Up @@ -496,6 +508,18 @@
self.update_timeframe(refresh=False)
if not self.enabled:
Copy link
Contributor

@cmcginley-splunk cmcginley-splunk Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we still want this behavior where force_run will throw a warning if called after the detection is enabled?

Copy link
Collaborator

@xqi-splunk xqi-splunk Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so? Is there a reason we would like to remove the warning?

Copy link
Collaborator

@xqi-splunk xqi-splunk Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

force_run function is removed after refactoring as discussed.

self.enable(refresh=False)
job = self.dispatch()
self.logger.info(f"Force running detection '{self.name}' with job ID: {job.sid}")

time_to_execute = 0

# Check if the job is finished
while not job.is_done():
self.logger.info(f"Job {job.sid} is still running...")
time.sleep(1)
time_to_execute += 1

self.logger.info(f"Job {job.sid} has finished running in {time_to_execute} seconds.")
else:
self.logger.warning(f"Detection '{self.name}' was already enabled")

Expand Down Expand Up @@ -910,10 +934,10 @@

# keep track of time slept and number of attempts for exponential backoff (base 2)
elapsed_sleep_time = 0
num_tries = 0

Check failure on line 937 in contentctl/objects/correlation_search.py

View workflow job for this annotation

GitHub Actions / lint

Ruff (F841) 

contentctl/objects/correlation_search.py:937:9: F841 Local variable `num_tries` is assigned to but never used

# set the initial base sleep time
time_to_sleep = TimeoutConfig.BASE_SLEEP

Check failure on line 940 in contentctl/objects/correlation_search.py

View workflow job for this annotation

GitHub Actions / lint

Ruff (F841) 

contentctl/objects/correlation_search.py:940:9: F841 Local variable `time_to_sleep` is assigned to but never used

try:
# first make sure the indexes are currently empty and the detection is starting from a disabled state
Expand Down Expand Up @@ -946,24 +970,66 @@
self.update_pbar(TestingStates.FORCE_RUN)
self.force_run()

# loop so long as the elapsed time is less than max_sleep
while elapsed_sleep_time < max_sleep:
# sleep so the detection job can finish
self.logger.info(
f"Waiting {time_to_sleep} for {self.name} so it can finish"
)
self.update_pbar(TestingStates.VALIDATING)
time.sleep(time_to_sleep)
elapsed_sleep_time += time_to_sleep
# # loop so long as the elapsed time is less than max_sleep
# while elapsed_sleep_time < max_sleep:
# # sleep so the detection job can finish
# self.logger.info(
# f"Waiting {time_to_sleep} for {self.name} so it can finish"
# )
# self.update_pbar(TestingStates.VALIDATING)
# # time.sleep(time_to_sleep)
# self.logger.info(
# f"Skipping sleeping time for testing purposes"
# )
# elapsed_sleep_time += time_to_sleep

# self.logger.info(
# f"Validating detection (attempt #{num_tries + 1} - {elapsed_sleep_time} seconds elapsed of "
# f"{max_sleep} max)"
# )

# # reset the result to None on each loop iteration
# result = None

max_retries = 10
initial_wait = 2
max_wait = 60
max_total_wait = 300

current_turn = 1
wait_time = initial_wait
total_waited = 0

while current_turn <= max_retries and total_waited < max_total_wait:
current_turn += 1

self.logger.info(
f"Validating detection (attempt #{num_tries + 1} - {elapsed_sleep_time} seconds elapsed of "
f"{max_sleep} max)"
f"Skipping sleeping time for testing purposes"

Check failure on line 1007 in contentctl/objects/correlation_search.py

View workflow job for this annotation

GitHub Actions / lint

Ruff (F541) 

contentctl/objects/correlation_search.py:1007:25: F541 f-string without any placeholders
)

if current_turn > 3:
time.sleep(wait_time)
total_waited += wait_time
self.logger.info(f"Waiting {wait_time}s before retry {current_turn}...")

wait_time = min(wait_time * 2, max_wait)

# Rerun the search job
job = self.dispatch()
self.logger.info(f"Force running detection '{self.name}' with job ID: {job.sid}")

time_to_execute = 0

# Check if the job is finished
while not job.is_done():
self.logger.info(f"Job {job.sid} is still running...")
time.sleep(1)
time_to_execute += 1

self.logger.info(f"Job {job.sid} has finished running in {time_to_execute} seconds.")

# reset the result to None on each loop iteration
result = None

try:
# Validate risk events
if self.has_risk_analysis_action:
Expand Down Expand Up @@ -1023,15 +1089,15 @@
)
break

# increment number of attempts to validate detection
num_tries += 1
# # increment number of attempts to validate detection
# num_tries += 1

# compute the next time to sleep for
time_to_sleep = 2**num_tries
# # compute the next time to sleep for
# time_to_sleep = 2**num_tries

# if the computed time to sleep will exceed max_sleep, adjust appropriately
if (elapsed_sleep_time + time_to_sleep) > max_sleep:
time_to_sleep = max_sleep - elapsed_sleep_time
# # if the computed time to sleep will exceed max_sleep, adjust appropriately
# if (elapsed_sleep_time + time_to_sleep) > max_sleep:
# time_to_sleep = max_sleep - elapsed_sleep_time

# TODO (PEX-436): should cleanup be in a finally block so it runs even on exception?
# cleanup the created events, disable the detection and return the result
Expand Down
Loading