fix correlation engine trigger even if no rules are present

sbcd90 · sbcd90 · commit d6d5075d914d · 2025-06-19T21:10:22.000Z
Signed-off-by: Subhobrata Dey &lt;sbcd90@gmail.com&gt;
diff --git a/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java b/src/main/java/org/opensearch/securityanalytics/correlation/JoinEngine.java
@@ -253,12 +253,20 @@ private void onAutoCorrelations(Detector detector, Finding finding, Map<String,
                 CorrelationRule rule = CorrelationRule.parse(xcp, hit.getId(), hit.getVersion());
                 correlationRules.add(rule);
             }
-            getValidDocuments(detectorType, indices, correlationRules, relatedDocIds, autoCorrelations);
+            if (!correlationRules.isEmpty() || !autoCorrelations.isEmpty()) {
+                getValidDocuments(detectorType, indices, correlationRules, relatedDocIds, autoCorrelations);
+            } else {
+                correlateFindingAction.onOperation();
+            }
         }, e -> {
             try {
                 log.error("[CORRELATIONS] Exception encountered while searching correlation rule index for finding id {}",
                         finding.getId(), e);
-                getValidDocuments(detectorType, indices, List.of(), List.of(), autoCorrelations);
+                if (!autoCorrelations.isEmpty()) {
+                    getValidDocuments(detectorType, indices, List.of(), List.of(), autoCorrelations);
+                } else {
+                    correlateFindingAction.onOperation();
+                }
             } catch (Exception ex) {
                 onFailure(ex);
             }
diff --git a/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java b/src/test/java/org/opensearch/securityanalytics/correlation/CorrelationEngineRestApiIT.java
@@ -164,7 +164,6 @@ public void testListCorrelationsWorkflow() throws IOException, InterruptedExcept
 
     @SuppressWarnings("unchecked")
     public void testBasicCorrelationEngineWorkflowWithoutRules() throws IOException, InterruptedException {
-        updateClusterSetting(SecurityAnalyticsSettings.ENABLE_AUTO_CORRELATIONS.getKey(), "true");
         LogIndices indices = createIndices();
 
         String vpcFlowMonitorId = createVpcFlowDetector(indices.vpcFlowsIndex);
@@ -220,7 +219,8 @@ public void testBasicCorrelationEngineWorkflowWithoutRules() throws IOException,
                         }
                         return false;
                     } catch (Exception ex) {
-                        return false;
+                        // because no findings are found
+                        return true;
                     }
                 },
                 2, TimeUnit.MINUTES
