fix(soc-ai): reduce CPU overuse in plugin

Kbayero · Kbayero · commit 6718509200cf · 2025-07-22T12:08:44.000-04:00
diff --git a/installer/docker/plugins.go b/installer/docker/plugins.go
@@ -13,17 +13,18 @@ type PluginsConfig struct {
 }
 
 type PluginConfig struct {
-	Order        []string      `yaml:"order,omitempty"`
-	Port         int           `yaml:"port,omitempty"`
-	RulesFolder  string        `yaml:"rulesFolder,omitempty"`
-	GeoIPFolder  string        `yaml:"geoipFolder,omitempty"`
-	OpenSearch   string        `yaml:"opensearch,omitempty"`
-	PostgreSQL   PostgreConfig `yaml:"postgresql,omitempty"`
-	ServerName   string        `yaml:"serverName,omitempty"`
-	InternalKey  string        `yaml:"internalKey,omitempty"`
-	AgentManager string        `yaml:"agentManager,omitempty"`
-	Backend      string        `yaml:"backend,omitempty"`
-	CertsFolder  string        `yaml:"certsFolder,omitempty"`
+	Order         []string      `yaml:"order,omitempty"`
+	Port          int           `yaml:"port,omitempty"`
+	RulesFolder   string        `yaml:"rulesFolder,omitempty"`
+	GeoIPFolder   string        `yaml:"geoipFolder,omitempty"`
+	OpenSearch    string        `yaml:"opensearch,omitempty"`
+	PostgreSQL    PostgreConfig `yaml:"postgresql,omitempty"`
+	ServerName    string        `yaml:"serverName,omitempty"`
+	InternalKey   string        `yaml:"internalKey,omitempty"`
+	AgentManager  string        `yaml:"agentManager,omitempty"`
+	Backend       string        `yaml:"backend,omitempty"`
+	CertsFolder   string        `yaml:"certsFolder,omitempty"`
+	ModulesConfig string        `yaml:"modulesConfig,omitempty"`
 }
 
 type PostgreConfig struct {
@@ -75,11 +76,12 @@ func SetPluginsConfigs(conf *config.Config, stack *StackConfig) error {
 			Password: conf.Password,
 			Database: "utmstack",
 		},
-		ServerName:   conf.ServerName,
-		InternalKey:  conf.InternalKey,
-		AgentManager: "10.21.199.3:9000",
-		Backend:      "http://backend:8080",
-		CertsFolder:  "/cert",
+		ServerName:    conf.ServerName,
+		InternalKey:   conf.InternalKey,
+		AgentManager:  "10.21.199.3:9000",
+		Backend:       "http://backend:8080",
+		CertsFolder:   "/cert",
+		ModulesConfig: "event-processor-manager:9003",
 	}
 
 	openSearchPipeline := PluginsConfig{}
diff --git a/plugins/soc-ai/alert.go b/plugins/soc-ai/alert.go
@@ -1,8 +1,6 @@
 package main
 
 import (
-	"regexp"
-
 	"github.com/threatwinds/go-sdk/plugins"
 	"github.com/utmstack/UTMStack/plugins/soc-ai/config"
 	"github.com/utmstack/UTMStack/plugins/soc-ai/schema"
@@ -40,7 +38,7 @@ func cleanAlerts(alert schema.AlertFields) schema.AlertFields {
 					original := v.StringValue
 					cleaned := original
 					for _, pattern := range config.SensitivePatterns {
-						re := regexp.MustCompile(pattern.Regexp)
+						re := pattern.GetRegexp()
 						cleaned = re.ReplaceAllString(cleaned, pattern.FakeValue)
 					}
 					if cleaned != original {
diff --git a/plugins/soc-ai/config/config.go b/plugins/soc-ai/config/config.go
@@ -37,6 +37,7 @@ type Config struct {
 	Backend                   string
 	InternalKey               string
 	Opensearch                string
+	ModulesConfigHost         string
 	APIKey                    string
 	ChangeAlertStatus         bool
 	AutomaticIncidentCreation bool
@@ -64,14 +65,12 @@ func StartConfigurationSystem() {
 	config.Backend = pluginConfig.Get("backend").String()
 	config.InternalKey = pluginConfig.Get("internalKey").String()
 	config.Opensearch = pluginConfig.Get("opensearch").String()
+	config.ModulesConfigHost = pluginConfig.Get("modulesConfig").String()
 	configMutex.Unlock()
 
 	utils.Logger.Info("Starting gRPC configuration client...")
 
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	go ConnectAndStreamConfig("localhost:9003", config.InternalKey)
+	go ConnectAndStreamConfig(config.ModulesConfigHost, config.InternalKey)
 
 	ticker := time.NewTicker(5 * time.Second)
 	defer ticker.Stop()
@@ -91,84 +90,120 @@ func StartConfigurationSystem() {
 			} else {
 				utils.Logger.LogF(100, "No gRPC configuration available yet...")
 			}
-		case <-ctx.Done():
+		case <-configShutdown:
+			utils.Logger.Info("StartConfigurationSystem shutting down...")
 			return
 		}
 	}
 }
 
+var (
+	configShutdown = make(chan struct{})
+)
+
+func ShutdownConfigSystem() {
+	close(configShutdown)
+}
+
 func ConnectAndStreamConfig(serverAddress, internalKey string) {
 	for {
-		func() {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-			ctx = metadata.AppendToOutgoingContext(ctx, "internal-key", internalKey)
-			conn, err := grpc.NewClient(
-				serverAddress,
-				grpc.WithTransportCredentials(insecure.NewCredentials()),
-				grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMessageSize)),
-			)
+		select {
+		case <-configShutdown:
+			utils.Logger.Info("ConnectAndStreamConfig shutting down...")
+			return
+		default:
+		}
 
-			if err != nil {
-				catcher.Error("Failed to connect to server", err, nil)
-				return
-			}
+		connCtx, connCancel := context.WithCancel(context.Background())
+		connCtx = metadata.AppendToOutgoingContext(connCtx, "internal-key", internalKey)
+		conn, err := grpc.NewClient(
+			serverAddress,
+			grpc.WithTransportCredentials(insecure.NewCredentials()),
+			grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMessageSize)),
+		)
+
+		if err != nil {
+			catcher.Error("Failed to connect to server", err, nil)
+			connCancel()
+			time.Sleep(reconnectDelay)
+			continue
+		}
 
-			state := conn.GetState()
-			if state == connectivity.Shutdown || state == connectivity.TransientFailure {
-				catcher.Error("Connection is in shutdown or transient failure state", nil, nil)
-				return
-			}
+		state := conn.GetState()
+		if state == connectivity.Shutdown || state == connectivity.TransientFailure {
+			catcher.Error("Connection is in shutdown or transient failure state", nil, nil)
+			conn.Close()
+			connCancel()
+			time.Sleep(reconnectDelay)
+			continue
+		}
 
-			client := NewConfigServiceClient(conn)
-			stream, err := client.StreamConfig(ctx)
-			if err != nil {
-				catcher.Error("Failed to create stream", err, nil)
-				return
-			}
+		client := NewConfigServiceClient(conn)
+		stream, err := client.StreamConfig(connCtx)
+		if err != nil {
+			catcher.Error("Failed to create stream", err, nil)
+			conn.Close()
+			connCancel()
+			time.Sleep(reconnectDelay)
+			continue
+		}
 
-			err = stream.Send(&BiDirectionalMessage{
-				Payload: &BiDirectionalMessage_PluginInit{
-					PluginInit: &PluginInit{Type: PluginType_SOC_AI},
-				},
-			})
-			if err != nil {
-				catcher.Error("Failed to send PluginInit", err, nil)
+		err = stream.Send(&BiDirectionalMessage{
+			Payload: &BiDirectionalMessage_PluginInit{
+				PluginInit: &PluginInit{Type: PluginType_SOC_AI},
+			},
+		})
+		if err != nil {
+			catcher.Error("Failed to send PluginInit", err, nil)
+			conn.Close()
+			connCancel()
+			time.Sleep(reconnectDelay)
+			continue
+		}
+
+		for {
+			select {
+			case <-configShutdown:
+				conn.Close()
+				connCancel()
 				return
+			default:
 			}
 
-			for {
-				in, err := stream.Recv()
-				if err != nil {
-					if strings.Contains(err.Error(), "EOF") {
-						catcher.Info("Stream closed by server, reconnecting...", nil)
-						conn.Close()
-						time.Sleep(reconnectDelay)
-						break
-					}
-					st, ok := status.FromError(err)
-					if ok && (st.Code() == codes.Unavailable || st.Code() == codes.Canceled) {
-						catcher.Error("Stream error: "+st.Message(), err, nil)
-						conn.Close()
-						time.Sleep(reconnectDelay)
-						break
-					} else {
-						catcher.Error("Stream receive error", err, nil)
-						time.Sleep(reconnectDelay)
-						continue
-					}
+			in, err := stream.Recv()
+			if err != nil {
+				if strings.Contains(err.Error(), "EOF") {
+					catcher.Info("Stream closed by server, reconnecting...", nil)
+					conn.Close()
+					connCancel()
+					time.Sleep(reconnectDelay)
+					break
 				}
-
-				switch message := in.Payload.(type) {
-				case *BiDirectionalMessage_Config:
-					log.Printf("Received configuration update: %v", message.Config)
-					grpcMutex.Lock()
-					grpcConfig = message.Config
-					grpcMutex.Unlock()
+				st, ok := status.FromError(err)
+				if ok && (st.Code() == codes.Unavailable || st.Code() == codes.Canceled) {
+					catcher.Error("Stream error: "+st.Message(), err, nil)
+					conn.Close()
+					connCancel()
+					time.Sleep(reconnectDelay)
+					break
+				} else {
+					catcher.Error("Stream receive error", err, nil)
+					time.Sleep(reconnectDelay)
+					continue
 				}
 			}
-		}()
 
+			switch message := in.Payload.(type) {
+			case *BiDirectionalMessage_Config:
+				log.Printf("Received configuration update: %v", message.Config)
+				grpcMutex.Lock()
+				grpcConfig = message.Config
+				grpcMutex.Unlock()
+			}
+		}
+
+		conn.Close()
+		connCancel()
 		time.Sleep(reconnectDelay)
 	}
 }
diff --git a/plugins/soc-ai/config/const.go b/plugins/soc-ai/config/const.go
@@ -1,5 +1,10 @@
 package config
 
+import (
+	"regexp"
+	"sync"
+)
+
 const (
 	API_ALERT_ENDPOINT                  = "/api/elasticsearch/search"
 	API_ALERT_STATUS_ENDPOINT           = "/api/utm-alerts/status"
@@ -44,14 +49,23 @@ var (
 type SensitivePattern struct {
 	Regexp    string
 	FakeValue string
+	compiled  *regexp.Regexp
+	once      sync.Once
+}
+
+func (sp *SensitivePattern) GetRegexp() *regexp.Regexp {
+	sp.once.Do(func() {
+		sp.compiled = regexp.MustCompile(sp.Regexp)
+	})
+	return sp.compiled
 }
 
 var (
 	FakeUserName      = "John Doe"
 	FakeEmail         = "jhondoe@gmail.com"
-	SensitivePatterns = map[string]SensitivePattern{
+	SensitivePatterns = map[string]*SensitivePattern{
 		"email": {Regexp: `([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})`, FakeValue: "jhondoe@gmail.com"},
-		//"ipv4":  `(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`,
+		//"ipv4":  {Regexp: `(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`, FakeValue: "10.0.0.1"},
 	}
 	GPT_INSTRUCTION     = "You are an expert security engineer. Perform a deep analysis of an alert created by a SIEM and the logs related to it. Determine if the alert could be an actual potential threat or not and explain why. Provide a description that shows a deep understanding of the alert based on a deep analysis of its logs and estimate the risk to the systems affected. Classify the alert in the following manner: if the alert information is sufficient to determine that the security, availability, confidentiality, or integrity of the systems has being compromised, then classify it as \"possible incident\". If the alert does not pose a security risk to the organization or has no security relevance, classify it as \"possible false positive\". If the alert does not pose an imminent risk to the systems, requires no urgent action from an administrator, or requires not urgent review by an administrator, it should be classified as a \"standard alert\". You will also provide context-specific instructions for remediation, mitigation, or further investigation, related to the alert and logs analyzed. Your answer should be provided using the following JSON format and the total number of characters in your answer must not exceed 1500 words. Your entire answer must be inside this json format. {\"activity_id\":\"<activity_id>\",\"classification\":\"<classification>\",\"reasoning\":[\"<deep_reasoning>\"],\"nextSteps\":[{\"step\":1,\"action\":\"<action_1>\",\"details\":\"<action_1_details>\"},{\"step\":2,\"action\":\"<action_2>\",\"details\":\"<action_2_details>\"},{\"step\":3,\"action\":\"<action_3>\"]}Ensure that your entire answer adheres to the provided JSON format. The response should be valid JSON syntax and schema."
 	GPT_FALSE_POSITIVE  = "This alert is categorized as a potential false positive due to two key factors. Firstly, it originates from an automated system, which may occasionally produce alerts without direct human validation. Additionally, the absence of any correlated logs further raises suspicion, as a genuine incident typically leaves a trail of relevant log entries. Hence, the combination of its system-generated nature and the lack of associated logs suggests a likelihood of being a false positive rather than a genuine security incident."
