wire in ioc findings
eirsep committed Jun 26, 2024
1 parent 34bc5a2 commit 07d5c13
Showing 12 changed files with 165 additions and 209 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,6 @@
import org.apache.commons.lang3.StringUtils;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.core.common.io.stream.Writeable;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.core.xcontent.XContentBuilder;
import org.opensearch.core.xcontent.XContentParser;
import org.opensearch.core.xcontent.XContentParserUtils;
Expand All @@ -22,7 +20,7 @@
* IoC Match provides mapping of the IoC Value to the list of docs that contain the ioc in a given execution of IoC_Scan_job
* It's the inverse of an IoC finding which maps a document to list of IoC's
*/
public class IocFinding implements Writeable, ToXContent {
public class IocFinding extends BaseEntity {
//TODO implement IoC_Match interface from security-analytics-commons
public static final String ID_FIELD = "id";
public static final String RELATED_DOC_IDS_FIELD = "related_doc_ids";
Expand Down
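Review bot: The class Javadoc just above the declaration still describes "IoC Match" and calls itself "the inverse of an IoC finding", while the declaration now reads `public class IocFinding extends BaseEntity`, so the comment contradicts the type it documents. With the Writeable/ToXContent imports dropped and the parent changed, this is the moment to make the summary match, e.g. `IocFinding maps one IoC value to the documents that matched it in a given run of the IoC scan job`, and to keep the TODO about the commons interface as a separate line. Whether BaseEntity still supplies the Writeable/ToXContent contract the old declaration carried cannot be seen from this hunk, and the class body continues outside it.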
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.core.xcontent.XContentBuilder;
import org.opensearch.core.xcontent.XContentParser;
import org.opensearch.securityanalytics.util.XContentUtils;

import java.io.IOException;
import java.time.Instant;
Expand Down Expand Up @@ -135,7 +136,7 @@ public ThreatIntelAlert(ThreatIntelAlert currentAlert, List<String> findingIds)
this.iocValue = currentAlert.iocValue;
this.iocType = currentAlert.iocType;
this.actionExecutionResults = currentAlert.actionExecutionResults;
this.lastUpdatedTime = currentAlert.lastUpdatedTime;
this.lastUpdatedTime = Instant.now();
}

public boolean isAcknowledged() {
Expand Down Expand Up @@ -296,11 +297,11 @@ private XContentBuilder createXContentBuilder(XContentBuilder builder, boolean s
.field(IOC_TYPE_FIELD, iocType)
.field(SEVERITY_FIELD, severity)
.field(ACTION_EXECUTION_RESULTS_FIELD, actionExecutionResults.toArray())
.field(FINDING_IDS_FIELD, findingIds.toArray(new String[0]))
.field(START_TIME_FIELD, startTime)
.field(END_TIME_FIELD, endTime)
.field(ACKNOWLEDGED_TIME_FIELD, acknowledgedTime)
.field(LAST_UPDATED_TIME_FIELD, lastUpdatedTime);
.field(FINDING_IDS_FIELD, findingIds.toArray(new String[0]));
XContentUtils.buildInstantAsField(builder, acknowledgedTime, ACKNOWLEDGED_TIME_FIELD);
XContentUtils.buildInstantAsField(builder, lastUpdatedTime, LAST_UPDATED_TIME_FIELD);
XContentUtils.buildInstantAsField(builder, startTime, START_TIME_FIELD);
XContentUtils.buildInstantAsField(builder, endTime, END_TIME_FIELD);
if (!secure) {
if (user == null) {
builder.nullField(USER_FIELD);
Expand Down
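Review bot: The copy constructor `ThreatIntelAlert(ThreatIntelAlert currentAlert, List<String> findingIds)` now sets `this.lastUpdatedTime = Instant.now()` instead of copying the source value, so it is no longer a faithful copy and any caller that used it only to re-read an alert now bumps the timestamp. That intent deserves a comment on the line, e.g. `// attaching new finding ids counts as an update; refresh lastUpdatedTime`, and a sentence in the constructor's Javadoc, since two alerts built from the same source are no longer equal on this field. The constructor signature and the rest of its body are outside the hunk. The second hunk routes the four Instant fields through `XContentUtils.buildInstantAsField`; whether that helper tolerates a null `acknowledgedTime` the way the old `.field(...)` call did cannot be confirmed from here, so an un-acknowledged alert should be checked to still serialize.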
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.index.IndexNotFoundException;
import org.opensearch.rest.action.admin.indices.AliasesNotFoundException;
import org.opensearch.search.builder.SearchSourceBuilder;
import org.opensearch.securityanalytics.model.threatintel.BaseEntity;
import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
Expand Down Expand Up @@ -56,11 +57,11 @@ public void bulkIndexEntities(List<Entity> newEntityList, List<Entity> updatedEn
createIndexIfNotExists(ActionListener.wrap(
r -> {
List<BulkRequest> bulkRequestList = new ArrayList<>();
BulkRequest bulkRequest = new BulkRequest(getIndexName());
BulkRequest bulkRequest = new BulkRequest(getEntityAliasName());
for (int i = 0; i < newEntityList.size(); i++) {
Entity entity = newEntityList.get(i);
try {
IndexRequest indexRequest = new IndexRequest(getIndexName())
IndexRequest indexRequest = new IndexRequest(getEntityAliasName())
.id(entity.getId())
.source(entity.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS))
.opType(DocWriteRequest.OpType.CREATE);
Expand All @@ -82,7 +83,7 @@ public void bulkIndexEntities(List<Entity> newEntityList, List<Entity> updatedEn
for (int i = 0; i < updatedEntityList.size(); i++) {
Entity entity = updatedEntityList.get(i);
try {
IndexRequest indexRequest = new IndexRequest(getIndexName())
IndexRequest indexRequest = new IndexRequest(getEntityAliasName())
.id(entity.getId())
.source(entity.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS))
.opType(DocWriteRequest.OpType.UPDATE);
Expand Down Expand Up @@ -121,7 +122,7 @@ public void bulkIndexEntities(List<Entity> newEntityList, List<Entity> updatedEn
}
}
}, e -> {
log.error(() -> new ParameterizedMessage("Failed to create System Index {}", getIndexName()), e);
log.error(() -> new ParameterizedMessage("Failed to create System Index {}", getEntityAliasName()), e);
actionListener.onFailure(e);
}));

Expand All @@ -139,11 +140,11 @@ public void bulkIndexEntities(List<Entity> entityList,
createIndexIfNotExists(ActionListener.wrap(
r -> {
List<BulkRequest> bulkRequestList = new ArrayList<>();
BulkRequest bulkRequest = new BulkRequest(getIndexName());
BulkRequest bulkRequest = new BulkRequest(getEntityAliasName());
for (int i = 0; i < entityList.size(); i++) {
Entity entity = entityList.get(i);
try {
IndexRequest indexRequest = new IndexRequest(getIndexName())
IndexRequest indexRequest = new IndexRequest(getEntityAliasName())
.id(entity.getId())
.source(entity.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS))
.opType(DocWriteRequest.OpType.CREATE);
Expand Down Expand Up @@ -182,7 +183,7 @@ public void bulkIndexEntities(List<Entity> entityList,
}
}
}, e -> {
log.error(() -> new ParameterizedMessage("Failed to create System Index {}", getIndexName()), e);
log.error(() -> new ParameterizedMessage("Failed to create System Index {}", getEntityIndexPattern()), e);
actionListener.onFailure(e);
}));

Expand All @@ -193,19 +194,19 @@ public void bulkIndexEntities(List<Entity> entityList,
}
}

public void searchEntities(SearchSourceBuilder searchSourceBuilder, final ActionListener<SearchResponse> listener) {
public void search(SearchSourceBuilder searchSourceBuilder, final ActionListener<SearchResponse> listener) {
SearchRequest searchRequest = new SearchRequest()
.source(searchSourceBuilder)
.indices(getIndexName());
.indices(getEntityAliasName());
client.search(searchRequest, ActionListener.wrap(
listener::onResponse,
e -> {
if (e instanceof IndexNotFoundException) {
if (e instanceof IndexNotFoundException || e instanceof AliasesNotFoundException) {
listener.onResponse(getEmptySearchResponse());
return;
}
log.error(
() -> new ParameterizedMessage("Failed to search {}s from index {}.", getEntityName(), getIndexName()),
() -> new ParameterizedMessage("Failed to search {}s from index {}.", getEntityName(), getEntityAliasName()),
e);
listener.onFailure(e);
}
Expand All @@ -214,39 +215,42 @@ public void searchEntities(SearchSourceBuilder searchSourceBuilder, final Action

public void createIndexIfNotExists(final ActionListener<Void> listener) {
try {
if (clusterService.state().metadata().hasIndex(getIndexName()) == true) {
if (clusterService.state().metadata().hasAlias(getEntityAliasName())) {
listener.onResponse(null);
return;
}
final CreateIndexRequest createIndexRequest = new CreateIndexRequest(getIndexName()).mapping(getIndexMapping())
final CreateIndexRequest createIndexRequest = new CreateIndexRequest(getEntityIndexPattern()).mapping(getEntityIndexMapping())
.settings(getIndexSettings());
client.admin().indices().create(createIndexRequest, ActionListener.wrap(
r -> {
log.debug("{} index created", getIndexName());
log.debug("{} index created", getEntityName());
listener.onResponse(null);
}, e -> {
if (e instanceof ResourceAlreadyExistsException) {
log.debug("index {} already exist", getIndexMapping());
log.debug("index {} already exist", getEntityIndexMapping());
listener.onResponse(null);
return;
}
log.error(String.format("Failed to create security analytics threat intel %s index", getIndexName()), e);
log.error(String.format("Failed to create security analytics threat intel %s index", getEntityName()), e);
listener.onFailure(e);
}
));
} catch (Exception e) {
log.error(String.format("Failure in creating %s index", getIndexName()), e);
log.error(String.format("Failure in creating %s index", getEntityName()), e);
listener.onFailure(e);
}
}

protected abstract String getIndexMapping();

protected abstract String getIndexName();
protected abstract String getEntityIndexMapping();

public abstract String getEntityName();

protected Settings.Builder getIndexSettings() {
return Settings.builder().put("index.hidden", true);
}

public abstract String getEntityAliasName();

public abstract String getEntityIndexPattern();

}
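Review bot: In createIndexIfNotExists the guard now asks `hasAlias(getEntityAliasName())`, but the `CreateIndexRequest(getEntityIndexPattern())` it builds never attaches that alias, so unless the alias is created somewhere outside this hunk the guard is false on every call, the second creation lands in the ResourceAlreadyExistsException branch and is reported as success, and the bulk and search paths keep targeting an alias nothing created; `.alias(new Alias(getEntityAliasName()))` on the request would close that gap. In that same catch branch `log.debug("index {} already exist", getEntityIndexMapping())` prints the mapping JSON where the index name belongs; `getEntityIndexPattern()` is what the request used. The failure logs of the two bulkIndexEntities overloads also disagree for the same "Failed to create System Index" message, one printing `getEntityAliasName()` and the other `getEntityIndexPattern()`. The class header and the bulkIndexEntities signatures start outside the hunks shown.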