Skip to content

Commit

Permalink
ioc scan business logic
Browse files Browse the repository at this point in the history
  • Loading branch information
@eirsep
eirsep committed Jun 12, 2024
1 parent cea6496 commit f2229e2
Show file tree
Hide file tree
Showing 14 changed files with 640 additions and 25 deletions.
6 changes: 5 additions & 1 deletion src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
Expand Down Expand Up @@ -69,8 +70,11 @@ public void ensureLogTypesLoaded() {
private List<LogType> loadBuiltinLogTypes() throws URISyntaxException, IOException {
List<LogType> logTypes = new ArrayList<>();

final String url = Objects.requireNonNull(BuiltinLogTypeLoader.class.getClassLoader().getResource(BASE_PATH)).toURI().toString();
String pathurl = Paths.get(BuiltinLogTypeLoader.class.getClassLoader().getResource(BASE_PATH).toURI()).toString();

final String url = Objects.requireNonNull(BuiltinLogTypeLoader.class.getClassLoader().getResource(BASE_PATH)).toURI().toString();
logger.error("SASHANK Path url is {}", pathurl);
logger.error("SASHANK currently used url is {}", url);
Path dirPath = null;
if (url.contains("!")) {
final String[] paths = url.split("!");
Expand Down
16 changes: 8 additions & 8 deletions ...rch/securityanalytics/model/IoCMatch.java → ...analytics/model/threatintel/IocMatch.java
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package org.opensearch.securityanalytics.model;
package org.opensearch.securityanalytics.model.threatintel;

import org.apache.commons.lang3.StringUtils;
import org.opensearch.core.common.io.stream.StreamInput;
Expand All @@ -20,7 +20,7 @@
* IoC Match provides mapping of the IoC Value to the list of docs that contain the ioc in a given execution of IoC_Scan_job
* It's the inverse of an IoC finding which maps a document to list of IoC's
*/
public class IoCMatch implements Writeable, ToXContent {
public class IocMatch implements Writeable, ToXContent {
//TODO implement IoC_Match interface from security-analytics-commons
public static final String ID_FIELD = "id";
public static final String RELATED_DOC_IDS_FIELD = "related_doc_ids";
Expand All @@ -42,7 +42,7 @@ public class IoCMatch implements Writeable, ToXContent {
private final Instant timestamp;
private final String executionId;

public IoCMatch(String id, List<String> relatedDocIds, List<String> feedIds, String iocScanJobId,
public IocMatch(String id, List<String> relatedDocIds, List<String> feedIds, String iocScanJobId,
String iocScanJobName, String iocValue, String iocType, Instant timestamp, String executionId) {
validateIoCMatch(id, iocScanJobId, iocScanJobName, iocValue, timestamp, executionId, relatedDocIds);
this.id = id;
Expand All @@ -56,7 +56,7 @@ public IoCMatch(String id, List<String> relatedDocIds, List<String> feedIds, Str
this.executionId = executionId;
}

public IoCMatch(StreamInput in) throws IOException {
public IocMatch(StreamInput in) throws IOException {
id = in.readString();
relatedDocIds = in.readStringList();
feedIds = in.readStringList();
Expand Down Expand Up @@ -133,7 +133,7 @@ public String getExecutionId() {
return executionId;
}

public static IoCMatch parse(XContentParser xcp) throws IOException {
public static IocMatch parse(XContentParser xcp) throws IOException {
String id = null;
List<String> relatedDocIds = new ArrayList<>();
List<String> feedIds = new ArrayList<>();
Expand Down Expand Up @@ -197,11 +197,11 @@ public static IoCMatch parse(XContentParser xcp) throws IOException {
}
}

return new IoCMatch(id, relatedDocIds, feedIds, iocScanJobId, iocScanName, iocValue, iocType, timestamp, executionId);
return new IocMatch(id, relatedDocIds, feedIds, iocScanJobId, iocScanName, iocValue, iocType, timestamp, executionId);
}

public static IoCMatch readFrom(StreamInput in) throws IOException {
return new IoCMatch(in);
public static IocMatch readFrom(StreamInput in) throws IOException {
return new IocMatch(in);
}


Expand Down
155 changes: 155 additions & 0 deletions src/main/java/org/opensearch/securityanalytics/threatIntel/iocscan/dao/IocMatchService.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,155 @@
package org.opensearch.securityanalytics.threatIntel.iocscan.dao;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.ResourceAlreadyExistsException;
import org.opensearch.action.DocWriteRequest;
import org.opensearch.action.admin.indices.create.CreateIndexRequest;
import org.opensearch.action.bulk.BulkRequest;
import org.opensearch.action.bulk.BulkResponse;
import org.opensearch.action.index.IndexRequest;
import org.opensearch.action.support.GroupedActionListener;
import org.opensearch.action.support.WriteRequest;
import org.opensearch.client.Client;
import org.opensearch.cluster.service.ClusterService;
import org.opensearch.common.xcontent.XContentFactory;
import org.opensearch.core.action.ActionListener;
import org.opensearch.core.rest.RestStatus;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
import org.opensearch.securityanalytics.model.threatintel.IocMatch;
import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
import org.opensearch.securityanalytics.threatIntel.common.StashedThreadContext;
import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
import org.opensearch.threadpool.ThreadPool;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

/**
* Data layer to perform CRUD operations for threat intel ioc match : store in system index.
*/
public class IocMatchService {
//TODO manage index rollover
public static final String INDEX_NAME = ".opensearch-sap-iocmatch";
private static final Logger log = LogManager.getLogger(IocMatchService.class);
private final Client client;
private final ClusterService clusterService;

public IocMatchService(final Client client, final ClusterService clusterService) {
this.client = client;
this.clusterService = clusterService;
}

public void indexIocMatches(List<IocMatch> iocMatches,
final ActionListener<Void> actionListener) {
try {
Integer batchSize = this.clusterService.getClusterSettings().get(SecurityAnalyticsSettings.BATCH_SIZE);
createIndexIfNotExists(ActionListener.wrap(
r -> {
List<BulkRequest> bulkRequestList = new ArrayList<>();
BulkRequest bulkRequest = new BulkRequest(INDEX_NAME);
for (int i = 0; i < iocMatches.size(); i++) {
IocMatch iocMatch = iocMatches.get(i);
try {
IndexRequest indexRequest = new IndexRequest(INDEX_NAME)
.source(iocMatch.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS))
.opType(DocWriteRequest.OpType.CREATE);
bulkRequest.add(indexRequest);
if (
bulkRequest.requests().size() == batchSize
&& i != iocMatches.size() - 1 // final bulk request will be added outside for loop with refresh policy none
) {
bulkRequest.setRefreshPolicy(WriteRequest.RefreshPolicy.NONE);
bulkRequestList.add(bulkRequest);
bulkRequest = new BulkRequest();
}
} catch (IOException e) {
log.error(String.format("Failed to create index request for ioc match %s moving on to next"), e);
}
}
bulkRequest.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE);
bulkRequestList.add(bulkRequest);
GroupedActionListener<BulkResponse> groupedListener = new GroupedActionListener<>(ActionListener.wrap(bulkResponses -> {
int idx = 0;
for (BulkResponse response : bulkResponses) {
BulkRequest request = bulkRequestList.get(idx);
if (response.hasFailures()) {
log.error("Failed to bulk index {} Ioc Matches. Failure: {}", request.batchSize(), response.buildFailureMessage());
}
}
actionListener.onResponse(null);
}, actionListener::onFailure), bulkRequestList.size());
for (BulkRequest req : bulkRequestList) {
try {
client.bulk(req, groupedListener); //todo why stash context here?
} catch (Exception e) {
log.error("Failed to save ioc matches.", e);
}
}
}, e -> {
log.error("Failed to create System Index");
actionListener.onFailure(e);
}));


} catch (Exception e) {
log.error("Exception saving the threat intel source config in index", e);
actionListener.onFailure(e);
}
}

private String getIndexMapping() {
try {
try (InputStream is = IocMatchService.class.getResourceAsStream("/mappings/ioc_match_mapping.json")) {
try (BufferedReader reader = new BufferedReader(new InputStreamReader(is, StandardCharsets.UTF_8))) {
return reader.lines().map(String::trim).collect(Collectors.joining());
}
}
} catch (IOException e) {
log.error("Failed to get the threat intel ioc match index mapping", e);
throw new SecurityAnalyticsException("Failed to get the threat intel ioc match index mapping", RestStatus.INTERNAL_SERVER_ERROR, e);
}
}

/**
* Index name: .opensearch-sap-iocmatch
* Mapping: /mappings/ioc_match_mapping.json
*
* @param listener setup listener
*/
public void createIndexIfNotExists(final ActionListener<Void> listener) {
// check if job index exists
try {
if (clusterService.state().metadata().hasIndex(INDEX_NAME) == true) {
listener.onResponse(null);
return;
}
final CreateIndexRequest createIndexRequest = new CreateIndexRequest(INDEX_NAME).mapping(getIndexMapping())
.settings(SecurityAnalyticsPlugin.TIF_JOB_INDEX_SETTING);
client.admin().indices().create(createIndexRequest, ActionListener.wrap(
r -> {
log.debug("Ioc match index created");
listener.onResponse(null);
}, e -> {
if (e instanceof ResourceAlreadyExistsException) {
log.debug("index {} already exist", INDEX_NAME);
listener.onResponse(null);
return;
}
log.error("Failed to create security analytics threat intel job index", e);
listener.onFailure(e);
}
));
} catch (Exception e) {
log.error("Failure in creating ioc_match index", e);
listener.onFailure(e);
}
}
}
23 changes: 23 additions & 0 deletions src/main/java/org/opensearch/securityanalytics/threatIntel/iocscan/dto/IocScanContext.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
package org.opensearch.securityanalytics.threatIntel.iocscan.dto;

import org.opensearch.securityanalytics.threatIntel.iocscan.model.IocScanMonitor;

import java.util.List;

public class IocScanContext<Data> {
IocScanMonitor monitor;
boolean dryRun;
List<Data> data;

public IocScanMonitor getMonitor() {
return monitor;
}

public boolean isDryRun() {
return dryRun;
}

public List<Data> getData() {
return data;
}
}
26 changes: 26 additions & 0 deletions ...ava/org/opensearch/securityanalytics/threatIntel/iocscan/dto/PerIocTypeFieldMappings.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
package org.opensearch.securityanalytics.threatIntel.iocscan.dto;

import java.util.List;
import java.util.Map;

/**
* DTO that contains information about an Ioc type and the list of fields in each index that map to the given
*/
public class PerIocTypeFieldMappings {

private final String iocType;
private final Map<String, List<String>> indexToFieldsMap;

public PerIocTypeFieldMappings(String iocType, Map<String, List<String>> indexToFieldsMap) {
this.iocType = iocType;
this.indexToFieldsMap = indexToFieldsMap;
}

public String getIocType() {
return iocType;
}

public Map<String, List<String>> getIndexToFieldsMap() {
return indexToFieldsMap;
}
}
26 changes: 26 additions & 0 deletions src/main/java/org/opensearch/securityanalytics/threatIntel/iocscan/model/Ioc.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
package org.opensearch.securityanalytics.threatIntel.iocscan.model;

public class Ioc {

private final String feedId;
private final String iocValue;
private final String iocType;

public Ioc(String feedId, String iocValue, String iocType) {
this.feedId = feedId;
this.iocValue = iocValue;
this.iocType = iocType;
}

public String getFeedId() {
return feedId;
}

public String getIocValue() {
return iocValue;
}

public String getIocType() {
return iocType;
}
}
30 changes: 30 additions & 0 deletions src/main/java/org/opensearch/securityanalytics/threatIntel/iocscan/model/IocScanMonitor.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
package org.opensearch.securityanalytics.threatIntel.iocscan.model;

import org.opensearch.securityanalytics.threatIntel.iocscan.dto.PerIocTypeFieldMappings;

import java.util.List;
import java.util.Map;


public class IocScanMonitor {
String id;
String name;
List<PerIocTypeFieldMappings> iocTypeToIndexFieldMappings;
Map<String, List<String>> perIoCTypeThreatIntelIndices;

public String getId() {
return id;
}

public String getName() {
return name;
}

public List<PerIocTypeFieldMappings> getIocTypeToIndexFieldMappings() {
return iocTypeToIndexFieldMappings;
}

public Map<String, List<String>> getPerIoCTypeThreatIntelIndices() {
return perIoCTypeThreatIntelIndices;
}
}
Loading

0 comments on commit f2229e2

Please sign in to comment.