fix ioc type enum (opensearch-project#1122)
* Fixed mapping.

Signed-off-by: AWSHurneyt <[email protected]>

* Fixed tests.

Signed-off-by: AWSHurneyt <[email protected]>

* Updated jar.

Signed-off-by: AWSHurneyt <[email protected]>

* Fixed test.

Signed-off-by: AWSHurneyt <[email protected]>

* replace hyphen with underscore in ioc type

Signed-off-by: Surya Sashank Nistala <[email protected]>

---------

Signed-off-by: AWSHurneyt <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
Co-authored-by: AWSHurneyt <[email protected]>
2 people authored and jowg-amazon committed Jul 2, 2024
1 parent 465a897 commit a83c7d2
Showing 7 changed files with 19 additions and 20 deletions.
Binary file modified security-analytics-commons-1.0.0.jar
Expand Up @@ -68,7 +68,7 @@ public ActionRequestValidationException validate() {
for (String type : types) {
if (!ALL_TYPES_FILTER.equalsIgnoreCase(type)) {
try {
IOCType.valueOf(type);
IOCType.fromString(type);
} catch (IllegalArgumentException e) {
validationException = ValidateActions
.addValidationError(String.format("Unrecognized [%s] param.", TYPE_FIELD), validationException);
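Review bot: The new `IOCType.fromString(type)` call is relied on to throw `IllegalArgumentException` for an unrecognized type, but that method lives in `security-analytics-commons-1.0.0.jar`, which this commit replaces as a binary under an unchanged version name, so its contract (exception type, case handling, hyphen/underscore normalization) cannot be reviewed from the diff. If `fromString` returns a default or throws a different exception type for bad input, the validation error is never added and an unrecognized type reaches the request handler. Consider pinning the catch path with a unit test and recording a checksum or bumping the jar version so the binary change is traceable. The validation message could also name the rejected value, e.g. `String.format("Unrecognized [%s] param value [%s].", TYPE_FIELD, type)`. The enclosing `validate()` method begins and ends outside the hunk.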
4 changes: 3 additions & 1 deletion src/main/resources/mappings/stix2_ioc_mapping.json
Expand Up @@ -4,7 +4,6 @@
},
"properties": {
"stix2_ioc": {
"dynamic": "false",
"properties": {
"name": {
"type": "keyword"
Expand Down Expand Up @@ -35,6 +34,9 @@
},
"feed_id": {
"type": "keyword"
},
"feed_name": {
"type": "keyword"
}
}
}
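Review bot: The `@@ -4,7 +4,6 @@` hunk drops one line from the `stix2_ioc` object, and by the 7-to-6 line count and the surviving text that line appears to be `"dynamic": "false",`; with it gone, unrecognized fields in indexed IOC documents are dynamically mapped under the engine's default unless an enclosing object above the hunk sets `dynamic` itself. Threat-intel feed content is externally sourced, so letting it create arbitrary new fields risks mapping growth and field-name collisions in the IOC index. If the intent was only to add `feed_name`, keeping `"dynamic": "false",` (or `"strict"`) next to the explicit `feed_name` property is the safer shape. Whether the removal was deliberate is not visible in the diff and is worth confirming.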
7 changes: 2 additions & 5 deletions src/main/resources/mappings/threat_intel_job_mapping.json
Expand Up @@ -184,13 +184,10 @@
"hashes": {
"type": "text"
},
"ip": {
"ipv4_addr": {
"type": "text"
},
"ipv4-appr": {
"type": "text"
},
"ipv6-appr": {
"ipv6_addr": {
"type": "text"
}
}
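Review bot: No migration accompanies the renaming of mapped keys in this hunk, which by the printed lines and the 2-addition/5-deletion count replaces `ip`, `ipv4-appr` and `ipv6-appr` with `ipv4_addr` and `ipv6_addr`, so documents already stored in the job index under the old keys keep field names the mapping no longer declares. Whether those stale keys are then dynamically mapped or rejected depends on the `dynamic` setting of an enclosing object above the hunk, and whether the updated mapping is applied to existing indices at all depends on a schema-version mechanism not shown here; both are worth confirming. Three old keys collapse to two new ones, so it is also worth checking that no component still writes under a removed name.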
Expand Up @@ -106,7 +106,7 @@ public void testCreateSATIFSourceConfigAndVerifyJobRan() throws IOException, Int
// Generate test IOCs, and upload them to S3 to create the bucket object. Feed creation fails if the bucket object doesn't exist.
int numOfIOCs = 1;
stix2IOCGenerator = new STIX2IOCGenerator();
stix2IOCGenerator.setType(IOCType.ip);
stix2IOCGenerator.setType(IOCType.ipv4_addr);
s3ObjectGenerator.write(numOfIOCs, objectKey, stix2IOCGenerator);
assertEquals("Incorrect number of test IOCs generated.", numOfIOCs, stix2IOCGenerator.getIocs().size());

Expand Down Expand Up @@ -266,7 +266,7 @@ public void testDeleteSATIFSourceConfig() throws IOException {
// Generate test IOCs, and upload them to S3 to create the bucket object. Feed creation fails if the bucket object doesn't exist.
int numOfIOCs = 1;
stix2IOCGenerator = new STIX2IOCGenerator();
stix2IOCGenerator.setType(IOCType.ip);
stix2IOCGenerator.setType(IOCType.ipv4_addr);
s3ObjectGenerator.write(numOfIOCs, objectKey, stix2IOCGenerator);
assertEquals("Incorrect number of test IOCs generated.", numOfIOCs, stix2IOCGenerator.getIocs().size());

Expand Down Expand Up @@ -335,7 +335,7 @@ public void testRetrieveIOCsSuccessfully() throws IOException, InterruptedExcept
// Generate test IOCs, and upload them to S3
int numOfIOCs = 5;
stix2IOCGenerator = new STIX2IOCGenerator();
stix2IOCGenerator.setType(IOCType.ip);
stix2IOCGenerator.setType(IOCType.ipv4_addr);
s3ObjectGenerator.write(numOfIOCs, objectKey, stix2IOCGenerator);
assertEquals("Incorrect number of test IOCs generated.", numOfIOCs, stix2IOCGenerator.getIocs().size());

Expand All @@ -344,7 +344,7 @@ public void testRetrieveIOCsSuccessfully() throws IOException, InterruptedExcept
String feedFormat = "STIX2";
SourceConfigType sourceConfigType = SourceConfigType.S3_CUSTOM;
IntervalSchedule schedule = new IntervalSchedule(Instant.now(), 1, ChronoUnit.MINUTES);
List<String> iocTypes = List.of(IOCType.ip.toString());
List<String> iocTypes = List.of(IOCType.ipv4_addr.toString());

SATIFSourceConfigDto saTifSourceConfigDto = new SATIFSourceConfigDto(
null,
Expand Down Expand Up @@ -409,7 +409,7 @@ public void testRetrieveIOCsSuccessfully() throws IOException, InterruptedExcept
// Confirm expected IOCs have been ingested
for (int i = 0; i < numOfIOCs; i++) {
assertEquals(stix2IOCGenerator.getIocs().get(i).getName(), iocs.get(i).get(STIX2IOC.NAME_FIELD));
assertEquals(stix2IOCGenerator.getIocs().get(i).getType().toString(), iocs.get(i).get(STIX2IOC.TYPE_FIELD));
assertEquals(stix2IOCGenerator.getIocs().get(i).getType(), IOCType.fromString((String) iocs.get(i).get(STIX2IOC.TYPE_FIELD)));
assertEquals(stix2IOCGenerator.getIocs().get(i).getValue(), iocs.get(i).get(STIX2IOC.VALUE_FIELD));
assertEquals(stix2IOCGenerator.getIocs().get(i).getSeverity(), iocs.get(i).get(STIX2IOC.SEVERITY_FIELD));

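Review bot: The rewritten assertion in the `@@ -409,7 +409,7 @@` hunk compares enum values after `IOCType.fromString(...)` parses the stored type, so if `fromString` is lenient (case-insensitive or hyphen/underscore tolerant, as the commit title suggests) the test no longer pins the exact string written to the index, and a serialization change such as emitting a hyphenated form would still pass. The previous `toString()` comparison did pin it, and its removal under a "Fixed test" message suggests the enum's `toString()` and the stored value diverged, which is itself worth a look. Since the generator is given `IOCType.ipv4_addr` via `setType` earlier in this test, consider also asserting the raw value, e.g. `assertEquals("ipv4_addr", iocs.get(i).get(STIX2IOC.TYPE_FIELD));`, provided the generator assigns that type to every IOC it produces. The enclosing `testRetrieveIOCsSuccessfully` body starts before and continues past the hunk.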
Expand Up @@ -44,7 +44,7 @@ public void testCreateIocUploadSourceConfig() throws IOException {
List<STIX2IOCDto> iocs = List.of(new STIX2IOCDto(
"id",
"name",
IOCType.ip,
IOCType.ipv4_addr,
"value",
"severity",
null,
Expand All @@ -58,7 +58,7 @@ public void testCreateIocUploadSourceConfig() throws IOException {

IocUploadSource iocUploadSource = new IocUploadSource(null, iocs);
Boolean enabled = false;
List<String> iocTypes = List.of("ip");
List<String> iocTypes = List.of("ipv4_addr");
SATIFSourceConfigDto saTifSourceConfigDto = new SATIFSourceConfigDto(
null,
null,
Expand Down Expand Up @@ -128,7 +128,7 @@ public void testCreateIocUploadSourceConfig() throws IOException {
iocHits = (List<Map<String, Object>>) respMap.get(ListIOCsActionResponse.HITS_FIELD);
assertEquals(iocs.size(), iocHits.size());
// Retrieve all IOCs by ip types
iocResponse = makeRequest(client(), "GET", STIX2IOCGenerator.getListIOCsURI(), Map.of(ListIOCsActionRequest.TYPE_FIELD, "ip,domain"), null);
iocResponse = makeRequest(client(), "GET", STIX2IOCGenerator.getListIOCsURI(), Map.of(ListIOCsActionRequest.TYPE_FIELD, "ipv4_addr,domain_name"), null);
Assert.assertEquals(200, iocResponse.getStatusLine().getStatusCode());
respMap = asMap(iocResponse);

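Review bot: The comment `// Retrieve all IOCs by ip types` above the changed request is now stale, since the filter `"ipv4_addr,domain_name"` asks for two types; `// Retrieve IOCs filtered to the ipv4_addr and domain_name types` would match the code. The type strings here and in `List.of("ipv4_addr")` in the previous hunk are hand-written literals, while the sibling integration test in this commit derives them as `IOCType.ipv4_addr.toString()`; using the enum in both places keeps the tests from silently diverging from the serialized names if they change again. I cannot see from the hunk whether `domain_name` is a declared `IOCType` constant, so that literal in particular would benefit from an enum reference if one exists. The enclosing `testCreateIocUploadSourceConfig` body extends beyond the hunk.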
Expand Up @@ -60,7 +60,7 @@ private void indexIocs(List<String> iocVals, String iocIndexName, int i1, String
STIX2IOC stix2IOC = new STIX2IOC(
iocId,
"random",
IOCType.ip,
IOCType.ipv4_addr,
iocVals.get(i1),
"",
Instant.now(),
Expand Down Expand Up @@ -96,8 +96,8 @@ private void indexTifSourceConfig(int num, String configId, String iocIndexName,
null,
null,
false,
new DefaultIocStoreConfig(Map.of("ip", List.of(iocIndexName))),
List.of("ip")
new DefaultIocStoreConfig(Map.of("ipv4_addr", List.of(iocIndexName))),
List.of("ipv4_addr")
);
String indexName = SecurityAnalyticsPlugin.JOB_INDEX_NAME;
Response response = indexDoc(indexName, configId, config.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS).toString());
Expand Down Expand Up @@ -230,8 +230,8 @@ public static String getMatchAllRequest() {
}

public static ThreatIntelMonitorDto randomIocScanMonitorDto(String index) {
ThreatIntelTriggerDto t1 = new ThreatIntelTriggerDto(List.of(index, "randomIndex"), List.of("ip", "domain"), emptyList(), "match", null, "severity");
ThreatIntelTriggerDto t2 = new ThreatIntelTriggerDto(List.of("randomIndex"), List.of("domain"), emptyList(), "nomatch", null, "severity");
ThreatIntelTriggerDto t1 = new ThreatIntelTriggerDto(List.of(index, "randomIndex"), List.of("ipv4_addr", "domain-name"), emptyList(), "match", null, "severity");
ThreatIntelTriggerDto t2 = new ThreatIntelTriggerDto(List.of("randomIndex"), List.of("domain-name"), emptyList(), "nomatch", null, "severity");
ThreatIntelTriggerDto t3 = new ThreatIntelTriggerDto(emptyList(), List.of("domain"), emptyList(), "domainmatchsonomatch", null, "severity");
ThreatIntelTriggerDto t4 = new ThreatIntelTriggerDto(List.of(index), emptyList(), emptyList(), "indexmatch", null, "severity");

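Review bot: `randomIocScanMonitorDto` still builds trigger type lists with the hyphenated `"domain-name"` on both changed lines, while the other test touched by this commit uses `"domain_name"` and the commit's stated intent is to replace hyphens with underscores in IOC types; the unchanged third trigger uses plain `"domain"`, so three spellings of one type now coexist in the same method. If `ThreatIntelTriggerDto` or the downstream matcher resolves these via `IOCType.fromString`, a spelling it does not accept would produce a trigger that never matches rather than a test failure. Aligning them on one form, e.g. `List.of("ipv4_addr", "domain_name")` and `List.of("domain_name")`, or on the enum's serialized names as done elsewhere in this commit, removes the ambiguity. The `Map.of("ipv4_addr", ...)` key in the earlier hunk of this file is another hand-written copy of the same name.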
