Skip to content

Commit

Permalink
add category to custom log types (#634)
Browse files Browse the repository at this point in the history
Signed-off-by: Subhobrata Dey <[email protected]>
  • Loading branch information
sbcd90 authored Oct 4, 2023
1 parent 03573e9 commit 5781c85
Show file tree
Hide file tree
Showing 6 changed files with 173 additions and 29 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,10 @@ public ActionRequestValidationException validate() {
if (!find) {
throw new ActionRequestValidationException();
}
String category = customLogType.getCategory();
if (!CustomLogType.VALID_LOG_CATEGORIES.contains(category)) {
throw new ActionRequestValidationException();
}
return null;
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import org.opensearch.core.xcontent.XContentParserUtils;

import java.io.IOException;
import java.util.List;
import java.util.Map;

import static org.opensearch.securityanalytics.action.IndexCustomLogTypeResponse.CUSTOM_LOG_TYPES_FIELD;
Expand All @@ -27,11 +28,23 @@ public class CustomLogType implements Writeable, ToXContentObject {

private static final Logger log = LogManager.getLogger(CustomLogType.class);

public static final List<String> VALID_LOG_CATEGORIES = List.of(
"Access Management",
"Applications",
"Cloud Services",
"Network Activity",
"Security",
"System Activity",
"Other"
);

public static final String CUSTOM_LOG_TYPE_ID_FIELD = "custom_logtype_id";

private static final String NAME_FIELD = "name";

private static final String DESCRIPTION_FIELD = "description";

private static final String CATEGORY_FIELD = "category";
private static final String SOURCE_FIELD = "source";

private static final String TAGS_FIELD = "tags";
Expand All @@ -44,6 +57,8 @@ public class CustomLogType implements Writeable, ToXContentObject {

private String description;

private String category;

private String source;

private Map<String, Object> tags;
Expand All @@ -58,12 +73,14 @@ public CustomLogType(String id,
Long version,
String name,
String description,
String category,
String source,
Map<String, Object> tags) {
this.id = id != null ? id : NO_ID;
this.version = version != null ? version : NO_VERSION;
this.name = name;
this.description = description;
this.category = category != null? category: "Other";
this.source = source;
this.tags = tags;
}
Expand All @@ -75,6 +92,7 @@ public CustomLogType(StreamInput sin) throws IOException {
sin.readString(),
sin.readString(),
sin.readString(),
sin.readString(),
sin.readMap()
);
}
Expand All @@ -86,6 +104,7 @@ public CustomLogType(Map<String, Object> input) {
null,
input.get(NAME_FIELD).toString(),
input.get(DESCRIPTION_FIELD).toString(),
input.containsKey(CATEGORY_FIELD)? input.get(CATEGORY_FIELD).toString(): null,
input.get(SOURCE_FIELD).toString(),
(Map<String, Object>) input.get(TAGS_FIELD)
);
Expand All @@ -97,6 +116,7 @@ public void writeTo(StreamOutput out) throws IOException {
out.writeLong(version);
out.writeString(name);
out.writeString(description);
out.writeString(category);
out.writeString(source);
out.writeMap(tags);
}
Expand All @@ -106,6 +126,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
return builder.startObject()
.field(NAME_FIELD, name)
.field(DESCRIPTION_FIELD, description)
.field(CATEGORY_FIELD, category)
.field(SOURCE_FIELD, source)
.field(TAGS_FIELD, tags)
.endObject();
Expand All @@ -121,6 +142,7 @@ public static CustomLogType parse(XContentParser xcp, String id, Long version) t

String name = null;
String description = null;
String category = null;
String source = null;
Map<String, Object> tags = null;

Expand All @@ -136,6 +158,9 @@ public static CustomLogType parse(XContentParser xcp, String id, Long version) t
case DESCRIPTION_FIELD:
description = xcp.text();
break;
case CATEGORY_FIELD:
category = xcp.textOrNull();
break;
case SOURCE_FIELD:
source = xcp.text();
break;
Expand All @@ -146,7 +171,7 @@ public static CustomLogType parse(XContentParser xcp, String id, Long version) t
xcp.skipChildren();
}
}
return new CustomLogType(id, version, name, description, source, tags);
return new CustomLogType(id, version, name, description, category, source, tags);
}

public static CustomLogType readFrom(StreamInput sin) throws IOException {
Expand Down Expand Up @@ -177,6 +202,10 @@ public String getDescription() {
return description;
}

public String getCategory() {
return category;
}

public String getSource() {
return source;
}
Expand Down
24 changes: 23 additions & 1 deletion src/main/resources/OSMapping/logtypes.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
"others_application": {
"name": "others_application",
"description": "Application logs",
"category": "Other",
"source": "Sigma",
"tags": {
"correlation_id": 0
Expand All @@ -10,6 +11,7 @@
"others_apt": {
"name": "others_apt",
"description": "Apt logs",
"category": "Other",
"source": "Sigma",
"tags": {
"correlation_id": 1
Expand All @@ -18,6 +20,7 @@
"others_cloud": {
"name": "others_cloud",
"description": "Cloud logs",
"category": "Other",
"source": "Sigma",
"tags": {
"correlation_id": 2
Expand All @@ -26,6 +29,7 @@
"others_compliance": {
"name": "others_compliance",
"description": "Compliance logs",
"category": "Other",
"source": "Sigma",
"tags": {
"correlation_id": 4
Expand All @@ -34,6 +38,7 @@
"linux": {
"name": "linux",
"description": "Sys logs",
"category": "System Activity",
"source": "Sigma",
"tags": {
"correlation_id": 5
Expand All @@ -42,6 +47,7 @@
"others_macos": {
"name": "others_macos",
"description": "MacOS logs",
"category": "System Activity",
"source": "Sigma",
"tags": {
"correlation_id": 6
Expand All @@ -50,6 +56,7 @@
"network": {
"name": "network",
"description": "Network logs",
"category": "Network Activity",
"source": "Sigma",
"tags": {
"correlation_id": 7
Expand All @@ -58,6 +65,7 @@
"others_proxy": {
"name": "others_proxy",
"description": "Proxy logs",
"category": "Other",
"source": "Sigma",
"tags": {
"correlation_id": 8
Expand All @@ -66,6 +74,7 @@
"others_web": {
"name": "others_web",
"description": "Web logs",
"category": "Other",
"source": "Sigma",
"tags": {
"correlation_id": 9
Expand All @@ -74,6 +83,7 @@
"windows": {
"name": "windows",
"description": "Windows logs",
"category": "System Activity",
"source": "Sigma",
"tags": {
"correlation_id": 10
Expand All @@ -82,14 +92,16 @@
"ad_ldap": {
"name": "ad_ldap",
"description": "Ad/ldap logs",
"category": "Access Management",
"source": "Sigma",
"tags": {
"correlation_id": 11
}
},
"apache_access": {
"name": "apache_access",
"description": "Apt logs",
"description": "Apache Access logs",
"category": "Access Management",
"source": "Sigma",
"tags": {
"correlation_id": 12
Expand All @@ -98,6 +110,7 @@
"cloudtrail": {
"name": "cloudtrail",
"description": "Cloudtrail Raw or OCSF based logs",
"category": "Cloud Services",
"source": "Sigma",
"tags": {
"correlation_id": 14
Expand All @@ -106,6 +119,7 @@
"dns": {
"name": "dns",
"description": "DNS Raw or Route53 OCSF based logs",
"category": "Network Activity",
"source": "Sigma",
"tags": {
"correlation_id": 15
Expand All @@ -114,6 +128,7 @@
"github": {
"name": "github",
"description": "Github logs",
"category": "Applications",
"source": "Sigma",
"tags": {
"correlation_id": 16
Expand All @@ -122,6 +137,7 @@
"m365": {
"name": "m365",
"description": "M365 logs",
"category": "Applications",
"source": "Sigma",
"tags": {
"correlation_id": 17
Expand All @@ -130,6 +146,7 @@
"gworkspace": {
"name": "gworkspace",
"description": "GWorkspace logs",
"category": "Applications",
"source": "Sigma",
"tags": {
"correlation_id": 18
Expand All @@ -138,6 +155,7 @@
"okta": {
"name": "okta",
"description": "Okta logs",
"category": "Access Management",
"source": "Sigma",
"tags": {
"correlation_id": 19
Expand All @@ -146,6 +164,7 @@
"azure": {
"name": "azure",
"description": "Azure logs",
"category": "Cloud Services",
"source": "Sigma",
"tags": {
"correlation_id": 20
Expand All @@ -154,6 +173,7 @@
"s3": {
"name": "s3",
"description": "S3 logs",
"category": "Cloud Services",
"source": "Sigma",
"tags": {
"correlation_id": 21
Expand All @@ -162,6 +182,7 @@
"test_windows": {
"name": "test_windows",
"description": "Test Windows Log Type for integ tests. Please do not use.",
"category": "Other",
"source": "Sigma",
"tags": {
"correlation_id": 22
Expand All @@ -170,6 +191,7 @@
"vpcflow": {
"name": "vpcflow",
"description": "VPC Flow Raw or OCSF based logs",
"category": "Network Activity",
"source": "Sigma",
"tags": {
"correlation_id": 23
Expand Down
11 changes: 10 additions & 1 deletion src/main/resources/mappings/log_type_config_mapping.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"_meta" : {
"schema_version": 1
"schema_version": 2
},
"dynamic_templates": [
{
Expand Down Expand Up @@ -50,6 +50,15 @@
}
}
},
"category": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"source": {
"type": "text",
"fields": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -147,17 +147,20 @@ public static Detector randomDetector(String name,
return new Detector(null, null, name, enabled, schedule, lastUpdateTime, enabledTime, detectorType, user, inputs, triggers, Collections.singletonList(""), "", "", "", "", "", "", Collections.emptyMap(), Collections.emptyList());
}

public static CustomLogType randomCustomLogType(String name, String description, String source) {
public static CustomLogType randomCustomLogType(String name, String description, String category, String source) {
if (name == null) {
name = "custom-log-type";
}
if (description == null) {
description = "custom-log-type-desc";
}
if (category == null) {
category = "Other";
}
if (source == null) {
source = "Sigma";
}
return new CustomLogType(null, null, name, description, source, null);
return new CustomLogType(null, null, name, description, category, source, null);
}

public static Detector randomDetectorWithNoUser() {
Expand Down
Loading

0 comments on commit 5781c85

Please sign in to comment.