add search ioc findings api #6
Conversation
Signed-off-by: Joanne Wang <jowg@amazon.com>
Signed-off-by: Joanne Wang <jowg@amazon.com>
…project/security-analytics into feature/threat_intel
Signed-off-by: Surya Sashank Nistala <snistala@amazon.com>
* Rough draft of IOC data model.
Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
* Changed IOC value from a list to a string.
Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
* Added validation for IOC type, value, and feedId fields.
Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
* Refactored IocType to for ipv4, and ipv6.
Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
* Refactored IocType.
Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
* Added unit tests.
Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
---------
Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
* create tif source config api implementation
Signed-off-by: Joanne Wang <jowg@amazon.com>
* clean up
Signed-off-by: Joanne Wang <jowg@amazon.com>
* tif/source
Signed-off-by: Joanne Wang <jowg@amazon.com>
* fix uri
Signed-off-by: Joanne Wang <jowg@amazon.com>
* comments
Signed-off-by: Joanne Wang <jowg@amazon.com>
* fix error message
Signed-off-by: Joanne Wang <jowg@amazon.com>
* moved createIndex invocation and other comments
Signed-off-by: Joanne Wang <jowg@amazon.com>
---------
Signed-off-by: Joanne Wang <jowg@amazon.com>
* create tif source config api implementation
Signed-off-by: Joanne Wang <jowg@amazon.com>
* clean up
Signed-off-by: Joanne Wang <jowg@amazon.com>
* getTIFSourceConfig API
Signed-off-by: Joanne Wang <jowg@amazon.com>
* clean up
Signed-off-by: Joanne Wang <jowg@amazon.com>
* more cleanup
Signed-off-by: Joanne Wang <jowg@amazon.com>
* remove runner
Signed-off-by: Joanne Wang <jowg@amazon.com>
* add unit serialization tests
Signed-off-by: Joanne Wang <jowg@amazon.com>
---------
Signed-off-by: Joanne Wang <jowg@amazon.com>
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
public class GetIocFindingsAction extends ActionType<GetIocFindingsResponse> { | ||
public static final GetIocFindingsAction INSTANCE = new GetIocFindingsAction(); | ||
public static final String NAME = "cluster:admin/opensearch/securityanalytics/ioc/findings/get"; |
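Review bot: the NAME string is the transport action name, not a REST path, and it is what the OpenSearch security plugin matches role permissions against, so the prefix question is really an access-control one: keep it under the same `cluster:admin/opensearch/securityanalytics/` namespace as the plugin's other transport actions so that roles already granting that pattern cover this read, and list the new action name wherever the plugin documents its permissions.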
plz use prefix THREAT_INTEL_BASE_URI
this is action name.
public IocMatchService(final Client client, final ClusterService clusterService) { | ||
private final NamedXContentRegistry xContentRegistry; | ||
public IocMatchService(final Client client, final ClusterService clusterService, final NamedXContentRegistry xContentRegistry) { |
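Review bot: `xContentRegistry` becomes a required dependency here; if the two-argument constructor shown in the first line survives the change, it should delegate to the three-argument one with a real registry rather than leave the field null, otherwise the first parse of a stored finding will fail at runtime. A one-line comment on the field saying what it is used for (parsing finding documents back from the index) would also help the rename the reviewer asks for.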
plz rename to IocFindingService (and model to ioc findings
fixed it.
plz add rest tests
@Override | ||
protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException { | ||
String threatIntelMonitorId = request.param("monitor_id"); |
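Review bot: `monitor_id` is read from the request but nothing visible validates it; a parameter that scopes the query should either be required and checked (non-blank, then resolved against an existing monitor before the search is built) or dropped entirely, because an absent value silently widens the search to every monitor's findings and a garbage value produces a confusing empty result instead of a 400.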
is this mandatory?
removed it.
String sortString = request.param("sortString", "timestamp"); | ||
String sortOrder = request.param("sortOrder", "asc"); | ||
String missing = request.param("missing"); |
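Review bot: `sortString` and `sortOrder` are taken straight from the URL; validate `sortOrder` against `asc`/`desc` and `sortString` against an allowlist of the finding index's sortable fields so an unknown field name yields a 400 from the REST layer rather than a shard failure, and either document `missing` (the reviewer's question stands) or remove it if the search builder never uses it.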
what is this?
} | ||
@Override | ||
public void onFailure(Exception e) { |
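Review bot: `onFailure` should treat IndexNotFoundException as the empty-result case the reviewer asks for (no findings index yet simply means no findings), for example by checking `ExceptionsHelper.unwrapCause(e) instanceof IndexNotFoundException` before falling through to a generic failure; passing any other exception back unchanged should be done through the plugin's usual error response so the raw exception message, which includes index names, is not handed to the caller.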
return empty list for indexnotfound exception
fixed it.
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
added a rest test.
@sbcd90 We'd like to use this API in the ListIOCs API to return the number of matches/findings for each of the IOCs returned in the list. There could possibly be thousands of IOCs returned in that list response. Is there a way to return the findings for just those IOCs?
+1
QueryBuilders.boolQuery() | ||
.must( | ||
QueryBuilders | ||
.queryStringQuery(tableProp.getSearchString()) |
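Review bot: `queryStringQuery(tableProp.getSearchString())` hands caller-supplied text straight to Lucene query_string syntax with no field restriction, so a search term can carry wildcards, regular expressions and `field:` selectors and will match tags or names incidentally, as the comment below also notes; restrict the free-text search with `.field(...)` to the columns the table actually exposes, and for the ListIOCs use case prefer an exact-match `termsQuery` on the finding's `iocValue` field, which is unambiguous and far cheaper than query_string over thousands of values.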
@sbcd90 I'm wondering if the way to go about the question in #6 (comment) is to supply the IOC value in the searchString
? If so, this query builder would need to also search the finding iocValue
field.
That might not be the best approach though since it would also return hits with tags, or names that coincidentally match the value.
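One way to answer the ListIOCs question without going through the free-text search string is an exact-match filter on the finding's IOC value plus a terms aggregation, so each IOC comes back with its finding count in a single bounded request. The code below is an added example and not part of this PR or the security-analytics plugin; the index name is a placeholder, and `iocValue` is assumed to be a keyword-mapped field (the PR only shows the field name). It uses the OpenSearch query and aggregation builders already in play in the reviewed code.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.opensearch.action.search.SearchRequest;
import org.opensearch.action.search.SearchResponse;
import org.opensearch.index.query.BoolQueryBuilder;
import org.opensearch.index.query.QueryBuilders;
import org.opensearch.search.aggregations.AggregationBuilders;
import org.opensearch.search.aggregations.bucket.terms.Terms;
import org.opensearch.search.aggregations.bucket.terms.TermsAggregationBuilder;
import org.opensearch.search.builder.SearchSourceBuilder;

/**
 * Counts IOC findings per IOC value with an exact-match filter and a terms
 * aggregation, instead of pushing the IOC value through query_string where it
 * could also hit tags or names that happen to contain the same text.
 * Index and field names below are assumptions for this example.
 */
public final class IocFindingCounter {

    // Assumed: placeholder findings index and the keyword-mapped field holding the matched IOC value.
    static final String FINDINGS_INDEX = "<ioc-findings-index>";
    static final String IOC_VALUE_FIELD = "iocValue";
    static final String PER_IOC_AGG = "findings_per_ioc";

    // Keep each request bounded; a ListIOCs page can carry thousands of values.
    static final int BATCH_SIZE = 1000;

    private IocFindingCounter() {}

    /** Builds one request that returns no hits, only one bucket per IOC value that has findings. */
    public static SearchRequest buildCountRequest(List<String> iocValues) {
        BoolQueryBuilder query = QueryBuilders.boolQuery()
            // filter context: exact keyword match, no scoring, cacheable, no query syntax parsed
            .filter(QueryBuilders.termsQuery(IOC_VALUE_FIELD, iocValues));

        TermsAggregationBuilder perIoc = AggregationBuilders.terms(PER_IOC_AGG)
            .field(IOC_VALUE_FIELD)
            .size(iocValues.size());   // at most one bucket per requested value

        SearchSourceBuilder source = new SearchSourceBuilder()
            .query(query)
            .size(0)                   // counts only, no finding documents returned
            .aggregation(perIoc);

        return new SearchRequest(FINDINGS_INDEX).source(source);
    }

    /** Splits a long IOC list into bounded batches so no single request grows without limit. */
    public static List<List<String>> batches(List<String> iocValues) {
        List<List<String>> out = new ArrayList<>();
        for (int i = 0; i < iocValues.size(); i += BATCH_SIZE) {
            out.add(iocValues.subList(i, Math.min(i + BATCH_SIZE, iocValues.size())));
        }
        return out;
    }

    /** Reads bucket counts back; IOCs with no findings are reported explicitly as 0. */
    public static Map<String, Long> countsFromResponse(SearchResponse response, List<String> requested) {
        Map<String, Long> counts = new HashMap<>();
        for (String ioc : requested) {
            counts.put(ioc, 0L);
        }
        Terms perIoc = response.getAggregations() == null
            ? null
            : response.getAggregations().get(PER_IOC_AGG);
        if (perIoc != null) {
            for (Terms.Bucket bucket : perIoc.getBuckets()) {
                counts.put(bucket.getKeyAsString(), bucket.getDocCount());
            }
        }
        return counts;
    }
}
```

Inside the plugin the request would be issued with the node client's `search(request, listener)` and the listener's `SearchResponse` passed to `countsFromResponse`; batching keeps the terms filter and the aggregation size proportional to one page of the IOC list rather than to the whole feed.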
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.