
add search ioc findings api #6

Closed
wants to merge 13 commits into from

Conversation

@sbcd90 sbcd90 commented Jun 17, 2024

Description

[Describe what this change achieves]

Issues Resolved

[List any issues this PR will resolve]

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

jowg-amazon and others added 12 commits May 21, 2024 13:30
Signed-off-by: Joanne Wang <jowg@amazon.com>
Signed-off-by: Joanne Wang <jowg@amazon.com>
Signed-off-by: Surya Sashank Nistala <snistala@amazon.com>
* Rough draft of IOC data model.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Changed IOC value from a list to a string.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Added validation for IOC type, value, and feedId fields.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Refactored IocType for ipv4 and ipv6.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Refactored IocType.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

* Added unit tests.

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>

---------

Signed-off-by: AWSHurneyt <hurneyt@amazon.com>
* create tif source config api implementation

Signed-off-by: Joanne Wang <jowg@amazon.com>

* clean up

Signed-off-by: Joanne Wang <jowg@amazon.com>

* tif/source

Signed-off-by: Joanne Wang <jowg@amazon.com>

* fix uri

Signed-off-by: Joanne Wang <jowg@amazon.com>

* comments

Signed-off-by: Joanne Wang <jowg@amazon.com>

* fix error message

Signed-off-by: Joanne Wang <jowg@amazon.com>

* moved createIndex invocation and other comments

Signed-off-by: Joanne Wang <jowg@amazon.com>

---------

Signed-off-by: Joanne Wang <jowg@amazon.com>
* create tif source config api implementation

Signed-off-by: Joanne Wang <jowg@amazon.com>

* clean up

Signed-off-by: Joanne Wang <jowg@amazon.com>

* getTIFSourceConfig API

Signed-off-by: Joanne Wang <jowg@amazon.com>

* clean up

Signed-off-by: Joanne Wang <jowg@amazon.com>

* more cleanup

Signed-off-by: Joanne Wang <jowg@amazon.com>

* remove runner

Signed-off-by: Joanne Wang <jowg@amazon.com>

* add unit serialization tests

Signed-off-by: Joanne Wang <jowg@amazon.com>

---------

Signed-off-by: Joanne Wang <jowg@amazon.com>
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
@sbcd90 sbcd90 requested a review from eirsep as a code owner June 17, 2024 03:36
public class GetIocFindingsAction extends ActionType<GetIocFindingsResponse> {

public static final GetIocFindingsAction INSTANCE = new GetIocFindingsAction();
public static final String NAME = "cluster:admin/opensearch/securityanalytics/ioc/findings/get";
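Review bot: the NAME constant is a transport action name, not a REST path, and the `cluster:admin/...` form is what security-plugin role permissions match against, so THREAT_INTEL_BASE_URI does not apply to it; a one-line Javadoc on NAME stating that it is the privilege name checked for this action would make the distinction explicit for the next reader who asks the same question.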
Owner

plz use prefix THREAT_INTEL_BASE_URI

Author

this is action name.

public IocMatchService(final Client client, final ClusterService clusterService) {
private final NamedXContentRegistry xContentRegistry;

public IocMatchService(final Client client, final ClusterService clusterService, final NamedXContentRegistry xContentRegistry) {
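Review bot: the two-argument constructor on the first line is dropped rather than kept as an overload, so every call site and test that built IocMatchService without a NamedXContentRegistry has to change within this PR; adding `Objects.requireNonNull(xContentRegistry)` in the new constructor would surface a caller passing null at construction time instead of on the first parse.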
Owner

plz rename to IocFindingService (and model to ioc findings

Author

fixed it.

Owner

@eirsep eirsep left a comment

plz add rest tests


@Override
protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
String threatIntelMonitorId = request.param("monitor_id");
Owner

is this mandatory?

Author

removed it.


String sortString = request.param("sortString", "timestamp");
String sortOrder = request.param("sortOrder", "asc");
String missing = request.param("missing");
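Review bot: `sortString` and `sortOrder` are taken from the request verbatim with no validation, so an unknown field in `sortString` or anything other than `asc`/`desc` in `sortOrder` fails deep inside the search and surfaces as a 500 rather than a 400. Parse the order with `SortOrder.fromString` and check `sortString` against a short allow-list of sortable finding fields before building the sort; `missing` is read here but nothing visible consumes it, so either document what it is for or drop it.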
Owner

what is this?


}

@Override
public void onFailure(Exception e) {
Owner

return empty list for indexnotfound exception

Author

fixed it.

Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>

sbcd90 commented Jun 17, 2024

plz add rest tests

added a rest test.

@AWSHurneyt

@sbcd90 We'd like to use this API in the ListIOCs API to return the number of matches/findings for each of the IOCs returned in the list. There could possibly be thousands of IOCs returned in that list response. Is there a way to return the findings for just those IOCs?

Owner

eirsep commented Jun 19, 2024

@sbcd90 We'd like to use this API in the ListIOCs API to return the number of matches/findings for each of the IOCs returned in the list. There could possibly be thousands of IOCs returned in that list response. Is there a way to return the findings for just those IOCs?

+1
plz add a param for querying findings for a list of IoCs

QueryBuilders.boolQuery()
.must(
QueryBuilders
.queryStringQuery(tableProp.getSearchString())
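Review bot: `queryStringQuery` hands `tableProp.getSearchString()` straight to the Lucene query-string parser, so the caller controls the full query syntax (field selectors, wildcard, regex and fuzzy operators) and an unbalanced quote or parenthesis becomes a parse failure on the request. For a findings search box, `simpleQueryStringQuery`, or escaping the input and pinning the searchable fields with `.field(...)`, keeps the same user experience without parse errors or unbounded wildcard expansion; restricting results to particular IOCs, as raised in the discussion, belongs in a separate `filter` clause on the IOC value field rather than in the search string.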
@AWSHurneyt AWSHurneyt Jun 19, 2024

@sbcd90 I'm wondering if the way to go about the question in #6 (comment) is to supply the IOC value in the searchString? If so, this query builder would need to also search the finding iocValue field.

That might not be the best approach though since it would also return hits with tags, or names that coincidentally match the value.
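
One way to implement the per-IOC restriction discussed in this thread, as an added example that is not code from the PR or the securityanalytics project: the IOC list is applied as an exact filter on the finding's IOC value field instead of being folded into the search string, and a second method returns a finding count per IOC for the ListIOCs use case. The field name `iocValue` and the class and method names are assumptions.

```java
import java.util.Collection;

import org.opensearch.index.query.BoolQueryBuilder;
import org.opensearch.index.query.QueryBuilder;
import org.opensearch.index.query.QueryBuilders;
import org.opensearch.search.aggregations.AggregationBuilders;
import org.opensearch.search.builder.SearchSourceBuilder;

/** Illustrative query construction for IOC findings; not the plugin's own code. */
public final class IocFindingsQuery {

    /** Assumed name of the keyword field holding the matched IOC value on a finding. */
    static final String IOC_VALUE_FIELD = "iocValue";

    private IocFindingsQuery() {}

    /**
     * Free text (if any) stays in the scoring clause, as in the PR. The IOC list goes
     * into the filter context, so only the IOC value field is compared and a tag or
     * name that happens to contain the same text does not produce a hit.
     */
    public static QueryBuilder buildQuery(String searchString, Collection<String> iocValues) {
        BoolQueryBuilder query = QueryBuilders.boolQuery();
        if (searchString != null && !searchString.isBlank()) {
            query.must(QueryBuilders.queryStringQuery(searchString));
        }
        if (iocValues != null && !iocValues.isEmpty()) {
            query.filter(QueryBuilders.termsQuery(IOC_VALUE_FIELD, iocValues));
        }
        // No criteria at all: fall back to match_all rather than an empty bool query.
        return query.hasClauses() ? query : QueryBuilders.matchAllQuery();
    }

    /**
     * For the ListIOCs use case: one request that returns a finding count per IOC
     * instead of the findings themselves. size(0) skips the hits; the bucket count is
     * bounded by the number of IOCs asked for, so the response cannot outgrow the
     * caller's own list.
     */
    public static SearchSourceBuilder buildCountPerIoc(Collection<String> iocValues) {
        return new SearchSourceBuilder()
            .query(buildQuery(null, iocValues))
            .size(0)
            .aggregation(AggregationBuilders.terms("findings_per_ioc")
                .field(IOC_VALUE_FIELD)
                .size(iocValues.size()));
    }
}
```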

@eirsep eirsep changed the base branch from ioc to tim June 20, 2024 10:42
@eirsep eirsep changed the base branch from tim to ioc June 20, 2024 10:57
@sbcd90 sbcd90 closed this Jul 1, 2024
eirsep pushed a commit that referenced this pull request Jul 10, 2024