From 72a75ab222e9ae7fbb559acb353f369572c1120e Mon Sep 17 00:00:00 2001
From: AWSHurneyt
Date: Thu, 23 May 2024 16:34:44 -0700
Subject: [PATCH] Refactored IocType.

Signed-off-by: AWSHurneyt
---
 .../SecurityAnalyticsPlugin.java | 9 +++
 .../securityanalytics/model/IocDao.java | 70 ++++++++++++-------
 .../securityanalytics/model/IocDto.java | 57 +++++++++++++++
 3 files changed, 112 insertions(+), 24 deletions(-)

diff --git a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
index 652b438df..534cd04d9 100644
--- a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
+++ b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
@@ -7,6 +7,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.function.Supplier;
 import java.util.Optional;
@@ -61,6 +62,7 @@
 import org.opensearch.securityanalytics.mapper.IndexTemplateManager;
 import org.opensearch.securityanalytics.mapper.MapperService;
 import org.opensearch.securityanalytics.model.CustomLogType;
+import org.opensearch.securityanalytics.model.IocDao;
 import org.opensearch.securityanalytics.model.ThreatIntelFeedData;
 import org.opensearch.securityanalytics.resthandler.*;
 import org.opensearch.securityanalytics.threatIntel.service.DetectorThreatIntelService;
@@ -103,10 +105,17 @@ public class SecurityAnalyticsPlugin extends Plugin implements ActionPlugin, Map
 public static final String FINDINGS_CORRELATE_URI = FINDINGS_BASE_URI + "/correlate";
 public static final String LIST_CORRELATIONS_URI = PLUGINS_BASE_URI + "/correlations";
 public static final String CORRELATION_RULES_BASE_URI = PLUGINS_BASE_URI + "/correlation/rules";
+ public static final String IOC_BASE_URI = PLUGINS_BASE_URI + "/ioc";
+ public static final String IOC_FETCH_BASE_URI = IOC_BASE_URI + "/fetch";
 public static final String CUSTOM_LOG_TYPE_URI = PLUGINS_BASE_URI + "/logtype";
 public static final String JOB_INDEX_NAME = ".opensearch-sap--job";
 public static final Map TIF_JOB_INDEX_SETTING = Map.of(IndexMetadata.SETTING_NUMBER_OF_SHARDS, 1, IndexMetadata.SETTING_AUTO_EXPAND_REPLICAS, "0-all", IndexMetadata.SETTING_INDEX_HIDDEN, true);
+ public static final String IOC_INDEX_NAME_BASE = ".opensearch-sap-ioc";
+ public static final String IOC_ALL_INDEX_PATTERN = IOC_INDEX_NAME_BASE + "-*";
+ public static final String IOC_DOMAIN_INDEX_NAME = IOC_INDEX_NAME_BASE + IocDao.IocType.DOMAIN.name().toLowerCase(Locale.ROOT);
+ public static final String IOC_HASH_INDEX_NAME = IOC_INDEX_NAME_BASE + IocDao.IocType.HASH.name().toLowerCase(Locale.ROOT);
+ public static final String IOC_IP_INDEX_NAME = IOC_INDEX_NAME_BASE + IocDao.IocType.IP.name().toLowerCase(Locale.ROOT);
 private CorrelationRuleIndices correlationRuleIndices;
diff --git a/src/main/java/org/opensearch/securityanalytics/model/IocDao.java b/src/main/java/org/opensearch/securityanalytics/model/IocDao.java
index ba2f4b1fc..6719af006 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/IocDao.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/IocDao.java
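Review bot: The per-type index names built from `IOC_INDEX_NAME_BASE` in this hunk have no separator before the type suffix, so `IOC_DOMAIN_INDEX_NAME` resolves to `.opensearch-sap-iocdomain`, which `IOC_ALL_INDEX_PATTERN` (`.opensearch-sap-ioc-*`) does not match; anything that enumerates, secures or cleans up the IoC indices through the pattern will miss all three. Inserting the dash fixes it, `public static final String IOC_DOMAIN_INDEX_NAME = IOC_INDEX_NAME_BASE + "-" + IocDao.IocType.DOMAIN.name().toLowerCase(Locale.ROOT);`, and likewise for the HASH and IP constants; if the dash-less form is what is intended, the pattern should drop its dash instead, but one of the two must change. These constants also make the plugin class's static initialiser depend on `IocDao.IocType`, while the enum constants in IocDao.java (the `-283,30` hunk, via the static imports in its `-21,11` hunk) read these same constants back; as far as the visible code shows neither side reads the other during its own static initialisation, so the cycle initialises cleanly today, but it is fragile and the type-to-index mapping would be simpler to reason about if it lived in one place.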
@@ -14,6 +14,7 @@
 import org.opensearch.core.xcontent.XContentBuilder;
 import org.opensearch.core.xcontent.XContentParser;
 import org.opensearch.core.xcontent.XContentParserUtils;
+
 import java.io.IOException;
 import java.time.Instant;
 import java.util.Arrays;
@@ -21,11 +22,15 @@
 import java.util.List;
 import java.util.Locale;
-import static org.opensearch.securityanalytics.model.Detector.NO_ID;
+import static org.opensearch.securityanalytics.SecurityAnalyticsPlugin.IOC_DOMAIN_INDEX_NAME;
+import static org.opensearch.securityanalytics.SecurityAnalyticsPlugin.IOC_HASH_INDEX_NAME;
+import static org.opensearch.securityanalytics.SecurityAnalyticsPlugin.IOC_IP_INDEX_NAME;
 public class IocDao implements Writeable, ToXContentObject {
 private static final Logger logger = LogManager.getLogger(IocDao.class);
+ public static final String NO_ID = "";
+
 static final String ID_FIELD = "id";
 static final String NAME_FIELD = "name";
 static final String TYPE_FIELD = "type";
@@ -93,6 +98,26 @@ public IocDao(StreamInput sin) throws IOException {
 );
 }
+ public IocDao(IocDto iocDto) {
+ this(
+ iocDto.getId(),
+ iocDto.getName(),
+ iocDto.getType(),
+ iocDto.getValue(),
+ iocDto.getSeverity(),
+ iocDto.getSpecVersion(),
+ iocDto.getCreated(),
+ iocDto.getModified(),
+ iocDto.getDescription(),
+ iocDto.getLabels(),
+ iocDto.getFeedId()
+ );
+ }
+
+ public static IocDao readFrom(StreamInput sin) throws IOException {
+ return new IocDao(sin);
+ }
+
 @Override
 public void writeTo(StreamOutput out) throws IOException {
 out.writeString(id);
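Review bot: `IocDao(IocDto iocDto)` dereferences its argument eleven times with no null check, so a null DTO fails with a bare NullPointerException from the first getter call instead of from a stated precondition; a leading `Objects.requireNonNull(iocDto, "iocDto");` makes the contract explicit (`java.util.Objects` is not among the imports shown, so it would need adding). The constructor delegates to an eleven-argument `this(...)` call whose target is outside this hunk, so the argument order here has to stay aligned with the primary constructor by hand; a comment naming that dependency, `// argument order must match the primary constructor`, would help the next maintainer. Both new public members lack Javadoc; one-line summaries such as `/** Copies every field of the given DTO into a new DAO. */` and `/** Reads an IocDao from the stream; presumably used as a Writeable.Reader. */` would suffice.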
@@ -283,30 +308,27 @@ public String getFeedId() {
 }
 public enum IocType {
- DOMAIN("domain-name"),
- HASH("hash"), // TODO placeholder
- IP("ipv4-addr", "ipv6-addr");
-
- private final String[] types;
-
- IocType(String... types) {
- this.types = types;
- }
+ DOMAIN("domain") {
+ @Override
+ public String getSystemIndexName() {
+ return IOC_DOMAIN_INDEX_NAME;
+ }
+ },
+ HASH("hash") { // TODO placeholder
+ @Override
+ public String getSystemIndexName() {
+ return IOC_HASH_INDEX_NAME;
+ }
+ },
+ IP("ip") {
+ @Override
+ public String getSystemIndexName() {
+ return IOC_IP_INDEX_NAME;
+ }
+ };
- public String[] getTypes() {
- return types;
- }
+ IocType(String type) {}
- public IocType fromString(String type) {
- for (IocType enumValue : values()) {
- for (String enumType : enumValue.getTypes()) {
- if (enumType.equals(type.toLowerCase(Locale.ROOT))) {
- return enumValue;
- }
- }
- }
- logger.debug("Unsupported IocType: {}", type);
- throw new IllegalArgumentException(String.format("[%s] is not supported.", TYPE_FIELD));
- }
+ public abstract String getSystemIndexName();
 }
 }
diff --git a/src/main/java/org/opensearch/securityanalytics/model/IocDto.java b/src/main/java/org/opensearch/securityanalytics/model/IocDto.java
index 5bf25f70e..ca9163cf8 100644
--- a/src/main/java/org/opensearch/securityanalytics/model/IocDto.java
+++ b/src/main/java/org/opensearch/securityanalytics/model/IocDto.java
@@ -12,9 +12,14 @@
 import org.opensearch.core.common.io.stream.Writeable;
 import org.opensearch.core.xcontent.ToXContentObject;
 import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.xcontent.XContentParserUtils;
+
 import java.io.IOException;
 import java.time.Instant;
+import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 public class IocDto implements Writeable, ToXContentObject {
 private static final Logger logger = LogManager.getLogger(IocDto.class);
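Review bot: `IocType(String type) {}` discards its argument, so the `"domain"`, `"hash"` and `"ip"` literals on the three constants are dead; either keep the value (`private final String type;` assigned in the constructor with a `getType()` accessor) or drop the parameter and the literals together. The three anonymous constant bodies exist only to return one constant each, which a second constructor argument would express in a third of the lines, `DOMAIN("domain", IOC_DOMAIN_INDEX_NAME)` with `getSystemIndexName()` returning a final field; that also removes the need for `abstract`. The hunk removes `fromString`, which accepted the STIX-style names `domain-name`, `ipv4-addr` and `ipv6-addr` case-insensitively with a debug log on rejection; any caller still receiving those strings will now be rejected by `IocType.valueOf` with a different message, so the call sites (outside this hunk) should be checked or a replacement parser provided. With that loop gone, `logger`, `Locale` and `TYPE_FIELD` may no longer be referenced from the enum; worth confirming they are still used elsewhere in the class before the imports stay. The `// TODO placeholder` on HASH should say what is missing, for example which hash algorithms the constant is meant to cover.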
@@ -49,6 +54,10 @@ public IocDto(StreamInput sin) throws IOException {
 this(new IocDao(sin));
 }
+ public static IocDto readFrom(StreamInput sin) throws IOException {
+ return new IocDto(sin);
+ }
+
 @Override
 public void writeTo(StreamOutput out) throws IOException {
 out.writeString(id);
@@ -80,4 +89,52 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
 .field(IocDao.FEED_ID_FIELD, feedId)
 .endObject();
 }
+
+ public static IocDto parse(XContentParser xcp, String id) throws IOException {
+ return new IocDto(IocDao.parse(xcp, id));
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public IocDao.IocType getType() {
+ return type;
+ }
+
+ public String getValue() {
+ return value;
+ }
+
+ public String getSeverity() {
+ return severity;
+ }
+
+ public String getSpecVersion() {
+ return specVersion;
+ }
+
+ public Instant getCreated() {
+ return created;
+ }
+
+ public Instant getModified() {
+ return modified;
+ }
+
+ public String getDescription() {
+ return description;
+ }
+
+ public List getLabels() {
+ return labels;
+ }
+
+ public String getFeedId() {
+ return feedId;
+ }
 }
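Review bot: `getLabels()` returns the DTO's internal list itself, so any caller can mutate the object's state through it; returning `Collections.unmodifiableList(labels)` (with a null guard if `labels` can be null, which the hunk does not show) keeps the DTO read-only from the outside and gives the `java.util.Collections` import added in the `-12,9` hunk a use. As rendered here the return type is a raw `List`; if that is not an extraction artefact it should be parameterised to match the field, which is declared outside this hunk. `XContentParserUtils` and `Locale` were imported in that same hunk but nothing in the new code shown uses them, since `parse` delegates entirely to `IocDao.parse`; they look like leftovers from an earlier draft of the change. The new `parse` and `readFrom` lack Javadoc; `parse` should at least say that `id` is the document id handed through to `IocDao.parse` and that this class adds no validation of its own.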