Implemented ListIOCs API. (opensearch-project#1064)

* Removed unused imports. Removed redundant helper function. Signed-off-by: AWSHurneyt <[email protected]> * Added note about system index refactoring. Signed-off-by: AWSHurneyt <[email protected]> * Implemented draft of IocService. Signed-off-by: AWSHurneyt <[email protected]> * Made changes based on PR feedback. Signed-off-by: AWSHurneyt <[email protected]> * Fixed test helper function. Signed-off-by: AWSHurneyt <[email protected]> * Removed unused imports. Signed-off-by: AWSHurneyt <[email protected]> * Adjusted mappings based on PR feedback. Signed-off-by: AWSHurneyt <[email protected]> * Continuation of fetch IOC service implementation. Signed-off-by: AWSHurneyt <[email protected]> * Implemented ListtIOCs API. Signed-off-by: AWSHurneyt <[email protected]> * Removed "enabled" field from ListIOCs API as that will not be configured at the IOC level. Signed-off-by: AWSHurneyt <[email protected]> * Renamed response keys. Signed-off-by: AWSHurneyt <[email protected]> * Removed "enabled" field mapping as that will not be configured at the IOC level. Signed-off-by: AWSHurneyt <[email protected]> * Added feedId as a filter for LiistIOCs API. Added handling for IndexNotFoundException when calling ListIOCs API. Signed-off-by: AWSHurneyt <[email protected]> * Implemented ListtIOCs API. Signed-off-by: AWSHurneyt <[email protected]> * Removed "enabled" field from ListIOCs API as that will not be configured at the IOC level. Signed-off-by: AWSHurneyt <[email protected]> * Renamed response keys. Signed-off-by: AWSHurneyt <[email protected]> * Removed unused test suite. Signed-off-by: AWSHurneyt <[email protected]> * Added feedId as a filter for LiistIOCs API. Added handling for IndexNotFoundException when calling ListIOCs API. Signed-off-by: AWSHurneyt <[email protected]> * Added feedId as a filter for ListIOCs API. Signed-off-by: AWSHurneyt <[email protected]> * Fixed merge conflict. Signed-off-by: AWSHurneyt <[email protected]> * Removed unused test suite. Signed-off-by: AWSHurneyt <[email protected]> * Fixed test case. Signed-off-by: AWSHurneyt <[email protected]> * Fixed test index mappings. Signed-off-by: AWSHurneyt <[email protected]> --------- Signed-off-by: AWSHurneyt <[email protected]>
AWSHurneyt · Jun 25, 2024 · d2f405b · d2f405b
1 parent 4908e29
commit d2f405b
Show file tree

Hide file tree

Showing 11 changed files with 652 additions and 224 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
@@ -67,6 +67,7 @@
 import org.opensearch.securityanalytics.action.IndexDetectorAction;
 import org.opensearch.securityanalytics.action.IndexRuleAction;
 import org.opensearch.securityanalytics.action.ListCorrelationsAction;
+import org.opensearch.securityanalytics.action.ListIOCsAction;
 import org.opensearch.securityanalytics.action.SearchCorrelationRuleAction;
 import org.opensearch.securityanalytics.action.SearchCustomLogTypeAction;
 import org.opensearch.securityanalytics.action.SearchDetectorAction;
@@ -104,6 +105,7 @@
 import org.opensearch.securityanalytics.resthandler.RestIndexDetectorAction;
 import org.opensearch.securityanalytics.resthandler.RestIndexRuleAction;
 import org.opensearch.securityanalytics.resthandler.RestListCorrelationAction;
+import org.opensearch.securityanalytics.resthandler.RestListIOCsAction;
 import org.opensearch.securityanalytics.resthandler.RestSearchCorrelationAction;
 import org.opensearch.securityanalytics.resthandler.RestSearchCorrelationRuleAction;
 import org.opensearch.securityanalytics.resthandler.RestSearchCustomLogTypeAction;
@@ -167,6 +169,7 @@
 import org.opensearch.securityanalytics.transport.TransportIndexDetectorAction;
 import org.opensearch.securityanalytics.transport.TransportIndexRuleAction;
 import org.opensearch.securityanalytics.transport.TransportListCorrelationAction;
+import org.opensearch.securityanalytics.transport.TransportListIOCsAction;
 import org.opensearch.securityanalytics.transport.TransportSearchCorrelationAction;
 import org.opensearch.securityanalytics.transport.TransportSearchCorrelationRuleAction;
 import org.opensearch.securityanalytics.transport.TransportSearchCustomLogTypeAction;
@@ -212,6 +215,7 @@ public class SecurityAnalyticsPlugin extends Plugin implements ActionPlugin, Map
     public static final String THREAT_INTEL_BASE_URI = PLUGINS_BASE_URI + "/threat_intel";
     public static final String THREAT_INTEL_SOURCE_URI = PLUGINS_BASE_URI + "/threat_intel/source";
     public static final String THREAT_INTEL_MONITOR_URI = PLUGINS_BASE_URI + "/threat_intel/monitor";
+    public static final String LIST_IOCS_URI = PLUGINS_BASE_URI + "/iocs/list";
 
     public static final String CUSTOM_LOG_TYPE_URI = PLUGINS_BASE_URI + "/logtype";
     public static final String JOB_INDEX_NAME = ".opensearch-sap--job";
@@ -336,7 +340,8 @@ public List<RestHandler> getRestHandlers(Settings settings,
                 new RestSearchTIFSourceConfigsAction(),
                 new RestIndexThreatIntelMonitorAction(),
                 new RestDeleteThreatIntelMonitorAction(),
-                new RestSearchThreatIntelMonitorAction()
+                new RestSearchThreatIntelMonitorAction(),
+                new RestListIOCsAction()
         );
     }
 
@@ -479,7 +484,8 @@ public List<Setting<?>> getSettings() {
                 new ActionHandler<>(SAGetTIFSourceConfigAction.INSTANCE, TransportGetTIFSourceConfigAction.class),
                 new ActionHandler<>(SADeleteTIFSourceConfigAction.INSTANCE, TransportDeleteTIFSourceConfigAction.class),
                 new ActionHandler<>(SASearchTIFSourceConfigsAction.INSTANCE, TransportSearchTIFSourceConfigsAction.class),
-                new ActionHandler<>(SampleRemoteDocLevelMonitorRunner.REMOTE_DOC_LEVEL_MONITOR_ACTION_INSTANCE, TransportRemoteDocLevelMonitorFanOutAction.class)
+                new ActionHandler<>(SampleRemoteDocLevelMonitorRunner.REMOTE_DOC_LEVEL_MONITOR_ACTION_INSTANCE, TransportRemoteDocLevelMonitorFanOutAction.class),
+                new ActionHandler<>(ListIOCsAction.INSTANCE, TransportListIOCsAction.class)
         );
     }
 

diff --git a/src/main/java/org/opensearch/securityanalytics/action/ListIOCsAction.java b/src/main/java/org/opensearch/securityanalytics/action/ListIOCsAction.java
@@ -0,0 +1,17 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.securityanalytics.action;
+
+import org.opensearch.action.ActionType;
+
+public class ListIOCsAction extends ActionType<ListIOCsActionResponse> {
+    public static final ListIOCsAction INSTANCE = new ListIOCsAction();
+    public static final String NAME = "cluster:admin/opensearch/securityanalytics/iocs/list";
+
+    public ListIOCsAction() {
+        super(NAME, ListIOCsActionResponse::new);
+    }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/action/ListIOCsActionRequest.java b/src/main/java/org/opensearch/securityanalytics/action/ListIOCsActionRequest.java
@@ -0,0 +1,121 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.securityanalytics.action;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.action.ValidateActions;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.securityanalytics.commons.model.IOCType;
+
+import java.io.IOException;
+import java.util.Locale;
+
+public class ListIOCsActionRequest extends ActionRequest {
+    public static String START_INDEX_FIELD = "start";
+    public static String SIZE_FIELD = "size";
+    public static String SORT_ORDER_FIELD = "sort_order";
+    public static String SORT_STRING_FIELD = "sort_string";
+    public static String SEARCH_FIELD = "search";
+    public static String TYPE_FIELD = "type";
+    public static String ALL_TYPES_FILTER = "ALL";
+
+    private int startIndex;
+    private int size;
+    private SortOrder sortOrder;
+    private String sortString;
+
+    private String search;
+    private String type;
+    private String feedId;
+
+    public ListIOCsActionRequest(int startIndex, int size, String sortOrder, String sortString, String search, String type, String feedId) {
+        super();
+        this.startIndex = startIndex;
+        this.size = size;
+        this.sortOrder = SortOrder.valueOf(sortOrder.toLowerCase(Locale.ROOT));
+        this.sortString = sortString;
+        this.search = search;
+        this.type = type.toLowerCase(Locale.ROOT);
+        this.feedId = feedId;
+    }
+
+    public ListIOCsActionRequest(StreamInput sin) throws IOException {
+        this(
+                sin.readInt(), // startIndex
+                sin.readInt(), // size
+                sin.readString(), // sortOrder
+                sin.readString(), // sortString
+                sin.readOptionalString(), // search
+                sin.readOptionalString(), // type
+                sin.readOptionalString() //feedId
+        );
+    }
+
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeInt(startIndex);
+        out.writeInt(size);
+        out.writeEnum(sortOrder);
+        out.writeString(sortString);
+        out.writeOptionalString(search);
+        out.writeOptionalString(type);
+        out.writeOptionalString(feedId);
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (startIndex < 0) {
+            validationException = ValidateActions
+                    .addValidationError(String.format("[%s] param cannot be a negative number.", START_INDEX_FIELD), validationException);
+        } else if (size < 0 || size > 10000) {
+            validationException = ValidateActions
+                    .addValidationError(String.format("[%s] param must be between 0 and 10,000.", SIZE_FIELD), validationException);
+        } else if (!ALL_TYPES_FILTER.equalsIgnoreCase(type)) {
+            try {
+                IOCType.valueOf(type);
+            } catch (Exception e) {
+                validationException = ValidateActions
+                        .addValidationError(String.format("Unrecognized [%s] param.", TYPE_FIELD), validationException);
+            }
+        }
+        return validationException;
+    }
+
+    public int getStartIndex() {
+        return startIndex;
+    }
+
+    public int getSize() {
+        return size;
+    }
+
+    public SortOrder getSortOrder() {
+        return sortOrder;
+    }
+
+    public String getSortString() {
+        return sortString;
+    }
+
+    public String getSearch() {
+        return search;
+    }
+
+    public String getType() {
+        return type;
+    }
+
+    public String getFeedId() {
+        return feedId;
+    }
+
+    public enum SortOrder {
+        asc,
+        dsc
+    }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/action/ListIOCsActionResponse.java b/src/main/java/org/opensearch/securityanalytics/action/ListIOCsActionResponse.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.securityanalytics.action;
+
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.securityanalytics.model.STIX2IOCDto;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+public class ListIOCsActionResponse extends ActionResponse implements ToXContentObject {
+    public static String TOTAL_HITS_FIELD = "total";
+    public static String HITS_FIELD = "iocs";
+
+    public static ListIOCsActionResponse EMPTY_RESPONSE = new ListIOCsActionResponse(0, Collections.emptyList());
+
+    private long totalHits;
+    private List<STIX2IOCDto> hits;
+
+    public ListIOCsActionResponse(long totalHits, List<STIX2IOCDto> hits) {
+        super();
+        this.totalHits = totalHits;
+        this.hits = hits;
+    }
+
+    public ListIOCsActionResponse(StreamInput sin) throws IOException {
+        this(sin.readInt(), sin.readList(STIX2IOCDto::new));
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeLong(totalHits);
+        out.writeList(hits);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        return builder.startObject()
+                .field(TOTAL_HITS_FIELD, totalHits)
+                .field(HITS_FIELD, hits)
+                .endObject();
+    }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/model/STIX2IOC.java b/src/main/java/org/opensearch/securityanalytics/model/STIX2IOC.java
@@ -19,8 +19,8 @@
 
 import java.io.IOException;
 import java.time.Instant;
+import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 
@@ -161,7 +161,7 @@ public static STIX2IOC parse(XContentParser xcp, String id, Long version) throws
         Instant created = null;
         Instant modified = null;
         String description = null;
-        List<String> labels = Collections.emptyList();
+        List<String> labels = new ArrayList<>();
         String feedId = null;
         String specVersion = null;
 
@@ -190,7 +190,7 @@ public static STIX2IOC parse(XContentParser xcp, String id, Long version) throws
                     if (xcp.currentToken() == XContentParser.Token.VALUE_NULL) {
                         created = null;
                     } else if (xcp.currentToken().isValue()) {
-                        created = Instant.ofEpochMilli(xcp.longValue());
+                        created = Instant.parse(xcp.text());
                     } else {
                         XContentParserUtils.throwUnknownToken(xcp.currentToken(), xcp.getTokenLocation());
                         created = null;
@@ -200,7 +200,7 @@ public static STIX2IOC parse(XContentParser xcp, String id, Long version) throws
                     if (xcp.currentToken() == XContentParser.Token.VALUE_NULL) {
                         modified = null;
                     } else if (xcp.currentToken().isValue()) {
-                        modified = Instant.ofEpochMilli(xcp.longValue());
+                        modified = Instant.parse(xcp.text());
                     } else {
                         XContentParserUtils.throwUnknownToken(xcp.currentToken(), xcp.getTokenLocation());
                         modified = null;

diff --git a/src/main/java/org/opensearch/securityanalytics/model/STIX2IOCDto.java b/src/main/java/org/opensearch/securityanalytics/model/STIX2IOCDto.java
@@ -19,7 +19,7 @@
 
 import java.io.IOException;
 import java.time.Instant;
-import java.util.Collections;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
 
@@ -42,7 +42,7 @@ public class STIX2IOCDto implements Writeable, ToXContentObject {
     private String specVersion;
     private long version;
 
-    // No arguments contructor needed for parsing from S3
+    // No arguments constructor needed for parsing from S3
     public STIX2IOCDto() {}
 
     public STIX2IOCDto(
@@ -148,7 +148,7 @@ public static STIX2IOCDto parse(XContentParser xcp, String id, Long version) thr
         Instant created = null;
         Instant modified = null;
         String description = null;
-        List<String> labels = Collections.emptyList();
+        List<String> labels = new ArrayList<>();
         String feedId = null;
         String specVersion = null;
 
@@ -162,7 +162,7 @@ public static STIX2IOCDto parse(XContentParser xcp, String id, Long version) thr
                     name = xcp.text();
                     break;
                 case STIX2.TYPE_FIELD:
-                    type = IOCType.valueOf(xcp.text().toUpperCase(Locale.ROOT));
+                    type = IOCType.valueOf(xcp.text().toLowerCase(Locale.ROOT));
                     break;
                 case STIX2.VALUE_FIELD:
                     value = xcp.text();
@@ -174,7 +174,7 @@ public static STIX2IOCDto parse(XContentParser xcp, String id, Long version) thr
                     if (xcp.currentToken() == XContentParser.Token.VALUE_NULL) {
                         created = null;
                     } else if (xcp.currentToken().isValue()) {
-                        created = Instant.ofEpochMilli(xcp.longValue());
+                        created = Instant.parse(xcp.text());
                     } else {
                         XContentParserUtils.throwUnknownToken(xcp.currentToken(), xcp.getTokenLocation());
                         created = null;
@@ -184,7 +184,7 @@ public static STIX2IOCDto parse(XContentParser xcp, String id, Long version) thr
                     if (xcp.currentToken() == XContentParser.Token.VALUE_NULL) {
                         modified = null;
                     } else if (xcp.currentToken().isValue()) {
-                        modified = Instant.ofEpochMilli(xcp.longValue());
+                        modified = Instant.parse(xcp.text());
                     } else {
                         XContentParserUtils.throwUnknownToken(xcp.currentToken(), xcp.getTokenLocation());
                         modified = null;

diff --git a/src/main/java/org/opensearch/securityanalytics/resthandler/RestListIOCsAction.java b/src/main/java/org/opensearch/securityanalytics/resthandler/RestListIOCsAction.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.securityanalytics.resthandler;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.rest.BaseRestHandler;
+import org.opensearch.rest.BytesRestResponse;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.RestResponse;
+import org.opensearch.rest.action.RestResponseListener;
+import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
+import org.opensearch.securityanalytics.action.ListIOCsAction;
+import org.opensearch.securityanalytics.action.ListIOCsActionRequest;
+import org.opensearch.securityanalytics.action.ListIOCsActionResponse;
+import org.opensearch.securityanalytics.commons.model.STIX2;
+import org.opensearch.securityanalytics.model.STIX2IOC;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Locale;
+
+public class RestListIOCsAction extends BaseRestHandler {
+    private static final Logger log = LogManager.getLogger(RestListIOCsAction.class);
+
+    public String getName() {
+        return "list_iocs_action";
+    }
+
+    public List<Route> routes() {
+        return List.of(
+                new Route(RestRequest.Method.GET, SecurityAnalyticsPlugin.LIST_IOCS_URI)
+        );
+    }
+
+    @Override
+    protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
+        log.debug(String.format(Locale.ROOT, "%s %s", request.method(), SecurityAnalyticsPlugin.LIST_IOCS_URI));
+
+        int startIndex = request.paramAsInt(ListIOCsActionRequest.START_INDEX_FIELD, 0);
+        int size = request.paramAsInt(ListIOCsActionRequest.SIZE_FIELD, 10);
+        String sortOrder = request.param(ListIOCsActionRequest.SORT_ORDER_FIELD, ListIOCsActionRequest.SortOrder.asc.toString());
+        String sortString = request.param(ListIOCsActionRequest.SORT_STRING_FIELD, STIX2.NAME_FIELD);
+        String search = request.param(ListIOCsActionRequest.SEARCH_FIELD, "");
+        String type = request.param(ListIOCsActionRequest.TYPE_FIELD, ListIOCsActionRequest.ALL_TYPES_FILTER);
+        String feedId = request.param(STIX2IOC.FEED_ID_FIELD, "");
+
+        ListIOCsActionRequest listRequest = new ListIOCsActionRequest(startIndex, size, sortOrder, sortString, search, type, feedId);
+
+        return channel -> client.execute(ListIOCsAction.INSTANCE, listRequest, new RestResponseListener<>(channel) {
+            @Override
+            public RestResponse buildResponse(ListIOCsActionResponse response) throws Exception {
+                return new BytesRestResponse(RestStatus.OK, response.toXContent(channel.newBuilder(), ToXContent.EMPTY_PARAMS));
+            }
+        });
+    }
+}