From 89984cbd647c2dfa7952babdb9900439edf30f0e Mon Sep 17 00:00:00 2001
From: Surya Sashank Nistala
Date: Mon, 16 Oct 2023 15:22:36 -0700
Subject: [PATCH] Revert "adds ioc fields list in log type config files and ioc fields object in LogType POJO"

This reverts commit 9bb5ecc0ede81d63e6f58534370e465265d77d81.
---
 src/main/resources/OSMapping/ad_ldap_logtype.json | 3 +--
 .../resources/OSMapping/apache_access_logtype.json | 3 +--
 src/main/resources/OSMapping/azure_logtype.json | 3 +--
 .../resources/OSMapping/cloudtrail_logtype.json | 10 +---------
 src/main/resources/OSMapping/dns_logtype.json | 10 +---------
 src/main/resources/OSMapping/github_logtype.json | 3 +--
 .../resources/OSMapping/gworkspace_logtype.json | 3 +--
 src/main/resources/OSMapping/linux_logtype.json | 3 +--
 src/main/resources/OSMapping/m365_logtype.json | 3 +--
 src/main/resources/OSMapping/netflow_logtype.json | 11 +----------
 src/main/resources/OSMapping/network_logtype.json | 11 +----------
 src/main/resources/OSMapping/okta_logtype.json | 3 +--
 .../OSMapping/others_application_logtype.json | 3 +--
 .../resources/OSMapping/others_apt_logtype.json | 3 +--
 .../resources/OSMapping/others_cloud_logtype.json | 3 +--
 .../OSMapping/others_compliance_logtype.json | 3 +--
 .../resources/OSMapping/others_macos_logtype.json | 3 +--
 .../resources/OSMapping/others_proxy_logtype.json | 3 +--
 .../resources/OSMapping/others_web_logtype.json | 3 +--
 src/main/resources/OSMapping/s3_logtype.json | 3 +--
 src/main/resources/OSMapping/vpcflow_logtype.json | 11 +----------
 src/main/resources/OSMapping/waf_logtype.json | 3 +--
 src/main/resources/OSMapping/windows_logtype.json | 8 +-------
 .../securityanalytics/LogTypeServiceTests.java | 3 +--
 .../securityanalytics/model/WriteableTests.java | 8 +++-----
 .../securityanalytics/writable/LogTypeTests.java | 13 +++----------
 26 files changed, 30 insertions(+), 106 deletions(-)
diff --git a/src/main/resources/OSMapping/ad_ldap_logtype.json b/src/main/resources/OSMapping/ad_ldap_logtype.json
index be2dd5488..e3434bca5 100644
--- a/src/main/resources/OSMapping/ad_ldap_logtype.json
+++ b/src/main/resources/OSMapping/ad_ldap_logtype.json
@@ -2,8 +2,7 @@
 "name": "ad_ldap",
 "description": "AD/LDAP",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"TargetUserName",
 "ecs":"azure.signinlogs.properties.user_id"
diff --git a/src/main/resources/OSMapping/apache_access_logtype.json b/src/main/resources/OSMapping/apache_access_logtype.json
index 714fa2acb..7753c8440 100644
--- a/src/main/resources/OSMapping/apache_access_logtype.json
+++ b/src/main/resources/OSMapping/apache_access_logtype.json
@@ -2,6 +2,5 @@
 "name": "apache_access",
 "description": "Apache Access Log type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[]
+ "mappings": []
 }
diff --git a/src/main/resources/OSMapping/azure_logtype.json b/src/main/resources/OSMapping/azure_logtype.json
index bb55dbe5f..ec9ae0502 100644
--- a/src/main/resources/OSMapping/azure_logtype.json
+++ b/src/main/resources/OSMapping/azure_logtype.json
@@ -2,8 +2,7 @@
 "name": "azure",
 "description": "Azure Log Type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"Resultdescription",
 "ecs":"azure.signinlogs.result_description"
diff --git a/src/main/resources/OSMapping/cloudtrail_logtype.json b/src/main/resources/OSMapping/cloudtrail_logtype.json
index 8c2ea3b3a..389652373 100644
--- a/src/main/resources/OSMapping/cloudtrail_logtype.json
+++ b/src/main/resources/OSMapping/cloudtrail_logtype.json
@@ -2,15 +2,7 @@
 "name": "cloudtrail",
 "description": "Cloudtrail Log Type",
 "is_builtin": true,
- "ioc_fields": [
- {
- "ioc": "ip",
- "fields": [
- "src_endpoint.ip"
- ]
- }
- ],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"eventName",
 "ecs":"aws.cloudtrail.event_name",
diff --git a/src/main/resources/OSMapping/dns_logtype.json b/src/main/resources/OSMapping/dns_logtype.json
index ef012407f..ca2f5451a 100644
--- a/src/main/resources/OSMapping/dns_logtype.json
+++ b/src/main/resources/OSMapping/dns_logtype.json
@@ -2,15 +2,7 @@
 "name": "dns",
 "description": "DNS Log Type",
 "is_builtin": true,
- "ioc_fields": [
- {
- "ioc": "ip",
- "fields": [
- "src_endpoint.ip"
- ]
- }
- ],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"record_type",
 "ecs":"dns.answers.type",
diff --git a/src/main/resources/OSMapping/github_logtype.json b/src/main/resources/OSMapping/github_logtype.json
index 31ec6ee59..6369e2949 100644
--- a/src/main/resources/OSMapping/github_logtype.json
+++ b/src/main/resources/OSMapping/github_logtype.json
@@ -2,8 +2,7 @@
 "name": "github",
 "description": "Github Log Type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"action",
 "ecs":"github.action"
diff --git a/src/main/resources/OSMapping/gworkspace_logtype.json b/src/main/resources/OSMapping/gworkspace_logtype.json
index 7c5766895..b0006b6a3 100644
--- a/src/main/resources/OSMapping/gworkspace_logtype.json
+++ b/src/main/resources/OSMapping/gworkspace_logtype.json
@@ -2,8 +2,7 @@
 "name": "gworkspace",
 "description": "GWorkspace Log Type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"eventSource",
 "ecs":"google_workspace.admin.service.name"
diff --git a/src/main/resources/OSMapping/linux_logtype.json b/src/main/resources/OSMapping/linux_logtype.json
index 5b77de6b3..f719913c0 100644
--- a/src/main/resources/OSMapping/linux_logtype.json
+++ b/src/main/resources/OSMapping/linux_logtype.json
@@ -2,8 +2,7 @@
 "name": "linux",
 "description": "Linux Log Type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"name",
 "ecs":"user.filesystem.name"
diff --git a/src/main/resources/OSMapping/m365_logtype.json b/src/main/resources/OSMapping/m365_logtype.json
index e19c2418e..6547d3d63 100644
--- a/src/main/resources/OSMapping/m365_logtype.json
+++ b/src/main/resources/OSMapping/m365_logtype.json
@@ -2,8 +2,7 @@
 "name": "m365",
 "description": "Microsoft 365 Log Type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"eventSource",
 "ecs":"rsa.misc.event_source"
diff --git a/src/main/resources/OSMapping/netflow_logtype.json b/src/main/resources/OSMapping/netflow_logtype.json
index 9dc015198..d8ec32632 100644
--- a/src/main/resources/OSMapping/netflow_logtype.json
+++ b/src/main/resources/OSMapping/netflow_logtype.json
@@ -2,16 +2,7 @@
 "name": "netflow",
 "description": "Netflow Log Type used only in Integration Tests",
 "is_builtin": true,
- "ioc_fields": [
- {
- "ioc": "ip",
- "fields": [
- "destination.ip",
- "source.ip"
- ]
- }
- ],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"netflow.source_ipv4_address",
 "ecs":"source.ip"
diff --git a/src/main/resources/OSMapping/network_logtype.json b/src/main/resources/OSMapping/network_logtype.json
index 2ca92a1ad..90f0b2ee6 100644
--- a/src/main/resources/OSMapping/network_logtype.json
+++ b/src/main/resources/OSMapping/network_logtype.json
@@ -2,16 +2,7 @@
 "name": "network",
 "description": "Network Log Type",
 "is_builtin": true,
- "ioc_fields": [
- {
- "ioc": "ip",
- "fields": [
- "destination.ip",
- "source.ip"
- ]
- }
- ],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"action",
 "ecs":"netflow.firewall_event"
diff --git a/src/main/resources/OSMapping/okta_logtype.json b/src/main/resources/OSMapping/okta_logtype.json
index e73a0c273..8038b7f01 100644
--- a/src/main/resources/OSMapping/okta_logtype.json
+++ b/src/main/resources/OSMapping/okta_logtype.json
@@ -2,8 +2,7 @@
 "name": "okta",
 "description": "Okta Log Type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"eventtype",
 "ecs":"okta.event_type"
diff --git a/src/main/resources/OSMapping/others_application_logtype.json b/src/main/resources/OSMapping/others_application_logtype.json
index 4008602d4..d7faf8c94 100644
--- a/src/main/resources/OSMapping/others_application_logtype.json
+++ b/src/main/resources/OSMapping/others_application_logtype.json
@@ -2,8 +2,7 @@
 "name": "others_application",
 "description": "others_application",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"record_type",
 "ecs":"dns.answers.type"
diff --git a/src/main/resources/OSMapping/others_apt_logtype.json b/src/main/resources/OSMapping/others_apt_logtype.json
index 1a4ca711f..ace55cbc3 100644
--- a/src/main/resources/OSMapping/others_apt_logtype.json
+++ b/src/main/resources/OSMapping/others_apt_logtype.json
@@ -2,8 +2,7 @@
 "name": "others_apt",
 "description": "others_apt",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"record_type",
 "ecs":"dns.answers.type"
diff --git a/src/main/resources/OSMapping/others_cloud_logtype.json b/src/main/resources/OSMapping/others_cloud_logtype.json
index 64cbc7935..b5da3e005 100644
--- a/src/main/resources/OSMapping/others_cloud_logtype.json
+++ b/src/main/resources/OSMapping/others_cloud_logtype.json
@@ -2,8 +2,7 @@
 "name": "others_cloud",
 "description": "others_cloud",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"record_type",
 "ecs":"dns.answers.type"
diff --git a/src/main/resources/OSMapping/others_compliance_logtype.json b/src/main/resources/OSMapping/others_compliance_logtype.json
index 6e065795a..6f362d589 100644
--- a/src/main/resources/OSMapping/others_compliance_logtype.json
+++ b/src/main/resources/OSMapping/others_compliance_logtype.json
@@ -2,8 +2,7 @@
 "name": "others_compliance",
 "description": "others_compliance",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"record_type",
 "ecs":"dns.answers.type"
diff --git a/src/main/resources/OSMapping/others_macos_logtype.json b/src/main/resources/OSMapping/others_macos_logtype.json
index 6b6452100..50d1c2160 100644
--- a/src/main/resources/OSMapping/others_macos_logtype.json
+++ b/src/main/resources/OSMapping/others_macos_logtype.json
@@ -2,8 +2,7 @@
 "name": "others_macos",
 "description": "others_macos",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"record_type",
 "ecs":"dns.answers.type"
diff --git a/src/main/resources/OSMapping/others_proxy_logtype.json b/src/main/resources/OSMapping/others_proxy_logtype.json
index a2b0794a4..aca4529d1 100644
--- a/src/main/resources/OSMapping/others_proxy_logtype.json
+++ b/src/main/resources/OSMapping/others_proxy_logtype.json
@@ -2,8 +2,7 @@
 "name": "others_proxy",
 "description": "others_proxy",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"record_type",
 "ecs":"dns.answers.type"
diff --git a/src/main/resources/OSMapping/others_web_logtype.json b/src/main/resources/OSMapping/others_web_logtype.json
index b46adc6a4..ae8262d52 100644
--- a/src/main/resources/OSMapping/others_web_logtype.json
+++ b/src/main/resources/OSMapping/others_web_logtype.json
@@ -2,8 +2,7 @@
 "name": "others_web",
 "description": "others_web",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"record_type",
 "ecs":"dns.answers.type"
diff --git a/src/main/resources/OSMapping/s3_logtype.json b/src/main/resources/OSMapping/s3_logtype.json
index 20c896df6..58c546258 100644
--- a/src/main/resources/OSMapping/s3_logtype.json
+++ b/src/main/resources/OSMapping/s3_logtype.json
@@ -2,8 +2,7 @@
 "name": "s3",
 "description": "S3 Log Type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"eventName",
 "ecs":"aws.cloudtrail.event_name"
diff --git a/src/main/resources/OSMapping/vpcflow_logtype.json b/src/main/resources/OSMapping/vpcflow_logtype.json
index 29d9f38c2..c55305b6d 100644
--- a/src/main/resources/OSMapping/vpcflow_logtype.json
+++ b/src/main/resources/OSMapping/vpcflow_logtype.json
@@ -2,16 +2,7 @@
 "name": "vpcflow",
 "description": "VPC Flow Log Type",
 "is_builtin": true,
- "ioc_fields": [
- {
- "ioc": "ip",
- "fields": [
- "dst_endpoint.ip",
- "src_endpoint.ip"
- ]
- }
- ],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"version",
 "ecs":"netflow.version",
diff --git a/src/main/resources/OSMapping/waf_logtype.json b/src/main/resources/OSMapping/waf_logtype.json
index 3e5b1f4f1..5eed2c2fb 100644
--- a/src/main/resources/OSMapping/waf_logtype.json
+++ b/src/main/resources/OSMapping/waf_logtype.json
@@ -2,8 +2,7 @@
 "name": "waf",
 "description": "Web Application Firewall Log Type",
 "is_builtin": true,
- "ioc_fields" : [],
- "mappings":[
+ "mappings": [
 {
 "raw_field":"cs-method",
 "ecs":"waf.request.method"
diff --git a/src/main/resources/OSMapping/windows_logtype.json b/src/main/resources/OSMapping/windows_logtype.json
index ec9b3ed1a..a5fef8ea7 100644
--- a/src/main/resources/OSMapping/windows_logtype.json
+++ b/src/main/resources/OSMapping/windows_logtype.json
@@ -2,13 +2,7 @@
 "name": "windows",
 "description": "Windows Log Type",
 "is_builtin": true,
- "ioc_fields" : [
- {
- "ioc": "ip",
- "fields": ["destination.ip","source.ip"]
- }
- ],
- "mappings": [
+ "mappings":[
 {
 "raw_field":"AccountName",
 "ecs":"winlog.computerObject.name"
diff --git a/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java b/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java
index 64288f669..8eb717e60 100644
--- a/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/LogTypeServiceTests.java
@@ -50,8 +50,7 @@ protected void beforeTest() throws Exception {
 new LogType.Mapping("rawFld1", "ecsFld1", "ocsfFld1"),
 new LogType.Mapping("rawFld2", "ecsFld2", "ocsfFld2"),
 new LogType.Mapping("rawFld3", "ecsFld3", "ocsfFld3")
- ),
- List.of(new LogType.IocFields("ip", List.of("dst.ip")))
+ )
 )
 );
 when(builtinLogTypeLoader.getAllLogTypes()).thenReturn(dummyLogTypes);
diff --git a/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java b/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
index 7c16e5f6f..e82911c1b 100644
--- a/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/model/WriteableTests.java
@@ -50,8 +50,7 @@ public void testEmptyUserAsStream() throws IOException {
 public void testLogTypeAsStreamRawFieldOnly() throws IOException {
 LogType logType = new LogType(
 "1", "my_log_type", "description", false,
- List.of(new LogType.Mapping("rawField", null, null)),
- List.of(new LogType.IocFields("ip", List.of("dst.ip")))
+ List.of(new LogType.Mapping("rawField", null, null))
 );
 BytesStreamOutput out = new BytesStreamOutput();
 logType.writeTo(out);
@@ -67,8 +66,7 @@ public void testLogTypeAsStreamRawFieldOnly() throws IOException {
 public void testLogTypeAsStreamFull() throws IOException {
 LogType logType = new LogType(
 "1", "my_log_type", "description", false,
- List.of(new LogType.Mapping("rawField", "some_ecs_field", "some_ocsf_field")),
- List.of(new LogType.IocFields("ip", List.of("dst.ip")))
+ List.of(new LogType.Mapping("rawField", "some_ecs_field", "some_ocsf_field"))
 );
 BytesStreamOutput out = new BytesStreamOutput();
 logType.writeTo(out);
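Review bot: The new five-argument `new LogType(...)` call in `beforeTest` only compiles if `LogType` no longer takes the ioc-fields list, yet the diffstat names only the 23 `OSMapping/*.json` resources and three test classes — no file under `src/main/java`, so `LogType.java` itself is not touched by this patch even though the subject says the POJO change is reverted. Unless the POJO was reverted in a separate commit, this hunk and the matching constructor calls in the `WriteableTests` and `LogTypeTests` hunks would reference a constructor that does not exist; worth confirming the build before merging, and if the POJO revert is separate, saying so in the description. `beforeTest` starts before this hunk and its body continues past the `when(...)` line.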
@@ -82,7 +80,7 @@ public void testLogTypeAsStreamFull() throws IOException {
 }
 
 public void testLogTypeAsStreamNoMappings() throws IOException {
- LogType logType = new LogType("1", "my_log_type", "description", false, null, null);
+ LogType logType = new LogType("1", "my_log_type", "description", false, null);
 BytesStreamOutput out = new BytesStreamOutput();
 logType.writeTo(out);
 StreamInput sin = StreamInput.wrap(out.bytes().toBytesRef().bytes);
diff --git a/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java b/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
index d9d592641..4ede7891b 100644
--- a/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
+++ b/src/test/java/org/opensearch/securityanalytics/writable/LogTypeTests.java
@@ -21,8 +21,7 @@ public class LogTypeTests {
 public void testLogTypeAsStreamRawFieldOnly() throws IOException {
 LogType logType = new LogType(
 "1", "my_log_type", "description", false,
- List.of(new LogType.Mapping("rawField", null, null)),
- List.of(new LogType.IocFields("ip", List.of("dst.ip")))
+ List.of(new LogType.Mapping("rawField", null, null))
 );
 BytesStreamOutput out = new BytesStreamOutput();
 logType.writeTo(out);
@@ -33,16 +32,13 @@ public void testLogTypeAsStreamRawFieldOnly() throws IOException {
 assertEquals(logType.getIsBuiltIn(), newLogType.getIsBuiltIn());
 assertEquals(logType.getMappings().size(), newLogType.getMappings().size());
 assertEquals(logType.getMappings().get(0).getRawField(), newLogType.getMappings().get(0).getRawField());
- assertEquals(logType.getIocFieldsList().get(0).getFields().get(0), newLogType.getIocFieldsList().get(0).getFields().get(0));
- assertEquals(logType.getIocFieldsList().get(0).getIoc(), newLogType.getIocFieldsList().get(0).getIoc());
 }
 
 @Test
 public void testLogTypeAsStreamFull() throws IOException {
 LogType logType = new LogType(
 "1", "my_log_type", "description", false,
- List.of(new LogType.Mapping("rawField", "some_ecs_field", "some_ocsf_field")),
- List.of(new LogType.IocFields("ip", List.of("dst.ip")))
+ List.of(new LogType.Mapping("rawField", "some_ecs_field", "some_ocsf_field"))
 );
 BytesStreamOutput out = new BytesStreamOutput();
 logType.writeTo(out);
@@ -53,14 +49,11 @@ public void testLogTypeAsStreamFull() throws IOException {
 assertEquals(logType.getIsBuiltIn(), newLogType.getIsBuiltIn());
 assertEquals(logType.getMappings().size(), newLogType.getMappings().size());
 assertEquals(logType.getMappings().get(0).getRawField(), newLogType.getMappings().get(0).getRawField());
- assertEquals(logType.getIocFieldsList().get(0).getFields().get(0), newLogType.getIocFieldsList().get(0).getFields().get(0));
- assertEquals(logType.getIocFieldsList().get(0).getIoc(), newLogType.getIocFieldsList().get(0).getIoc());
-
 }
 
 @Test
 public void testLogTypeAsStreamNoMappings() throws IOException {
- LogType logType = new LogType("1", "my_log_type", "description", false, null, null);
+ LogType logType = new LogType("1", "my_log_type", "description", false, null);
 BytesStreamOutput out = new BytesStreamOutput();
 logType.writeTo(out);
 StreamInput sin = StreamInput.wrap(out.bytes().toBytesRef().bytes);
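Review bot: With the ioc-field assertions gone, the remaining round-trip checks in `testLogTypeAsStreamFull` (the `@@ -53` hunk) compare only `getMappings().size()` and `getMappings().get(0).getRawField()`, although the mapping built in the previous hunk also carries `"some_ecs_field"` and `"some_ocsf_field"`; a serialization slip in either of those two fields would pass this test unnoticed. Add assertions for the ECS and OCSF values through whatever accessors `LogType.Mapping` exposes for them, placed right after the existing `getRawField()` line; `WriteableTests.testLogTypeAsStreamFull` presumably has the same gap, though its assertions are outside the hunks shown. The method starts before this hunk, and the `testLogTypeAsStreamNoMappings` body continues past its last line.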