Skip to content

Commit

Permalink
Integrate threat intel feeds (#669) (#691)
Browse files Browse the repository at this point in the history
* add mapping for indices storing threat intel feed data



* fix feed indices mapping



* add threat intel feed data dao



* add threatIntelEnabled field in detector.



* add threat intel feed service and searching feeds



* ti feed data to doc level query convertor logic added



* plug threat intel feed into detector creation



* Preliminary framework for jobscheduler and datasource (#626)



* create doc level query from threat intel feed data index docs"



* handle threat intel enabled check during detector updation



* add tests for testing threat intel feed integration with detectors



* Threat intel feeds job runner and unit tests (#654)

* fix doc level query constructor (#651)



* add mapping for indices storing threat intel feed data

* fix feed indices mapping

* add threat intel feed data dao



* add threatIntelEnabled field in detector.



* add threat intel feed service and searching feeds



* ti feed data to doc level query convertor logic added

* plug threat intel feed into detector creation



* Preliminary framework for jobscheduler and datasource (#626)



* with listener and processor



* removed actions



* clean up



* added parser



* add unit tests



* refactored class names



* before moving db



* after moving db



* added actions to plugin and removed user schedule



* unit tests



* fix build error



* changed transport naming



---------





* converge job scheduler code with threat intel feed integration in detectors



* converge job scheduler and detector threat intel code



* add feed metadata config files in src and test



* adds ioc fields list in log type config files and ioc fields object in LogType POJO



* fix compilation issues in tests



* test udpate detector disabling threat intel



* add tests for detector creation and updation with threat intel



* Threat intel test (#673)

* add mapping for indices storing threat intel feed data

* fix feed indices mapping

* add threat intel feed data dao



* add threatIntelEnabled field in detector.



* add threat intel feed service and searching feeds



* ti feed data to doc level query convertor logic added

* plug threat intel feed into detector creation



* Preliminary framework for jobscheduler and datasource (#626)



* create doc level query from threat intel feed data index docs"



* handle threat intel enabled check during detector updation

* add tests for testing threat intel feed integration with detectors



* Threat intel feeds job runner and unit tests (#654)

* fix doc level query constructor (#651)



* add mapping for indices storing threat intel feed data

* fix feed indices mapping

* add threat intel feed data dao



* add threatIntelEnabled field in detector.



* add threat intel feed service and searching feeds



* ti feed data to doc level query convertor logic added

* plug threat intel feed into detector creation



* Preliminary framework for jobscheduler and datasource (#626)



* with listener and processor



* removed actions



* clean up



* added parser



* add unit tests



* refactored class names



* before moving db



* after moving db



* added actions to plugin and removed user schedule



* unit tests



* fix build error



* changed transport naming



---------





* converge job scheduler code with threat intel feed integration in detectors



* refactored out unecessary



* added headers and cleaned up



* converge job scheduler and detector threat intel code



* working on testing



* fixed the parser and build.gradle



* add mapping for indices storing threat intel feed data

* fix feed indices mapping

* add threat intel feed data dao



* add threatIntelEnabled field in detector.



* add threat intel feed service and searching feeds



* ti feed data to doc level query convertor logic added

* plug threat intel feed into detector creation



* Preliminary framework for jobscheduler and datasource (#626)



* create doc level query from threat intel feed data index docs"



* handle threat intel enabled check during detector updation

* add tests for testing threat intel feed integration with detectors



* Threat intel feeds job runner and unit tests (#654)

* fix doc level query constructor (#651)



* add mapping for indices storing threat intel feed data

* fix feed indices mapping

* add threat intel feed data dao



* add threatIntelEnabled field in detector.



* add threat intel feed service and searching feeds



* ti feed data to doc level query convertor logic added

* plug threat intel feed into detector creation



* Preliminary framework for jobscheduler and datasource (#626)



* with listener and processor



* removed actions



* clean up



* added parser



* add unit tests



* refactored class names



* before moving db



* after moving db



* added actions to plugin and removed user schedule



* unit tests



* fix build error



* changed transport naming



---------





* converge job scheduler code with threat intel feed integration in detectors



* converge job scheduler and detector threat intel code



* add feed metadata config files in src and test



* clean up some tests



* fixed merge conflicts



* adds ioc fields list in log type config files and ioc fields object in LogType POJO

* update csv parser and new metadata field



* fixed job scheduler interval settings



* add tests for ioc to fields for each log type



* removed wildcards



---------







* fix threat intel integ tests and add update detector logic



* JS for Threat intel feeds - changed extension (#675)

* merge conflicts



* fixed java wildcards and changed update key name



* integ test failing



* fix job scheduler params



* changed extension and has debug messages



* clean up



* fixed job scheduler plugin spi jar resolution

* cleaned up TODOs and changed job scheduler name



---------




* TIF Job Runner Cleanup (#676)

* merge conflicts



* fixed java wildcards and changed update key name



* integ test failing



* fix job scheduler params



* changed extension and has debug messages



* clean up



* fixed job scheduler plugin spi jar resolution

* cleaned up TODOs and changed job scheduler name



* removed google commons unused import, updated interval setting, removed rest action



* removed policy file and updated name for job scheduler



* responded to comments about parameter validator and TIFMetadata



* refactored ThreatIntelFeedDataService and changed variables to public static final where possible



* changed opensearch-sap-threatintel to opensearch-sap-threat-intel



---------





* fix TIFJobParameter class



* test detector updation when feed updation job runs



* removed delete job scheduler code and cleaned up (#678)



* working integ test (#680)



* fix timeout of tif job creation



* remove unncessary thread forking in put tif job action



* refactoring code to address review comments



* detector trigger detection types


* pull out threat intel rest tests into separate test class



* add detection types testing in detector trigger for rules and threat intel detection scenarios



* add license header



* add threat intel field aliases in mapping view response



* fix threat intel feed parser



* fix workflow failing test



* spotless check failures fixed



* remove dockerfile (#689)



---------

Signed-off-by: Surya Sashank Nistala <[email protected]>
Signed-off-by: Joanne Wang <[email protected]>
Signed-off-by: Joanne Wang <[email protected]>
Co-authored-by: Surya Sashank Nistala <[email protected]>
  • Loading branch information
jowg-amazon and eirsep authored Oct 26, 2023
1 parent ef92b4f commit eccf388
Show file tree
Hide file tree
Showing 97 changed files with 6,042 additions and 409 deletions.
32 changes: 20 additions & 12 deletions build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ opensearchplugin {
name 'opensearch-security-analytics'
description 'OpenSearch Security Analytics plugin'
classname 'org.opensearch.securityanalytics.SecurityAnalyticsPlugin'
extendedPlugins = ['opensearch-job-scheduler']
}

javaRestTest {
Expand Down Expand Up @@ -145,12 +146,6 @@ configurations.all {
sourceSets.main.java.srcDirs = ['src/main/generated','src/main/java']
configurations {
zipArchive

all {
resolutionStrategy {
force "com.google.guava:guava:32.0.1-jre"
}
}
}

dependencies {
Expand All @@ -161,17 +156,14 @@ dependencies {
api "org.opensearch:common-utils:${common_utils_version}@jar"
api "org.opensearch.client:opensearch-rest-client:${opensearch_version}"
implementation "org.jetbrains.kotlin:kotlin-stdlib:${kotlin_version}"
compileOnly "org.opensearch:opensearch-job-scheduler-spi:${opensearch_build}"
implementation "org.apache.commons:commons-csv:1.10.0"

// Needed for integ tests
zipArchive group: 'org.opensearch.plugin', name:'alerting', version: "${opensearch_build}"
zipArchive group: 'org.opensearch.plugin', name:'opensearch-notifications-core', version: "${opensearch_build}"
zipArchive group: 'org.opensearch.plugin', name:'notifications', version: "${opensearch_build}"

//spotless
implementation('com.google.googlejavaformat:google-java-format:1.17.0') {
exclude group: 'com.google.guava'
}
implementation 'com.google.guava:guava:32.0.1-jre'
zipArchive group: 'org.opensearch.plugin', name:'opensearch-job-scheduler', version: "${opensearch_build}"
}

// RPM & Debian build
Expand Down Expand Up @@ -293,6 +285,22 @@ testClusters.integTest {
}
}
}))
plugin(provider({
new RegularFile() {
@Override
File getAsFile() {
return configurations.zipArchive.asFileTree.matching {
include '**/opensearch-job-scheduler*'
}.singleFile
}
}
}))
nodes.each { node ->
def plugins = node.plugins
def firstPlugin = plugins.get(0)
plugins.remove(0)
plugins.add(firstPlugin)
}
}

run {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,16 +8,14 @@
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Supplier;
import java.util.Optional;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.cluster.routing.Preference;
import org.opensearch.cluster.metadata.IndexMetadata;
import org.opensearch.core.action.ActionListener;
import org.opensearch.action.ActionRequest;
import org.opensearch.core.action.ActionResponse;
import org.opensearch.action.search.SearchRequest;
import org.opensearch.action.search.SearchResponse;
import org.opensearch.client.Client;
import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
import org.opensearch.cluster.node.DiscoveryNode;
Expand All @@ -38,18 +36,21 @@
import org.opensearch.index.codec.CodecServiceFactory;
import org.opensearch.index.engine.EngineFactory;
import org.opensearch.index.mapper.Mapper;
import org.opensearch.index.query.QueryBuilders;
import org.opensearch.indices.SystemIndexDescriptor;
import org.opensearch.jobscheduler.spi.JobSchedulerExtension;
import org.opensearch.jobscheduler.spi.ScheduledJobParser;
import org.opensearch.jobscheduler.spi.ScheduledJobRunner;
import org.opensearch.plugins.ActionPlugin;
import org.opensearch.plugins.ClusterPlugin;
import org.opensearch.plugins.EnginePlugin;
import org.opensearch.plugins.MapperPlugin;
import org.opensearch.plugins.Plugin;
import org.opensearch.plugins.SearchPlugin;
import org.opensearch.plugins.SystemIndexPlugin;
import org.opensearch.repositories.RepositoriesService;
import org.opensearch.rest.RestController;
import org.opensearch.rest.RestHandler;
import org.opensearch.script.ScriptService;
import org.opensearch.search.builder.SearchSourceBuilder;
import org.opensearch.securityanalytics.action.*;
import org.opensearch.securityanalytics.correlation.index.codec.CorrelationCodecService;
import org.opensearch.securityanalytics.correlation.index.mapper.CorrelationVectorFieldMapper;
Expand All @@ -60,7 +61,18 @@
import org.opensearch.securityanalytics.mapper.IndexTemplateManager;
import org.opensearch.securityanalytics.mapper.MapperService;
import org.opensearch.securityanalytics.model.CustomLogType;
import org.opensearch.securityanalytics.model.ThreatIntelFeedData;
import org.opensearch.securityanalytics.resthandler.*;
import org.opensearch.securityanalytics.threatIntel.DetectorThreatIntelService;
import org.opensearch.securityanalytics.threatIntel.ThreatIntelFeedDataService;
import org.opensearch.securityanalytics.threatIntel.action.PutTIFJobAction;
import org.opensearch.securityanalytics.threatIntel.action.TransportPutTIFJobAction;
import org.opensearch.securityanalytics.threatIntel.common.TIFLockService;
import org.opensearch.securityanalytics.threatIntel.feedMetadata.BuiltInTIFMetadataLoader;
import org.opensearch.securityanalytics.threatIntel.jobscheduler.TIFJobParameter;
import org.opensearch.securityanalytics.threatIntel.jobscheduler.TIFJobParameterService;
import org.opensearch.securityanalytics.threatIntel.jobscheduler.TIFJobRunner;
import org.opensearch.securityanalytics.threatIntel.jobscheduler.TIFJobUpdateService;
import org.opensearch.securityanalytics.transport.*;
import org.opensearch.securityanalytics.model.Rule;
import org.opensearch.securityanalytics.model.Detector;
Expand All @@ -75,7 +87,9 @@
import org.opensearch.threadpool.ThreadPool;
import org.opensearch.watcher.ResourceWatcherService;

public class SecurityAnalyticsPlugin extends Plugin implements ActionPlugin, MapperPlugin, SearchPlugin, EnginePlugin, ClusterPlugin {
import static org.opensearch.securityanalytics.threatIntel.jobscheduler.TIFJobParameter.THREAT_INTEL_DATA_INDEX_NAME_PREFIX;

public class SecurityAnalyticsPlugin extends Plugin implements ActionPlugin, MapperPlugin, SearchPlugin, EnginePlugin, ClusterPlugin, SystemIndexPlugin, JobSchedulerExtension {

private static final Logger log = LogManager.getLogger(SecurityAnalyticsPlugin.class);

Expand All @@ -91,6 +105,8 @@ public class SecurityAnalyticsPlugin extends Plugin implements ActionPlugin, Map
public static final String CORRELATION_RULES_BASE_URI = PLUGINS_BASE_URI + "/correlation/rules";

public static final String CUSTOM_LOG_TYPE_URI = PLUGINS_BASE_URI + "/logtype";
public static final String JOB_INDEX_NAME = ".opensearch-sap--job";
public static final Map<String, Object> TIF_JOB_INDEX_SETTING = Map.of(IndexMetadata.SETTING_NUMBER_OF_SHARDS, 1, IndexMetadata.SETTING_AUTO_EXPAND_REPLICAS, "0-all", IndexMetadata.SETTING_INDEX_HIDDEN, true);

private CorrelationRuleIndices correlationRuleIndices;

Expand All @@ -113,8 +129,12 @@ public class SecurityAnalyticsPlugin extends Plugin implements ActionPlugin, Map
private BuiltinLogTypeLoader builtinLogTypeLoader;

private LogTypeService logTypeService;
@Override
public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings){
return Collections.singletonList(new SystemIndexDescriptor(THREAT_INTEL_DATA_INDEX_NAME_PREFIX, "System index used for threat intel data"));
}


private Client client;

@Override
public Collection<Object> createComponents(Client client,
Expand All @@ -128,7 +148,9 @@ public Collection<Object> createComponents(Client client,
NamedWriteableRegistry namedWriteableRegistry,
IndexNameExpressionResolver indexNameExpressionResolver,
Supplier<RepositoriesService> repositoriesServiceSupplier) {

builtinLogTypeLoader = new BuiltinLogTypeLoader();
BuiltInTIFMetadataLoader builtInTIFMetadataLoader = new BuiltInTIFMetadataLoader();
logTypeService = new LogTypeService(client, clusterService, xContentRegistry, builtinLogTypeLoader);
detectorIndices = new DetectorIndices(client.admin(), clusterService, threadPool);
ruleTopicIndices = new RuleTopicIndices(client, clusterService, logTypeService);
Expand All @@ -138,12 +160,18 @@ public Collection<Object> createComponents(Client client,
mapperService = new MapperService(client, clusterService, indexNameExpressionResolver, indexTemplateManager, logTypeService);
ruleIndices = new RuleIndices(logTypeService, client, clusterService, threadPool);
correlationRuleIndices = new CorrelationRuleIndices(client, clusterService);
this.client = client;
ThreatIntelFeedDataService threatIntelFeedDataService = new ThreatIntelFeedDataService(clusterService, client, indexNameExpressionResolver, xContentRegistry);
DetectorThreatIntelService detectorThreatIntelService = new DetectorThreatIntelService(threatIntelFeedDataService, client, xContentRegistry);
TIFJobParameterService tifJobParameterService = new TIFJobParameterService(client, clusterService);
TIFJobUpdateService tifJobUpdateService = new TIFJobUpdateService(clusterService, tifJobParameterService, threatIntelFeedDataService, builtInTIFMetadataLoader);
TIFLockService threatIntelLockService = new TIFLockService(clusterService, client);

TIFJobRunner.getJobRunnerInstance().initialize(clusterService, tifJobUpdateService, tifJobParameterService, threatIntelLockService, threadPool, detectorThreatIntelService);

return List.of(
detectorIndices, correlationIndices, correlationRuleIndices, ruleTopicIndices, customLogTypeIndices, ruleIndices,
mapperService, indexTemplateManager, builtinLogTypeLoader
);
mapperService, indexTemplateManager, builtinLogTypeLoader, builtInTIFMetadataLoader, threatIntelFeedDataService, detectorThreatIntelService,
tifJobUpdateService, tifJobParameterService, threatIntelLockService);
}

@Override
Expand Down Expand Up @@ -187,13 +215,34 @@ public List<RestHandler> getRestHandlers(Settings settings,
);
}

@Override
public String getJobType() {
return "opensearch_sap_job";
}

@Override
public String getJobIndex() {
return JOB_INDEX_NAME;
}

@Override
public ScheduledJobRunner getJobRunner() {
return TIFJobRunner.getJobRunnerInstance();
}

@Override
public ScheduledJobParser getJobParser() {
return (parser, id, jobDocVersion) -> TIFJobParameter.PARSER.parse(parser, null);
}

@Override
public List<NamedXContentRegistry.Entry> getNamedXContent() {
return List.of(
Detector.XCONTENT_REGISTRY,
DetectorInput.XCONTENT_REGISTRY,
Rule.XCONTENT_REGISTRY,
CustomLogType.XCONTENT_REGISTRY
CustomLogType.XCONTENT_REGISTRY,
ThreatIntelFeedData.XCONTENT_REGISTRY
);
}

Expand Down Expand Up @@ -243,7 +292,10 @@ public List<Setting<?>> getSettings() {
SecurityAnalyticsSettings.IS_CORRELATION_INDEX_SETTING,
SecurityAnalyticsSettings.CORRELATION_TIME_WINDOW,
SecurityAnalyticsSettings.DEFAULT_MAPPING_SCHEMA,
SecurityAnalyticsSettings.ENABLE_WORKFLOW_USAGE
SecurityAnalyticsSettings.ENABLE_WORKFLOW_USAGE,
SecurityAnalyticsSettings.TIF_UPDATE_INTERVAL,
SecurityAnalyticsSettings.BATCH_SIZE,
SecurityAnalyticsSettings.THREAT_INTEL_TIMEOUT
);
}

Expand Down Expand Up @@ -274,7 +326,8 @@ public List<Setting<?>> getSettings() {
new ActionPlugin.ActionHandler<>(SearchCorrelationRuleAction.INSTANCE, TransportSearchCorrelationRuleAction.class),
new ActionHandler<>(IndexCustomLogTypeAction.INSTANCE, TransportIndexCustomLogTypeAction.class),
new ActionHandler<>(SearchCustomLogTypeAction.INSTANCE, TransportSearchCustomLogTypeAction.class),
new ActionHandler<>(DeleteCustomLogTypeAction.INSTANCE, TransportDeleteCustomLogTypeAction.class)
new ActionHandler<>(DeleteCustomLogTypeAction.INSTANCE, TransportDeleteCustomLogTypeAction.class),
new ActionHandler<>(PutTIFJobAction.INSTANCE, TransportPutTIFJobAction.class)
);
}

Expand All @@ -292,5 +345,5 @@ public void onFailure(Exception e) {
log.warn("Failed to initialize LogType config index and builtin log types");
}
});
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
.field(Detector.INPUTS_FIELD, detector.getInputs())
.field(Detector.LAST_UPDATE_TIME_FIELD, detector.getLastUpdateTime())
.field(Detector.ENABLED_TIME_FIELD, detector.getEnabledTime())
.field(Detector.THREAT_INTEL_ENABLED_FIELD, detector.getThreatIntelEnabled())
.endObject();
return builder.endObject();
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,45 +4,49 @@
*/
package org.opensearch.securityanalytics.action;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.common.xcontent.XContentType;
import org.opensearch.core.action.ActionResponse;
import org.opensearch.core.common.Strings;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.securityanalytics.mapper.MapperUtils;
import org.opensearch.core.common.io.stream.Writeable;
import org.opensearch.core.xcontent.ToXContentObject;
import org.opensearch.core.xcontent.XContentBuilder;
import org.opensearch.securityanalytics.mapper.MapperUtils;
import org.opensearch.securityanalytics.model.LogType;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.opensearch.core.action.ActionResponse;
import org.opensearch.core.common.Strings;
import org.opensearch.core.common.io.stream.StreamInput;
import org.opensearch.core.common.io.stream.StreamOutput;
import org.opensearch.common.xcontent.XContentType;

public class GetMappingsViewResponse extends ActionResponse implements ToXContentObject {

private Logger logger = LogManager.getLogger(GetMappingsViewResponse.class);

public static final String UNMAPPED_INDEX_FIELDS = "unmapped_index_fields";
public static final String UNMAPPED_FIELD_ALIASES = "unmapped_field_aliases";
public static final String THREAT_INTEL_FIELD_ALIASES = "threat_intel_field_aliases";

private Map<String, Object> aliasMappings;
List<String> unmappedIndexFields;
List<String> unmappedFieldAliases;

/** This field sheds information on the list of field aliases that need to be mapped for a given IoC.
* For ex. one element for windows logtype would be
*{"ioc": "ip", "fields": ["destination.ip","source.ip"]} where "ip" is the IoC and the required field aliases to be mapped for
* threat intel based detection are "destination.ip","source.ip".*/
private List<LogType.IocFields> threatIntelFieldAliases;

public GetMappingsViewResponse(
Map<String, Object> aliasMappings,
List<String> unmappedIndexFields,
List<String> unmappedFieldAliases
List<String> unmappedFieldAliases,
List<LogType.IocFields> threatIntelFieldAliases
) {
this.aliasMappings = aliasMappings;
this.unmappedIndexFields = unmappedIndexFields;
this.unmappedFieldAliases = unmappedFieldAliases;
this.threatIntelFieldAliases = threatIntelFieldAliases;
}

public GetMappingsViewResponse(StreamInput in) throws IOException {
Expand All @@ -64,6 +68,7 @@ public GetMappingsViewResponse(StreamInput in) throws IOException {
unmappedFieldAliases.add(in.readString());
}
}
this.threatIntelFieldAliases = in.readList(LogType.IocFields::readFrom);
}

@Override
Expand All @@ -90,6 +95,12 @@ public void writeTo(StreamOutput out) throws IOException {
} else {
out.writeVInt(0);
}
if(threatIntelFieldAliases!=null) {
out.writeBoolean(true);
out.writeCollection(threatIntelFieldAliases);
} else {
out.writeBoolean(false);
}
}

@Override
Expand All @@ -104,6 +115,9 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
if (unmappedFieldAliases != null && unmappedFieldAliases.size() > 0) {
builder.field(UNMAPPED_FIELD_ALIASES, unmappedFieldAliases);
}
if(threatIntelFieldAliases != null && false == threatIntelFieldAliases.isEmpty()) {
builder.field(THREAT_INTEL_FIELD_ALIASES, threatIntelFieldAliases);
}
return builder.endObject();
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
.field(Detector.TRIGGERS_FIELD, detector.getTriggers())
.field(Detector.LAST_UPDATE_TIME_FIELD, detector.getLastUpdateTime())
.field(Detector.ENABLED_TIME_FIELD, detector.getEnabledTime())
.field(Detector.THREAT_INTEL_ENABLED_FIELD, detector.getThreatIntelEnabled())
.endObject();
return builder.endObject();
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
import java.nio.charset.StandardCharsets;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
Expand Down Expand Up @@ -663,6 +664,13 @@ public void getRuleFieldMappings(String logType, ActionListener<Map<String, Stri
return;
}

public List<LogType.IocFields> getIocFieldsList(String logType) {
LogType logTypeByName = builtinLogTypeLoader.getLogTypeByName(logType);
if(logTypeByName == null)
return Collections.emptyList();
return logTypeByName.getIocFieldsList();
}

public void getRuleFieldMappingsAllSchemas(String logType, ActionListener<List<LogType.Mapping>> listener) {

if (builtinLogTypeLoader.logTypeExists(logType)) {
Expand Down
Loading

0 comments on commit eccf388

Please sign in to comment.