Draft of IOC service #1048

AWSHurneyt · 2024-05-29T01:08:17Z

Description

Implemented draft of IocService.

Issues Resolved

[List any issues this PR will resolve]

Check List

New functionality includes testing.
- All tests pass
New functionality has been documented.
- New functionality has javadoc added
Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java

src/test/java/org/opensearch/securityanalytics/services/IocServiceIT.java

src/main/java/org/opensearch/securityanalytics/services/IocService.java

src/main/java/org/opensearch/securityanalytics/model/IocDao.java

eirsep · 2024-05-29T18:46:13Z

src/main/java/org/opensearch/securityanalytics/services/IocService.java

+     * @return TRUE if the index is an IOC-related system index, and exists; else returns FALSE.
+     */
+    public boolean hasIocSystemIndex(String index) {
+        return index.startsWith(IOC_INDEX_NAME_BASE) && this.clusterService.state().routingTable().hasIndex(index);


why do we have to do index.startsWith(IOC_INDEX_NAME_BASE) and why is method public?

@eirsep I added the startsWith check just to confirm that the function is only being used to create indexes for the purposes of this feature. Do you think that check should be removed?

I implemented it as public just out of habit in case I might need it elsewhere; I'll change it to private in a separate PR as I'll need to refactor the tests that use it (unless we're fine with leaving it as a public function).

src/main/java/org/opensearch/securityanalytics/services/IocService.java

src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java

src/main/java/org/opensearch/securityanalytics/model/IocDao.java

src/main/java/org/opensearch/securityanalytics/services/IocService.java

build.gradle

eirsep · 2024-06-05T19:37:14Z

src/main/resources/mappings/ioc_mapping.json

+          "type": "keyword"
+        },
+        "name": {
+          "type": "text",


why cant name be keyword like id?

Revised to keyword type.

eirsep · 2024-06-05T19:38:12Z

src/main/resources/mappings/ioc_mapping.json

+        },
+        "created": {
+          "type": "date",
+          "format": "strict_date_optional_time||epoch_millis"


do we need this restriction?

We use similar format for the mappings of some other plugin assets (e.g., detectors). Did you have another format in mind?

For now, I've revised this to strict_date_time||epoch_millis. My thoughts are that the create date should be required whereas the modified date could be null if the entry hasn't been updated.

eirsep · 2024-06-05T19:38:22Z

src/main/resources/mappings/ioc_mapping.json

+        },
+        "modified": {
+          "type": "date",
+          "format": "strict_date_optional_time||epoch_millis"


do we need this restriction?

We use similar format for the mappings of some other plugin assets (e.g., detectors). Did you have another format in mind?

eirsep

can you check some minor comments?

jowg-amazon · 2024-06-06T01:18:34Z

src/main/java/org/opensearch/securityanalytics/action/FetchIocsActionResponse.java

+
+    public FetchIocsActionResponse(List<IOC> iocs) {
+        super();
+        iocs.forEach( ioc -> this.iocs.add(new IocDto(ioc)));


Should this be done in transport/service class?

@jowg-amazon It can be. The FetchIocsActionResponse object is just a placeholder I've been using to test the changes. We can refactor and remove it before launch.

Signed-off-by: AWSHurneyt <[email protected]>

AWSHurneyt · 2024-06-07T21:48:09Z

can you check some minor comments?

@eirsep Responded.

eirsep · 2024-06-13T00:12:26Z

src/main/java/org/opensearch/securityanalytics/action/FetchIocsActionResponse.java

+import java.util.Collections;
+import java.util.List;
+
+public class FetchIocsActionResponse extends ActionResponse implements ToXContentObject {


NIT: let's keep consistent naming: ListIocsResponse?

eirsep · 2024-06-13T00:13:13Z

src/main/java/org/opensearch/securityanalytics/model/IOC.java

-
-public class IocDao implements Writeable, ToXContentObject {
-    private static final Logger logger = LogManager.getLogger(IocDao.class);
+public class IOC implements Writeable, ToXContentObject {


how come Ioc is a concrete class and also STIX2Ioc?

eirsep · 2024-06-13T00:14:18Z

src/main/java/org/opensearch/securityanalytics/model/IocDto.java

+                .timeField(IOC.MODIFIED_FIELD, modified)
+                .field(IOC.DESCRIPTION_FIELD, description)
+                .field(IOC.LABELS_FIELD, labels)
+                .field(IOC.FEED_ID_FIELD, feedId)
                .endObject();
    }

    public static IocDto parse(XContentParser xcp, String id) throws IOException {


this defeats the purpose of having separate classes for DTO and the model.. if there is ever a divergence we would end up having to re-write this method

eirsep

Plz invoke IocService from TIFConfigService

* Removed unused imports. Removed redundant helper function. Signed-off-by: AWSHurneyt <[email protected]> * Added note about system index refactoring. Signed-off-by: AWSHurneyt <[email protected]> * Implemented draft of IocService. Signed-off-by: AWSHurneyt <[email protected]> * Made changes based on PR feedback. Signed-off-by: AWSHurneyt <[email protected]> * Fixed test helper function. Signed-off-by: AWSHurneyt <[email protected]> * Removed unused imports. Signed-off-by: AWSHurneyt <[email protected]> * Adjusted mappings based on PR feedback. Signed-off-by: AWSHurneyt <[email protected]> --------- Signed-off-by: AWSHurneyt <[email protected]>