Implement Threat Intel Monitor Input and Triggers #1073
Conversation
Signed-off-by: Subhobrata Dey <[email protected]>
Signed-off-by: Surya Sashank Nistala <[email protected]>
eirsep
requested review from
amsiglan,
AWSHurneyt,
getsaurabh02,
lezzago,
praveensameneni,
sbcd90,
jowg-amazon,
engechas,
goyamegh and
riysaxen-amzn
as code owners
| import org.opensearch.alerting.spi.RemoteMonitorRunner; | ||
| import org.opensearch.commons.alerting.action.DocLevelMonitorFanOutResponse; | ||
|
|
||
| public class SampleRemoteDocLevelMonitorRunner extends RemoteMonitorRunner { |
There was a problem hiding this comment.
do we change this class name?
| public static final String REMOTE_DOC_LEVEL_MONITOR_ACTION_NAME = "cluster:admin/security_analytics/threatIntel/monitor/fanout"; | ||
| public static final String THREAT_INTEL_MONITOR_TYPE = "ti_doc_level_monitor"; | ||
|
|
||
| public static final String SAMPLE_REMOTE_DOC_LEVEL_MONITOR_RUNNER_INDEX = ".opensearch-alerting-sample-remote-doc-level-monitor"; |
There was a problem hiding this comment.
do we remove this variable?
There was a problem hiding this comment.
i will follow up with the full impl
all this will change or be removed
| import java.util.HashMap; | ||
| import java.util.Map; | ||
|
|
||
| public class TransportRemoteDocLevelMonitorFanOutAction extends HandledTransportAction<DocLevelMonitorFanOutRequest, DocLevelMonitorFanOutResponse> { |
There was a problem hiding this comment.
do we rename this to ThreatIntelMonitorFanout?
There was a problem hiding this comment.
i will follow up with the full impl
all this will change or be removed
| Settings settings, | ||
| ActionFilters actionFilters | ||
| ) { | ||
| super(SampleRemoteDocLevelMonitorRunner.REMOTE_DOC_LEVEL_MONITOR_ACTION_NAME, transportService, actionFilters, DocLevelMonitorFanOutRequest::new); |
There was a problem hiding this comment.
do we rename Action Name variable with Threat Intel context?
There was a problem hiding this comment.
i will follow up with the full impl
all this will change or be removed
| RemoteDocLevelMonitorInput input = (RemoteDocLevelMonitorInput) monitor.getInputs().get(0); | ||
| BytesReference customInputSerialized = input.getInput(); | ||
| StreamInput sin = StreamInput.wrap(customInputSerialized.toBytesRef().bytes); | ||
| ThreatIntelInput sampleRemoteDocLevelMonitorInput = new ThreatIntelInput(sin); |
There was a problem hiding this comment.
do we change variable name here sampleRemoteDocLevelMonitorInput?
There was a problem hiding this comment.
i will follow up with the full impl
all this will change or be removed
| @@ -0,0 +1,97 @@ | |||
| package org.opensearch.securityanalytics.threatIntel.model.monitor; | |||
There was a problem hiding this comment.
can this class be removed?
There was a problem hiding this comment.
i will follow up with the full impl
all this will change or be removed
eirsep
merged commit 6766547
into
opensearch-project:feature/threat_intel
| IndexThreatIntelMonitorResponse response = getIndexThreatIntelMonitorResponse(r, user); | ||
| listener.onResponse(response); | ||
| }, e -> { | ||
| log.error("failed to creat threat intel monitor", e); |
There was a problem hiding this comment.
nit: misspelled create
| String index = docLevelMonitorInput.getIndices().get(0); | ||
|
|
||
|
|
||
| ((Map<String, Object>) lastRunContext.get(index)).put("0", 0); |
There was a problem hiding this comment.
why is this putting 0 in the map?
…#1073) * wip index monitor still fails * fix remote monitor setup in security-analytics Signed-off-by: Subhobrata Dey <[email protected]> * wip threat intel trigger * add remote monitor triggers Signed-off-by: Surya Sashank Nistala <[email protected]> --------- Signed-off-by: Subhobrata Dey <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]> Co-authored-by: Subhobrata Dey <[email protected]>
Description
Implement Threat Intel Monitor Input and Triggers using remote Monitor interface
Issues Resolved
[List any issues this PR will resolve]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.