add search ioc findings api

Signed-off-by: Subhobrata Dey <[email protected]>
sbcd90 · Jun 17, 2024 · 2976be0 · 2976be0
1 parent 42372a0
commit 2976be0
Show file tree

Hide file tree

Showing 9 changed files with 599 additions and 5 deletions.
diff --git a/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java b/src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
@@ -66,17 +66,45 @@
 import org.opensearch.securityanalytics.model.CustomLogType;
 import org.opensearch.securityanalytics.model.IocDao;
 import org.opensearch.securityanalytics.model.ThreatIntelFeedData;
-import org.opensearch.securityanalytics.resthandler.*;
+import org.opensearch.securityanalytics.resthandler.RestAcknowledgeAlertsAction;
+import org.opensearch.securityanalytics.resthandler.RestCreateIndexMappingsAction;
+import org.opensearch.securityanalytics.resthandler.RestDeleteCorrelationRuleAction;
+import org.opensearch.securityanalytics.resthandler.RestDeleteCustomLogTypeAction;
+import org.opensearch.securityanalytics.resthandler.RestDeleteDetectorAction;
+import org.opensearch.securityanalytics.resthandler.RestDeleteRuleAction;
+import org.opensearch.securityanalytics.resthandler.RestGetAlertsAction;
+import org.opensearch.securityanalytics.resthandler.RestGetAllRuleCategoriesAction;
+import org.opensearch.securityanalytics.resthandler.RestGetDetectorAction;
+import org.opensearch.securityanalytics.resthandler.RestGetFindingsAction;
+import org.opensearch.securityanalytics.resthandler.RestGetIndexMappingsAction;
+import org.opensearch.securityanalytics.resthandler.RestGetMappingsViewAction;
+import org.opensearch.securityanalytics.resthandler.RestIndexCorrelationRuleAction;
+import org.opensearch.securityanalytics.resthandler.RestIndexCustomLogTypeAction;
+import org.opensearch.securityanalytics.resthandler.RestIndexDetectorAction;
+import org.opensearch.securityanalytics.resthandler.RestIndexRuleAction;
+import org.opensearch.securityanalytics.resthandler.RestListCorrelationAction;
+import org.opensearch.securityanalytics.resthandler.RestSearchCorrelationAction;
+import org.opensearch.securityanalytics.resthandler.RestSearchCorrelationRuleAction;
+import org.opensearch.securityanalytics.resthandler.RestSearchCustomLogTypeAction;
+import org.opensearch.securityanalytics.resthandler.RestSearchDetectorAction;
+import org.opensearch.securityanalytics.resthandler.RestSearchRuleAction;
+import org.opensearch.securityanalytics.resthandler.RestUpdateIndexMappingsAction;
+import org.opensearch.securityanalytics.resthandler.RestValidateRulesAction;
+import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
+import org.opensearch.securityanalytics.threatIntel.action.GetIocFindingsAction;
+import org.opensearch.securityanalytics.threatIntel.action.PutTIFJobAction;
 import org.opensearch.securityanalytics.threatIntel.action.SAGetTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.action.SAIndexTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.dao.SATIFSourceConfigDao;
 import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfig;
+import org.opensearch.securityanalytics.threatIntel.resthandler.RestGetIocFindingsAction;
 import org.opensearch.securityanalytics.threatIntel.resthandler.RestGetTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.resthandler.RestIndexTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.service.DetectorThreatIntelService;
 import org.opensearch.securityanalytics.threatIntel.service.SATIFSourceConfigService;
 import org.opensearch.securityanalytics.threatIntel.service.ThreatIntelFeedDataService;
 import org.opensearch.securityanalytics.threatIntel.action.PutTIFJobAction;
+import org.opensearch.securityanalytics.threatIntel.transport.TransportGetIocFindingsAction;
 import org.opensearch.securityanalytics.threatIntel.transport.TransportGetTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.transport.TransportIndexTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.transport.TransportPutTIFJobAction;
@@ -243,7 +271,8 @@ public List<RestHandler> getRestHandlers(Settings settings,
                 new RestSearchCustomLogTypeAction(),
                 new RestDeleteCustomLogTypeAction(),
                 new RestIndexTIFSourceConfigAction(),
-                new RestGetTIFSourceConfigAction()
+                new RestGetTIFSourceConfigAction(),
+                new RestGetIocFindingsAction()
         );
     }
 
@@ -380,7 +409,8 @@ public List<Setting<?>> getSettings() {
                 new ActionHandler<>(DeleteCustomLogTypeAction.INSTANCE, TransportDeleteCustomLogTypeAction.class),
                 new ActionHandler<>(PutTIFJobAction.INSTANCE, TransportPutTIFJobAction.class),
                 new ActionHandler<>(SAIndexTIFSourceConfigAction.INSTANCE, TransportIndexTIFSourceConfigAction.class),
-                new ActionHandler<>(SAGetTIFSourceConfigAction.INSTANCE, TransportGetTIFSourceConfigAction.class)
+                new ActionHandler<>(SAGetTIFSourceConfigAction.INSTANCE, TransportGetTIFSourceConfigAction.class),
+                new ActionHandler<>(GetIocFindingsAction.INSTANCE, TransportGetIocFindingsAction.class)
         );
     }
 

diff --git a/src/main/java/org/opensearch/securityanalytics/model/threatintel/IocMatchWithDocs.java b/src/main/java/org/opensearch/securityanalytics/model/threatintel/IocMatchWithDocs.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.securityanalytics.model.threatintel;
+
+import org.opensearch.commons.alerting.model.FindingDocument;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.common.io.stream.Writeable;
+import org.opensearch.core.xcontent.ToXContent;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.core.xcontent.XContentParser;
+import org.opensearch.core.xcontent.XContentParserUtils;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class IocMatchWithDocs implements Writeable, ToXContent {
+
+    private static final String IOC_MATCH_FIELD = "ioc_finding";
+
+    private static final String DOCUMENTS_FIELD = "document_list";
+
+    private IocMatch iocMatch;
+
+    private List<FindingDocument> documents;
+
+    public IocMatchWithDocs(IocMatch iocMatch, List<FindingDocument> documents) {
+        super();
+        this.iocMatch = iocMatch;
+        this.documents = documents;
+    }
+
+    public IocMatchWithDocs(StreamInput sin) throws IOException {
+        this(
+                IocMatch.readFrom(sin),
+                sin.readList(FindingDocument::readFrom)
+        );
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        iocMatch.writeTo(out);
+        out.writeCollection(documents);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject()
+                .field(IOC_MATCH_FIELD, iocMatch)
+                .field(DOCUMENTS_FIELD, documents);
+        return builder.endObject();
+    }
+
+    public static IocMatchWithDocs parse(XContentParser xcp) throws IOException {
+        IocMatch iocMatch = null;
+        List<FindingDocument> documents = new ArrayList<>();
+
+        XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_OBJECT, xcp.currentToken(), xcp);
+        while (xcp.nextToken() != XContentParser.Token.END_OBJECT) {
+            String fieldName = xcp.currentName();
+            xcp.nextToken();
+
+            switch (fieldName) {
+                case IOC_MATCH_FIELD:
+                    iocMatch = IocMatch.parse(xcp);
+                    break;
+                case DOCUMENTS_FIELD:
+                    XContentParserUtils.ensureExpectedToken(XContentParser.Token.START_ARRAY, xcp.currentToken(), xcp);
+                    while (xcp.nextToken() != XContentParser.Token.END_ARRAY) {
+                        documents.add(FindingDocument.parse(xcp));
+                    }
+                    break;
+                default:
+                    xcp.skipChildren();
+            }
+        }
+        return new IocMatchWithDocs(iocMatch, documents);
+    }
+
+    public static IocMatchWithDocs readFrom(StreamInput sin) throws IOException {
+        return new IocMatchWithDocs(sin);
+    }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/action/GetIocFindingsAction.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/action/GetIocFindingsAction.java
@@ -0,0 +1,17 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.securityanalytics.threatIntel.action;
+
+import org.opensearch.action.ActionType;
+
+public class GetIocFindingsAction extends ActionType<GetIocFindingsResponse> {
+
+    public static final GetIocFindingsAction INSTANCE = new GetIocFindingsAction();
+    public static final String NAME = "cluster:admin/opensearch/securityanalytics/ioc/findings/get";
+
+    public GetIocFindingsAction() {
+        super(NAME, GetIocFindingsResponse::new);
+    }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/threatIntel/action/GetIocFindingsRequest.java b/src/main/java/org/opensearch/securityanalytics/threatIntel/action/GetIocFindingsRequest.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.securityanalytics.threatIntel.action;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.action.ValidateActions;
+import org.opensearch.commons.alerting.model.Table;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.util.List;
+import java.util.Locale;
+
+public class GetIocFindingsRequest extends ActionRequest {
+
+    private List<String> findingIds;
+
+    private Instant startTime;
+
+    private Instant endTime;
+
+    private String threatIntelMonitorId;
+
+    private Table table;
+
+    public static final String THREAT_INTEL_MONITOR_ID = "monitor_id";
+
+    public GetIocFindingsRequest(String threatIntelMonitorId) {
+        super();
+        this.threatIntelMonitorId = threatIntelMonitorId;
+    }
+
+    public GetIocFindingsRequest(StreamInput sin) throws IOException {
+        this(
+                sin.readOptionalStringList(),
+                sin.readOptionalInstant(),
+                sin.readOptionalInstant(),
+                sin.readOptionalString(),
+                Table.readFrom(sin)
+        );
+    }
+
+    public GetIocFindingsRequest(List<String> findingIds,
+                                 Instant startTime,
+                                 Instant endTime,
+                                 String threatIntelMonitorId,
+                                 Table table) {
+        this.findingIds = findingIds;
+        this.startTime = startTime;
+        this.endTime = endTime;
+        this.threatIntelMonitorId = threatIntelMonitorId;
+        this.table = table;
+    }
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (threatIntelMonitorId != null && threatIntelMonitorId.isEmpty()) {
+            validationException = ValidateActions.addValidationError(String.format(Locale.getDefault(),
+                    "threat intel monitor id is missing"), validationException);
+        } else if (startTime != null && endTime != null && startTime.isAfter(endTime)) {
+            validationException = ValidateActions.addValidationError(String.format(Locale.getDefault(),
+                    "startTime should be less than endTime"), validationException);
+        }
+        return validationException;
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeOptionalStringCollection(findingIds);
+        out.writeOptionalInstant(startTime);
+        out.writeOptionalInstant(endTime);
+        out.writeOptionalString(threatIntelMonitorId);
+        table.writeTo(out);
+    }
+
+    public List<String> getFindingIds() {
+        return findingIds;
+    }
+
+    public Instant getStartTime() {
+        return startTime;
+    }
+
+    public Instant getEndTime() {
+        return endTime;
+    }
+
+    public String getThreatIntelMonitorId() {
+        return threatIntelMonitorId;
+    }
+
+    public Table getTable() {
+        return table;
+    }
+}
diff --git a/...main/java/org/opensearch/securityanalytics/threatIntel/action/GetIocFindingsResponse.java b/...main/java/org/opensearch/securityanalytics/threatIntel/action/GetIocFindingsResponse.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.securityanalytics.threatIntel.action;
+
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.securityanalytics.model.threatintel.IocMatch;
+import org.opensearch.securityanalytics.model.threatintel.IocMatchWithDocs;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+public class GetIocFindingsResponse extends ActionResponse implements ToXContentObject {
+
+    private static final String TOTAL_IOC_FINDINGS_FIELD = "total_findings";
+
+    private static final String IOC_FINDINGS_FIELD = "ioc_findings";
+
+    private Integer totalFindings;
+
+    private List<IocMatchWithDocs> iocFindings;
+
+    public GetIocFindingsResponse(Integer totalFindings, List<IocMatchWithDocs> iocFindings) {
+        super();
+        this.totalFindings = totalFindings;
+        this.iocFindings = iocFindings;
+    }
+
+    public GetIocFindingsResponse(StreamInput sin) throws IOException {
+        this(
+                sin.readInt(),
+                Collections.unmodifiableList(sin.readList(IocMatchWithDocs::new))
+        );
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeInt(totalFindings);
+        out.writeCollection(iocFindings);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject()
+                .field(TOTAL_IOC_FINDINGS_FIELD, totalFindings)
+                .field(IOC_FINDINGS_FIELD, iocFindings);
+        return builder.endObject();
+    }
+
+    public Integer getTotalFindings() {
+        return totalFindings;
+    }
+
+    public List<IocMatchWithDocs> getIocFindings() {
+        return iocFindings;
+    }
+}