-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preliminary framework for jobscheduler and datasource #626
Preliminary framework for jobscheduler and datasource #626
Conversation
try { | ||
countDownLatch.await(clusterService.getClusterSettings().get(ThreatIntelSettings.TIMEOUT).getSeconds(), TimeUnit.SECONDS); | ||
return lockReference.get(); | ||
} catch (InterruptedException e) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add log.error("Custom Message",e);
where ever we catch exceptions
plz also add a generic catch and handle it accordingly.
/** | ||
* Threat intel datasource state | ||
* | ||
* When data source is created, it starts with CREATING state. Once the first threatIP data is generated, the state changes to AVAILABLE. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once the first threatIP data is generated, the state changes to AVAILABLE.
Is this comment applicable to our use case too?
* Provide a list of static methods related with executors for threat intel | ||
*/ | ||
public class ThreatIntelExecutor { | ||
private static final String THREAD_POOL_NAME = "_plugin_securityanalytics_threatintel_datasource_update"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is threadpool name beginning with _
also this can we shorten _securityanalytics to _sap and remove _threatIntel
try { | ||
countDownLatch.await(clusterService.getClusterSettings().get(ThreatIntelSettings.TIMEOUT).getSeconds(), TimeUnit.SECONDS); | ||
return Optional.ofNullable(lockReference.get()); | ||
} catch (InterruptedException e) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log error message
import org.opensearch.common.unit.TimeValue; | ||
|
||
/** | ||
* Settings for Ip2Geo datasource operations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fix comment
public class ThreatIntelSettings { | ||
|
||
// /** | ||
// * Default endpoint to be used in threatIP datasource creation API |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
threat intel*?
/** | ||
* Timeout value for Ip2Geo processor | ||
*/ | ||
public static final Setting<TimeValue> TIMEOUT = Setting.timeSetting( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TIMEOUT is vague. can we rename with more context. what is "index_timeout"
|
||
private String getIndexMapping() { | ||
try { | ||
try (InputStream is = DatasourceDao.class.getResourceAsStream("/mappings/threatintel_datasource.json")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you also push the mapping json
} | ||
} | ||
} catch (IOException e) { | ||
throw new RuntimeException(e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we shouldn't throw runtime exceptoin. we can wrap in securityanalyticsexception
log error message
private static final ParseField DATABASE_FIELD = new ParseField("database"); | ||
private static final ParseField UPDATE_STATS_FIELD = new ParseField("update_stats"); | ||
|
||
private static final ParseField FEED_FORMAT = new ParseField("field_format"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
plz add CONTAINED_IOCS_FIELD to store info about list of IOCs contained in a given feed.
private static final ParseField DATABASE_FIELD = new ParseField("database"); | ||
private static final ParseField UPDATE_STATS_FIELD = new ParseField("update_stats"); | ||
|
||
private static final ParseField FEED_FORMAT = new ParseField("field_format"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
plz add mapping json
* @param name name of a datasource | ||
* @return name of a datasource | ||
*/ | ||
private String name; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we mark variables as final wherever possible
build.gradle
Outdated
@@ -32,6 +32,7 @@ buildscript { | |||
|
|||
dependencies { | |||
classpath "org.opensearch.gradle:build-tools:${opensearch_version}" | |||
classpath "io.freefair.gradle:lombok-plugin:6.4.3" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NIT: not in favor of adding lombok because of one class. can you add manual getters, setters for now.
/** | ||
* Job index name for a datasource | ||
*/ | ||
public static final String JOB_INDEX_NAME = ".scheduler-security_analytics-threatintel-datasource"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename following plugin's index naming convention
checking findings, alerts,detectors indices for naming convention
try { | ||
datasourceUpdateService.deleteUnusedIndices(datasource); | ||
if (DatasourceTask.DELETE_UNUSED_INDICES.equals(datasource.getTask()) == false) { | ||
datasourceUpdateService.updateOrCreateGeoIpData(datasource, renewLock); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename method
} | ||
|
||
/** | ||
* Update threatIp data |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
threat intel*
/** | ||
* Update threatIp data | ||
* | ||
* The first column is ip range field regardless its header name. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comment n/a
datasource.getDatabase().getFields().toString() | ||
); | ||
} | ||
threatIpDataDao.putGeoIpData(indexName, header, reader.iterator(), renewLock); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can pull latest changes from feature branch and use ThreatIntelFeedData dao for this and rewrite the method
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not reviewing this class right now
Signed-off-by: Joanne Wang <jowg@amazon.com>
a1037b0
to
0419c56
Compare
Signed-off-by: Joanne Wang <jowg@amazon.com>
Signed-off-by: Joanne Wang <jowg@amazon.com>
Signed-off-by: Joanne Wang <jowg@amazon.com>
Signed-off-by: Joanne Wang <jowg@amazon.com>
f6cbebe
to
7ffacb9
Compare
18f4498
into
opensearch-project:feature/threat_intel_feeds
Signed-off-by: Joanne Wang <jowg@amazon.com>
…ject#626) Signed-off-by: Joanne Wang <jowg@amazon.com>
* fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com>
Signed-off-by: Joanne Wang <jowg@amazon.com>
* fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com>
Signed-off-by: Joanne Wang <jowg@amazon.com>
* fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com>
* add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * refactored out unecessary Signed-off-by: Joanne Wang <jowg@amazon.com> * added headers and cleaned up Signed-off-by: Joanne Wang <jowg@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * working on testing Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed the parser and build.gradle Signed-off-by: Joanne Wang <jowg@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add feed metadata config files in src and test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * clean up some tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * adds ioc fields list in log type config files and ioc fields object in LogType POJO * update csv parser and new metadata field Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler interval settings Signed-off-by: Joanne Wang <jowg@amazon.com> * add tests for ioc to fields for each log type Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * removed wildcards Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com>
* add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * refactored out unecessary Signed-off-by: Joanne Wang <jowg@amazon.com> * added headers and cleaned up Signed-off-by: Joanne Wang <jowg@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * working on testing Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed the parser and build.gradle Signed-off-by: Joanne Wang <jowg@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add feed metadata config files in src and test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * clean up some tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * adds ioc fields list in log type config files and ioc fields object in LogType POJO * update csv parser and new metadata field Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler interval settings Signed-off-by: Joanne Wang <jowg@amazon.com> * add tests for ioc to fields for each log type Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * removed wildcards Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <jowg@amazon.com>
* add mapping for indices storing threat intel feed data Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix feed indices mapping Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add feed metadata config files in src and test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * adds ioc fields list in log type config files and ioc fields object in LogType POJO Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix compilation issues in tests Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * test udpate detector disabling threat intel Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add tests for detector creation and updation with threat intel Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel test (#673) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * refactored out unecessary Signed-off-by: Joanne Wang <jowg@amazon.com> * added headers and cleaned up Signed-off-by: Joanne Wang <jowg@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * working on testing Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed the parser and build.gradle Signed-off-by: Joanne Wang <jowg@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add feed metadata config files in src and test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * clean up some tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * adds ioc fields list in log type config files and ioc fields object in LogType POJO * update csv parser and new metadata field Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler interval settings Signed-off-by: Joanne Wang <jowg@amazon.com> * add tests for ioc to fields for each log type Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * removed wildcards Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <jowg@amazon.com> * fix threat intel integ tests and add update detector logic Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * JS for Threat intel feeds - changed extension (#675) * merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed java wildcards and changed update key name Signed-off-by: Joanne Wang <jowg@amazon.com> * integ test failing Signed-off-by: Joanne Wang <jowg@amazon.com> * fix job scheduler params Signed-off-by: Joanne Wang <jowg@amazon.com> * changed extension and has debug messages Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * TIF Job Runner Cleanup (#676) * merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed java wildcards and changed update key name Signed-off-by: Joanne Wang <jowg@amazon.com> * integ test failing Signed-off-by: Joanne Wang <jowg@amazon.com> * fix job scheduler params Signed-off-by: Joanne Wang <jowg@amazon.com> * changed extension and has debug messages Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name Signed-off-by: Joanne Wang <jowg@amazon.com> * removed google commons unused import, updated interval setting, removed rest action Signed-off-by: Joanne Wang <jowg@amazon.com> * removed policy file and updated name for job scheduler Signed-off-by: Joanne Wang <jowg@amazon.com> * responded to comments about parameter validator and TIFMetadata Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored ThreatIntelFeedDataService and changed variables to public static final where possible Signed-off-by: Joanne Wang <jowg@amazon.com> * changed opensearch-sap-threatintel to opensearch-sap-threat-intel Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * fix TIFJobParameter class Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * test detector updation when feed updation job runs Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * removed delete job scheduler code and cleaned up (#678) Signed-off-by: Joanne Wang <jowg@amazon.com> * working integ test (#680) Signed-off-by: Joanne Wang <jowg@amazon.com> * fix timeout of tif job creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * remove unncessary thread forking in put tif job action Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * refactoring code to address review comments Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * detector trigger detection types Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * pull out threat intel rest tests into separate test class Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add detection types testing in detector trigger for rules and threat intel detection scenarios Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add license header Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel field aliases in mapping view response Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix threat intel feed parser Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix workflow failing test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * spotless check failures fixed Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * remove dockerfile (#689) Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <jowg@amazon.com>
* add mapping for indices storing threat intel feed data Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix feed indices mapping Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (opensearch-project#654) * fix doc level query constructor (opensearch-project#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add feed metadata config files in src and test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * adds ioc fields list in log type config files and ioc fields object in LogType POJO Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix compilation issues in tests Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * test udpate detector disabling threat intel Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add tests for detector creation and updation with threat intel Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel test (opensearch-project#673) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (opensearch-project#654) * fix doc level query constructor (opensearch-project#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * refactored out unecessary Signed-off-by: Joanne Wang <jowg@amazon.com> * added headers and cleaned up Signed-off-by: Joanne Wang <jowg@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * working on testing Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed the parser and build.gradle Signed-off-by: Joanne Wang <jowg@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (opensearch-project#654) * fix doc level query constructor (opensearch-project#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add feed metadata config files in src and test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * clean up some tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * adds ioc fields list in log type config files and ioc fields object in LogType POJO * update csv parser and new metadata field Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler interval settings Signed-off-by: Joanne Wang <jowg@amazon.com> * add tests for ioc to fields for each log type Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * removed wildcards Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <jowg@amazon.com> * fix threat intel integ tests and add update detector logic Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * JS for Threat intel feeds - changed extension (opensearch-project#675) * merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed java wildcards and changed update key name Signed-off-by: Joanne Wang <jowg@amazon.com> * integ test failing Signed-off-by: Joanne Wang <jowg@amazon.com> * fix job scheduler params Signed-off-by: Joanne Wang <jowg@amazon.com> * changed extension and has debug messages Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * TIF Job Runner Cleanup (opensearch-project#676) * merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed java wildcards and changed update key name Signed-off-by: Joanne Wang <jowg@amazon.com> * integ test failing Signed-off-by: Joanne Wang <jowg@amazon.com> * fix job scheduler params Signed-off-by: Joanne Wang <jowg@amazon.com> * changed extension and has debug messages Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name Signed-off-by: Joanne Wang <jowg@amazon.com> * removed google commons unused import, updated interval setting, removed rest action Signed-off-by: Joanne Wang <jowg@amazon.com> * removed policy file and updated name for job scheduler Signed-off-by: Joanne Wang <jowg@amazon.com> * responded to comments about parameter validator and TIFMetadata Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored ThreatIntelFeedDataService and changed variables to public static final where possible Signed-off-by: Joanne Wang <jowg@amazon.com> * changed opensearch-sap-threatintel to opensearch-sap-threat-intel Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * fix TIFJobParameter class Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * test detector updation when feed updation job runs Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * removed delete job scheduler code and cleaned up (opensearch-project#678) Signed-off-by: Joanne Wang <jowg@amazon.com> * working integ test (opensearch-project#680) Signed-off-by: Joanne Wang <jowg@amazon.com> * fix timeout of tif job creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * remove unncessary thread forking in put tif job action Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * refactoring code to address review comments Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * detector trigger detection types Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * pull out threat intel rest tests into separate test class Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add detection types testing in detector trigger for rules and threat intel detection scenarios Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add license header Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel field aliases in mapping view response Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix threat intel feed parser Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix workflow failing test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * spotless check failures fixed Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * remove dockerfile (opensearch-project#689) Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <jowg@amazon.com>
* add mapping for indices storing threat intel feed data Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix feed indices mapping Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (opensearch-project#654) * fix doc level query constructor (opensearch-project#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add feed metadata config files in src and test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * adds ioc fields list in log type config files and ioc fields object in LogType POJO Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix compilation issues in tests Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * test udpate detector disabling threat intel Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add tests for detector creation and updation with threat intel Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel test (opensearch-project#673) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (opensearch-project#654) * fix doc level query constructor (opensearch-project#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * refactored out unecessary Signed-off-by: Joanne Wang <jowg@amazon.com> * added headers and cleaned up Signed-off-by: Joanne Wang <jowg@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * working on testing Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed the parser and build.gradle Signed-off-by: Joanne Wang <jowg@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * create doc level query from threat intel feed data index docs" Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Threat intel feeds job runner and unit tests (opensearch-project#654) * fix doc level query constructor (opensearch-project#651) Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threatIntelEnabled field in detector. Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel feed service and searching feeds Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * Preliminary framework for jobscheduler and datasource (opensearch-project#626) Signed-off-by: Joanne Wang <jowg@amazon.com> * with listener and processor Signed-off-by: Joanne Wang <jowg@amazon.com> * removed actions Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * added parser Signed-off-by: Joanne Wang <jowg@amazon.com> * add unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored class names Signed-off-by: Joanne Wang <jowg@amazon.com> * before moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * after moving db Signed-off-by: Joanne Wang <jowg@amazon.com> * added actions to plugin and removed user schedule Signed-off-by: Joanne Wang <jowg@amazon.com> * unit tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fix build error Signed-off-by: Joanne Wang <jowg@amazon.com> * changed transport naming Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler code with threat intel feed integration in detectors Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * converge job scheduler and detector threat intel code Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add feed metadata config files in src and test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * clean up some tests Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * adds ioc fields list in log type config files and ioc fields object in LogType POJO * update csv parser and new metadata field Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler interval settings Signed-off-by: Joanne Wang <jowg@amazon.com> * add tests for ioc to fields for each log type Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * removed wildcards Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <jowg@amazon.com> * fix threat intel integ tests and add update detector logic Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * JS for Threat intel feeds - changed extension (opensearch-project#675) * merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed java wildcards and changed update key name Signed-off-by: Joanne Wang <jowg@amazon.com> * integ test failing Signed-off-by: Joanne Wang <jowg@amazon.com> * fix job scheduler params Signed-off-by: Joanne Wang <jowg@amazon.com> * changed extension and has debug messages Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Joanne Wang <jowg@amazon.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * TIF Job Runner Cleanup (opensearch-project#676) * merge conflicts Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed java wildcards and changed update key name Signed-off-by: Joanne Wang <jowg@amazon.com> * integ test failing Signed-off-by: Joanne Wang <jowg@amazon.com> * fix job scheduler params Signed-off-by: Joanne Wang <jowg@amazon.com> * changed extension and has debug messages Signed-off-by: Joanne Wang <jowg@amazon.com> * clean up Signed-off-by: Joanne Wang <jowg@amazon.com> * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name Signed-off-by: Joanne Wang <jowg@amazon.com> * removed google commons unused import, updated interval setting, removed rest action Signed-off-by: Joanne Wang <jowg@amazon.com> * removed policy file and updated name for job scheduler Signed-off-by: Joanne Wang <jowg@amazon.com> * responded to comments about parameter validator and TIFMetadata Signed-off-by: Joanne Wang <jowg@amazon.com> * refactored ThreatIntelFeedDataService and changed variables to public static final where possible Signed-off-by: Joanne Wang <jowg@amazon.com> * changed opensearch-sap-threatintel to opensearch-sap-threat-intel Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com> * fix TIFJobParameter class Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * test detector updation when feed updation job runs Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * removed delete job scheduler code and cleaned up (opensearch-project#678) Signed-off-by: Joanne Wang <jowg@amazon.com> * working integ test (opensearch-project#680) Signed-off-by: Joanne Wang <jowg@amazon.com> * fix timeout of tif job creation Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * remove unncessary thread forking in put tif job action Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * refactoring code to address review comments Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * detector trigger detection types Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * pull out threat intel rest tests into separate test class Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add detection types testing in detector trigger for rules and threat intel detection scenarios Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add license header Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * add threat intel field aliases in mapping view response Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix threat intel feed parser Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * fix workflow failing test Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * spotless check failures fixed Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> * remove dockerfile (opensearch-project#689) Signed-off-by: Joanne Wang <jowg@amazon.com> --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Joanne Wang <jowg@amazon.com>
* add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * create doc level query from threat intel feed data index docs" * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * with listener and processor * removed actions * clean up * added parser * add unit tests * refactored class names * before moving db * after moving db * added actions to plugin and removed user schedule * unit tests * fix build error * changed transport naming --------- * converge job scheduler code with threat intel feed integration in detectors * converge job scheduler and detector threat intel code * add feed metadata config files in src and test * adds ioc fields list in log type config files and ioc fields object in LogType POJO * fix compilation issues in tests * test udpate detector disabling threat intel * add tests for detector creation and updation with threat intel * Threat intel test (#673) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * create doc level query from threat intel feed data index docs" * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * with listener and processor * removed actions * clean up * added parser * add unit tests * refactored class names * before moving db * after moving db * added actions to plugin and removed user schedule * unit tests * fix build error * changed transport naming --------- * converge job scheduler code with threat intel feed integration in detectors * refactored out unecessary * added headers and cleaned up * converge job scheduler and detector threat intel code * working on testing * fixed the parser and build.gradle * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * create doc level query from threat intel feed data index docs" * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * with listener and processor * removed actions * clean up * added parser * add unit tests * refactored class names * before moving db * after moving db * added actions to plugin and removed user schedule * unit tests * fix build error * changed transport naming --------- * converge job scheduler code with threat intel feed integration in detectors * converge job scheduler and detector threat intel code * add feed metadata config files in src and test * clean up some tests * fixed merge conflicts * adds ioc fields list in log type config files and ioc fields object in LogType POJO * update csv parser and new metadata field * fixed job scheduler interval settings * add tests for ioc to fields for each log type * removed wildcards --------- * fix threat intel integ tests and add update detector logic * JS for Threat intel feeds - changed extension (#675) * merge conflicts * fixed java wildcards and changed update key name * integ test failing * fix job scheduler params * changed extension and has debug messages * clean up * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name --------- * TIF Job Runner Cleanup (#676) * merge conflicts * fixed java wildcards and changed update key name * integ test failing * fix job scheduler params * changed extension and has debug messages * clean up * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name * removed google commons unused import, updated interval setting, removed rest action * removed policy file and updated name for job scheduler * responded to comments about parameter validator and TIFMetadata * refactored ThreatIntelFeedDataService and changed variables to public static final where possible * changed opensearch-sap-threatintel to opensearch-sap-threat-intel --------- * fix TIFJobParameter class * test detector updation when feed updation job runs * removed delete job scheduler code and cleaned up (#678) * working integ test (#680) * fix timeout of tif job creation * remove unncessary thread forking in put tif job action * refactoring code to address review comments * detector trigger detection types * pull out threat intel rest tests into separate test class * add detection types testing in detector trigger for rules and threat intel detection scenarios * add license header * add threat intel field aliases in mapping view response * fix threat intel feed parser * fix workflow failing test * spotless check failures fixed * remove dockerfile (#689) --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com>
* add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * create doc level query from threat intel feed data index docs" * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * with listener and processor * removed actions * clean up * added parser * add unit tests * refactored class names * before moving db * after moving db * added actions to plugin and removed user schedule * unit tests * fix build error * changed transport naming --------- * converge job scheduler code with threat intel feed integration in detectors * converge job scheduler and detector threat intel code * add feed metadata config files in src and test * adds ioc fields list in log type config files and ioc fields object in LogType POJO * fix compilation issues in tests * test udpate detector disabling threat intel * add tests for detector creation and updation with threat intel * Threat intel test (#673) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * create doc level query from threat intel feed data index docs" * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * with listener and processor * removed actions * clean up * added parser * add unit tests * refactored class names * before moving db * after moving db * added actions to plugin and removed user schedule * unit tests * fix build error * changed transport naming --------- * converge job scheduler code with threat intel feed integration in detectors * refactored out unecessary * added headers and cleaned up * converge job scheduler and detector threat intel code * working on testing * fixed the parser and build.gradle * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * create doc level query from threat intel feed data index docs" * handle threat intel enabled check during detector updation * add tests for testing threat intel feed integration with detectors * Threat intel feeds job runner and unit tests (#654) * fix doc level query constructor (#651) * add mapping for indices storing threat intel feed data * fix feed indices mapping * add threat intel feed data dao * add threatIntelEnabled field in detector. * add threat intel feed service and searching feeds * ti feed data to doc level query convertor logic added * plug threat intel feed into detector creation * Preliminary framework for jobscheduler and datasource (#626) * with listener and processor * removed actions * clean up * added parser * add unit tests * refactored class names * before moving db * after moving db * added actions to plugin and removed user schedule * unit tests * fix build error * changed transport naming --------- * converge job scheduler code with threat intel feed integration in detectors * converge job scheduler and detector threat intel code * add feed metadata config files in src and test * clean up some tests * fixed merge conflicts * adds ioc fields list in log type config files and ioc fields object in LogType POJO * update csv parser and new metadata field * fixed job scheduler interval settings * add tests for ioc to fields for each log type * removed wildcards --------- * fix threat intel integ tests and add update detector logic * JS for Threat intel feeds - changed extension (#675) * merge conflicts * fixed java wildcards and changed update key name * integ test failing * fix job scheduler params * changed extension and has debug messages * clean up * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name --------- * TIF Job Runner Cleanup (#676) * merge conflicts * fixed java wildcards and changed update key name * integ test failing * fix job scheduler params * changed extension and has debug messages * clean up * fixed job scheduler plugin spi jar resolution * cleaned up TODOs and changed job scheduler name * removed google commons unused import, updated interval setting, removed rest action * removed policy file and updated name for job scheduler * responded to comments about parameter validator and TIFMetadata * refactored ThreatIntelFeedDataService and changed variables to public static final where possible * changed opensearch-sap-threatintel to opensearch-sap-threat-intel --------- * fix TIFJobParameter class * test detector updation when feed updation job runs * removed delete job scheduler code and cleaned up (#678) * working integ test (#680) * fix timeout of tif job creation * remove unncessary thread forking in put tif job action * refactoring code to address review comments * detector trigger detection types * pull out threat intel rest tests into separate test class * add detection types testing in detector trigger for rules and threat intel detection scenarios * add license header * add threat intel field aliases in mapping view response * fix threat intel feed parser * fix workflow failing test * spotless check failures fixed * remove dockerfile (#689) --------- Signed-off-by: Surya Sashank Nistala <snistala@amazon.com> Signed-off-by: Joanne Wang <jowg@amazon.com> Signed-off-by: Joanne Wang <109310487+jowg-amazon@users.noreply.github.com> Co-authored-by: Surya Sashank Nistala <snistala@amazon.com>
…rces (opensearch-project#626) (opensearch-project#627) * in case of custom indices, allow moving alerts to history index Signed-off-by: Petar Dzepina <petar.dzepina@gmail.com> * empty commit Signed-off-by: Petar Dzepina <petar.dzepina@gmail.com> * added IT for custom datasources alert ack Signed-off-by: Petar Dzepina <petar.dzepina@gmail.com> Signed-off-by: Petar Dzepina <petar.dzepina@gmail.com> (cherry picked from commit 0740d9be59113a8e4c31a5370baabe9b31761f2c) Co-authored-by: Petar Dzepina <petar.dzepina@gmail.com>
Description
[Describe what this change achieves]
Issues Resolved
[List any issues this PR will resolve]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.