Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Log Type JSON format #465

Merged
merged 15 commits into from
Jul 5, 2023
Merged

New Log Type JSON format #465

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
0922913
initial commit
petardz Jun 19, 2023
55200c1
removed unused methods from LogTypeService
petardz Jun 20, 2023
3634dfe
import optimize
petardz Jun 20, 2023
488b2ad
javadoc fix
petardz Jun 20, 2023
8cffd44
test fix
petardz Jun 20, 2023
fd7201b
minor fix due to alerting changes
sbcd90 Jun 21, 2023
f7351d6
Merge pull request #3 from sbcd90/petar
petardz Jun 21, 2023
0ae5066
queryBackend tests fix
petardz Jun 21, 2023
f1cccb9
fix flaky tests
sbcd90 Jun 21, 2023
df30ccf
Merge pull request #5 from sbcd90/petar1
petardz Jun 21, 2023
f0b4bf2
addressing pr comments
petardz Jun 22, 2023
80b93b3
test fix
petardz Jun 22, 2023
aa37d1f
license fix
petardz Jun 22, 2023
b8e6334
small refactor
petardz Jun 23, 2023
2cfcb39
tests for QueryBackend with no mappings
petardz Jun 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion src/main/java/org/opensearch/securityanalytics/SecurityAnalyticsPlugin.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@
import org.opensearch.securityanalytics.correlation.index.mapper.CorrelationVectorFieldMapper;
import org.opensearch.securityanalytics.correlation.index.query.CorrelationQueryBuilder;
import org.opensearch.securityanalytics.indexmanagment.DetectorIndexManagementService;
import org.opensearch.securityanalytics.logtype.LogTypeService;
import org.opensearch.securityanalytics.mapper.IndexTemplateManager;
import org.opensearch.securityanalytics.mapper.MapperService;
import org.opensearch.securityanalytics.resthandler.*;
Expand Down Expand Up @@ -90,6 +91,8 @@ public class SecurityAnalyticsPlugin extends Plugin implements ActionPlugin, Map

private IndexTemplateManager indexTemplateManager;

private LogTypeService logTypeService;

@Override
public Collection<Object> createComponents(Client client,
ClusterService clusterService,
Expand All @@ -102,12 +105,13 @@ public Collection<Object> createComponents(Client client,
NamedWriteableRegistry namedWriteableRegistry,
IndexNameExpressionResolver indexNameExpressionResolver,
Supplier<RepositoriesService> repositoriesServiceSupplier) {
logTypeService = new LogTypeService();
detectorIndices = new DetectorIndices(client.admin(), clusterService, threadPool);
ruleTopicIndices = new RuleTopicIndices(client, clusterService);
correlationIndices = new CorrelationIndices(client, clusterService);
indexTemplateManager = new IndexTemplateManager(client, clusterService, indexNameExpressionResolver, xContentRegistry);
mapperService = new MapperService(client, clusterService, indexNameExpressionResolver, indexTemplateManager);
ruleIndices = new RuleIndices(client, clusterService, threadPool);
ruleIndices = new RuleIndices(logTypeService, client, clusterService, threadPool);
correlationRuleIndices = new CorrelationRuleIndices(client, clusterService);

return List.of(detectorIndices, correlationIndices, correlationRuleIndices, ruleTopicIndices, ruleIndices, mapperService, indexTemplateManager);
Expand Down
109 changes: 109 additions & 0 deletions src/main/java/org/opensearch/securityanalytics/logtype/BuiltinLogTypeLoader.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*/
package org.opensearch.securityanalytics.logtype;

import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.common.settings.SettingsException;
import org.opensearch.common.xcontent.XContentHelper;
import org.opensearch.common.xcontent.json.JsonXContent;
import org.opensearch.securityanalytics.model.LogType;
import org.opensearch.securityanalytics.util.FileUtils;

public class BuiltinLogTypeLoader {

private static final Logger logger = LogManager.getLogger(BuiltinLogTypeLoader.class);

private static final String BASE_PATH = "OSMapping/";

private static final String LOG_TYPE_FILE_SUFFIX = "_logtype.json";

private static List<LogType> logTypes;
private static Map<String, LogType> logTypeMap;


static {
ensureLogTypesLoaded();
}

public static List<LogType> getAllLogTypes() {
ensureLogTypesLoaded();
return logTypes;
}

public static LogType getLogTypeByName(String logTypeName) {
ensureLogTypesLoaded();
return logTypeMap.get(logTypeName);
}

public static boolean logTypeExists(String logTypeName) {
ensureLogTypesLoaded();
return logTypeMap.containsKey(logTypeName);
}

private static void ensureLogTypesLoaded() {
try {
if (logTypes != null) {
return;
}
logTypes = loadBuiltinLogTypes();
logTypeMap = logTypes.stream()
.collect(Collectors.toMap(LogType::getName, Function.identity()));
} catch (Exception e) {
logger.error("Failed loading builtin log types from disk!", e);
}
}

private static List<LogType> loadBuiltinLogTypes() throws URISyntaxException, IOException {
List<LogType> logTypes = new ArrayList<>();

final String url = Objects.requireNonNull(BuiltinLogTypeLoader.class.getClassLoader().getResource(BASE_PATH)).toURI().toString();

Path dirPath = null;
if (url.contains("!")) {
final String[] paths = url.split("!");
dirPath = FileUtils.getFs().getPath(paths[1]);
} else {
dirPath = Path.of(url);
}

Stream<Path> folder = Files.list(dirPath);
List<Path> logTypePaths = folder.filter(e -> e.toString().endsWith(LOG_TYPE_FILE_SUFFIX)).collect(Collectors.toList());

for (Path logTypePath : logTypePaths) {
try (
InputStream is = BuiltinLogTypeLoader.class.getResourceAsStream(logTypePath.toString())
) {
String logTypeFilePayload = new String(Objects.requireNonNull(is).readAllBytes(), StandardCharsets.UTF_8);

if (logTypeFilePayload != null) {
Map<String, Object> logTypeFileAsMap =
XContentHelper.convertToMap(JsonXContent.jsonXContent, logTypeFilePayload, false);

logTypes.add(new LogType(logTypeFileAsMap));

logger.info("Loaded [{}] log type", logTypePath.getFileName());
}
} catch (Exception e) {
throw new SettingsException("Failed to load builtin log types", e);
}
}

return logTypes;
}
}
59 changes: 59 additions & 0 deletions src/main/java/org/opensearch/securityanalytics/logtype/LogTypeService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*/
package org.opensearch.securityanalytics.logtype;

import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.securityanalytics.model.LogType;
import org.opensearch.securityanalytics.util.SecurityAnalyticsException;


/**
*
* */
public class LogTypeService {

private static final Logger logger = LogManager.getLogger(LogTypeService.class);

private BuiltinLogTypeLoader builtinLogTypeLoader;

public LogTypeService() {
this.builtinLogTypeLoader = new BuiltinLogTypeLoader();
}


public List<LogType> getAllLogTypes() {
return BuiltinLogTypeLoader.getAllLogTypes();
}

public LogType getLogTypeByName(String logType) {
return BuiltinLogTypeLoader.getLogTypeByName(logType);
}

/**
* Returns sigmaRule rawField to ECS field mapping
*
* @param logType Log type
* @return Map of rawField to ecs field
*/
public Map<String, String> getRuleFieldMappings(String logType) {
LogType lt = getLogTypeByName(logType);

if (lt == null) {
throw SecurityAnalyticsException.wrap(new IllegalArgumentException("Can't get rule field mappings for invalid logType: [" + logType + "]"));
}
if (lt.getMappings() == null) {
return Map.of();
} else {
return lt.getMappings()
.stream()
.collect(Collectors.toMap(LogType.Mapping::getRawField, LogType.Mapping::getEcs));
}
}
}
137 changes: 137 additions & 0 deletions src/main/java/org/opensearch/securityanalytics/model/LogType.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*/
package org.opensearch.securityanalytics.model;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.opensearch.common.io.stream.StreamInput;
import org.opensearch.common.io.stream.StreamOutput;
import org.opensearch.common.io.stream.Writeable;
import org.opensearch.core.xcontent.ToXContentObject;
import org.opensearch.core.xcontent.XContentBuilder;

public class LogType implements Writeable {

private static final String ID = "id";
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we add unit tests for this class similar to https://github.com/opensearch-project/common-utils/blob/main/src/test/kotlin/org/opensearch/commons/alerting/model/FindingTests.kt & https://github.com/opensearch-project/common-utils/blob/main/src/test/kotlin/org/opensearch/commons/alerting/model/WriteableTests.kt

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

private static final String NAME = "name";
private static final String DESCRIPTION = "description";
private static final String IS_BUILTIN = "is_builtin";
private static final String MAPPINGS = "mappings";
private static final String RAW_FIELD = "raw_field";
private static final String ECS = "ecs";
private static final String OCSF = "ocsf";

private String id;
private String name;
private String description;
private Boolean isBuiltIn;
private List<Mapping> mappings;

public LogType(StreamInput sin) throws IOException {
this.id = sin.readString();
this.isBuiltIn = sin.readOptionalBoolean();
this.name = sin.readString();
this.description = sin.readString();
this.mappings = sin.readList(Mapping::readFrom);
}

public LogType(String id, String name, String description, boolean isBuiltIn, List<Mapping> mappings) {
this.id = id;
this.name = name;
this.description = description;
this.isBuiltIn = isBuiltIn;
this.mappings = mappings == null ? List.of() : mappings;
}

public LogType(Map<String, Object> logTypeAsMap) {
this.id = (String) logTypeAsMap.get(ID);
this.name = (String) logTypeAsMap.get(NAME);
this.description = (String) logTypeAsMap.get(DESCRIPTION);
if (logTypeAsMap.containsKey(IS_BUILTIN)) {
this.isBuiltIn = (Boolean) logTypeAsMap.get(IS_BUILTIN);
}
List<Map<String, String>> mappings = (List<Map<String, String>>)logTypeAsMap.get(MAPPINGS);
if (mappings.size() > 0) {
this.mappings = new ArrayList<>(mappings.size());
this.mappings = mappings.stream().map(e ->
new Mapping(e.get(RAW_FIELD), e.get(ECS), e.get(OCSF))
).collect(Collectors.toList());
}
}

public String getName() {
return name;
}

public String getDescription() {
return description;
}

public boolean getIsBuiltIn() { return isBuiltIn; }

public List<Mapping> getMappings() {
return mappings;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
out.writeString(id);
out.writeOptionalBoolean(isBuiltIn);
out.writeString(name);
out.writeString(description);
out.writeCollection(mappings);
}

@Override
public String toString() {
return name;
}

public static class Mapping implements Writeable {

private String rawField;
private String ecs;
private String ocsf;

public Mapping(StreamInput sin) throws IOException {
this.rawField = sin.readString();
this.ecs = sin.readOptionalString();
this.ocsf = sin.readOptionalString();
}

public Mapping(String rawField, String ecs, String ocsf) {
this.rawField = rawField;
this.ecs = ecs;
this.ocsf = ocsf;
}

public String getRawField() {
return rawField;
}

public String getEcs() {
return ecs;
}

public String getOcsf() {
return ocsf;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
out.writeString(rawField);
out.writeOptionalString(ecs);
out.writeOptionalString(ocsf);
}

public static Mapping readFrom(StreamInput sin) throws IOException {
return new Mapping(sin);
}
}

}
10 changes: 3 additions & 7 deletions src/main/java/org/opensearch/securityanalytics/rules/backend/OSQueryBackend.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,8 +113,8 @@ public class OSQueryBackend extends QueryBackend {

private static final List<Class<?>> precedence = Arrays.asList(ConditionNOT.class, ConditionAND.class, ConditionOR.class);

public OSQueryBackend(String ruleCategory, boolean collectErrors, boolean enableFieldMappings) throws IOException {
super(ruleCategory, true, enableFieldMappings, true, collectErrors);
public OSQueryBackend(Map<String, String> fieldMappings, boolean collectErrors, boolean enableFieldMappings) throws IOException {
super(fieldMappings, true, enableFieldMappings, true, collectErrors);
this.tokenSeparator = " ";
this.orToken = "OR";
this.andToken = "AND";
Expand Down Expand Up @@ -445,11 +445,7 @@ private String getMappedField(String field) {
}

private String getFinalField(String field) {
field = this.getMappedField(field);
if (field.contains(".")) {
field = field.replace(".", "_");
}
return field;
return this.getMappedField(field);
}

private String getFinalValueField() {
Expand Down
12 changes: 2 additions & 10 deletions src/main/java/org/opensearch/securityanalytics/rules/backend/QueryBackend.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ public abstract class QueryBackend {
protected Map<String, Object> ruleQueryFields;

@SuppressWarnings("unchecked")
public QueryBackend(String ruleCategory, boolean convertAndAsIn, boolean enableFieldMappings, boolean convertOrAsIn, boolean collectErrors) throws IOException {
public QueryBackend(Map<String, String> fieldMappings, boolean convertAndAsIn, boolean enableFieldMappings, boolean convertOrAsIn, boolean collectErrors) {
this.convertAndAsIn = convertAndAsIn;
this.convertOrAsIn = convertOrAsIn;
this.collectErrors = collectErrors;
Expand All @@ -68,15 +68,7 @@ public QueryBackend(String ruleCategory, boolean convertAndAsIn, boolean enableF
this.queryFields = new HashMap<>();

if (this.enableFieldMappings) {
InputStream is = this.getClass().getClassLoader().getResourceAsStream(String.format(Locale.getDefault(), "OSMapping/%s/fieldmappings.yml", ruleCategory));
assert is != null;
String content = new String(is.readAllBytes(), Charset.defaultCharset());

Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
Map<String, Object> fieldMappingsObj = yaml.load(content);
this.fieldMappings = (Map<String, String>) fieldMappingsObj.get("fieldmappings");

is.close();
this.fieldMappings = fieldMappings;
} else {
this.fieldMappings = new HashMap<>();
}
Expand Down
Loading