

Merge pull request #2 from eirsep/2.13-threat-intel
fix update threat intel monitor to avoid monitor exists check before …
AWSHurneyt authored Jun 28, 2024
2 parents 7b968c4 + 5283ae6 commit 41873a9
Showing 2 changed files with 29 additions and 4 deletions.
Expand Up @@ -106,7 +106,12 @@ protected void doExecute(Task task, IndexThreatIntelMonitorRequest request, Acti
listener.onFailure(SecurityAnalyticsException.wrap(new OpenSearchStatusException(validateBackendRoleMessage, RestStatus.FORBIDDEN)));
return;
}
//fetch monitors and search
if(request.getMethod().equals(RestRequest.Method.PUT)) {
indexMonitor(request, listener, user);
return;
}

//fetch monitors and search to ensure only one threat intel monitor can be created
SearchRequest threatIntelMonitorsSearchRequest = new SearchRequest();
threatIntelMonitorsSearchRequest.indices(".opendistro-alerting-config");
BoolQueryBuilder boolQueryBuilder = QueryBuilders.boolQuery();
Expand All @@ -118,15 +123,15 @@ protected void doExecute(Task task, IndexThreatIntelMonitorRequest request, Acti
List<String> monitorIds = searchResponse.getHits() == null || searchResponse.getHits().getHits() == null ? new ArrayList<>() :
Arrays.stream(searchResponse.getHits().getHits()).map(SearchHit::getId).collect(Collectors.toList());
if (monitorIds.isEmpty()) {
createMonitor(request, listener, user);
indexMonitor(request, listener, user);
} else
listener.onFailure(new ResourceAlreadyExistsException(String.format("Threat intel monitor %s already exists.", monitorIds.get(0))));
},

e -> {
if (e instanceof IndexNotFoundException || e.getMessage().contains("Configured indices are not found")) {
try {
createMonitor(request, listener, user);
indexMonitor(request, listener, user);
return;
} catch (IOException ex) {
log.error(() -> new ParameterizedMessage("Unexpected failure while indexing threat intel monitor {} named {}", request.getId(), request.getMonitor().getName()));
Expand All @@ -145,7 +150,7 @@ protected void doExecute(Task task, IndexThreatIntelMonitorRequest request, Acti
}
}

private void createMonitor(IndexThreatIntelMonitorRequest request, ActionListener<IndexThreatIntelMonitorResponse> listener, User user) throws IOException {
private void indexMonitor(IndexThreatIntelMonitorRequest request, ActionListener<IndexThreatIntelMonitorResponse> listener, User user) throws IOException {
IndexMonitorRequest indexMonitorRequest = buildIndexMonitorRequest(request);
AlertingPluginInterface.INSTANCE.indexMonitor((NodeClient) client, indexMonitorRequest, namedWriteableRegistry, ActionListener.wrap(
r -> {
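Review bot: The new PUT branch at the top of the first hunk calls indexMonitor(request, listener, user) without confirming that request.getId() names an existing threat intel monitor, so the single-monitor guarantee that the search below still enforces for POST no longer applies to updates; a PUT carrying an empty or unknown id would presumably be forwarded to AlertingPluginInterface.indexMonitor as-is. I would reject a blank id up front, `if (request.getId() == null || request.getId().isBlank()) { listener.onFailure(SecurityAnalyticsException.wrap(new OpenSearchStatusException("Threat intel monitor id is required for update.", RestStatus.BAD_REQUEST))); return; }`, and reuse the existing search (filtered by that id) to confirm the monitor exists before indexing it. Minor: `request.getMethod() == RestRequest.Method.PUT` is the usual form for an enum comparison and cannot throw if getMethod() is null. doExecute starts and ends outside the hunk; the two later hunks only rename createMonitor to indexMonitor.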
Expand Up @@ -9,12 +9,14 @@
import org.opensearch.common.xcontent.XContentFactory;
import org.opensearch.commons.alerting.model.IntervalSchedule;
import org.opensearch.commons.alerting.model.Monitor;
import org.opensearch.commons.alerting.model.Schedule;
import org.opensearch.core.xcontent.ToXContent;
import org.opensearch.search.SearchHit;
import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
import org.opensearch.securityanalytics.SecurityAnalyticsRestTestCase;
import org.opensearch.securityanalytics.commons.model.IOCType;
import org.opensearch.securityanalytics.model.STIX2IOC;
import org.opensearch.securityanalytics.model.threatintel.ThreatIntelAlert;
import org.opensearch.securityanalytics.threatIntel.common.RefreshType;
import org.opensearch.securityanalytics.threatIntel.common.SourceConfigType;
import org.opensearch.securityanalytics.threatIntel.common.TIFJobState;
Expand Down Expand Up @@ -186,6 +188,24 @@ public void testCreateThreatIntelMonitor() throws IOException {
Response getAlertsResponse = makeRequest(client(), "GET", SecurityAnalyticsPlugin.THREAT_INTEL_ALERTS_URI, params, null);
Map<String, Object> getAlertsBody = asMap(getAlertsResponse);
Assert.assertEquals(4, getAlertsBody.get("total_alerts"));


ThreatIntelMonitorDto updateMonitorDto = new ThreatIntelMonitorDto(
monitorId,
iocScanMonitor.getName() + "update",
iocScanMonitor.getPerIocTypeScanInputList(),
new IntervalSchedule(5, ChronoUnit.MINUTES, Instant.now()),
false,
null,
List.of(iocScanMonitor.getTriggers().get(0), iocScanMonitor.getTriggers().get(1))
);
//update monitor
response = makeRequest(client(), "PUT", SecurityAnalyticsPlugin.THREAT_INTEL_MONITOR_URI + "/" + monitorId, Collections.emptyMap(), toHttpEntity(updateMonitorDto));
Assert.assertEquals(200, response.getStatusLine().getStatusCode());
responseBody = asMap(response);
assertEquals(responseBody.get("id").toString(), monitorId);
assertEquals(((HashMap<String, Object>) responseBody.get("monitor")).get("name").toString(), iocScanMonitor.getName() + "update");

//delete
Response delete = makeRequest(client(), "DELETE", SecurityAnalyticsPlugin.THREAT_INTEL_MONITOR_URI + "/" + monitorId, Collections.emptyMap(), null);
Assert.assertEquals(200, delete.getStatusLine().getStatusCode());
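Review bot: The two assertions after the PUT, `assertEquals(responseBody.get("id").toString(), monitorId)` and the line below it, pass the actual value first and the expected value second, the reverse of the JUnit convention used by the surrounding `Assert.assertEquals(200, ...)` calls, so a failure would report the values swapped; write them as `assertEquals(monitorId, responseBody.get("id").toString())`. The test also never checks that the PUT did not create a second threat intel monitor, which is the behaviour the transport change is meant to preserve; a follow-up GET or search counting monitors after the update would pin that down. The unchecked cast to `HashMap<String, Object>` can be `Map<String, Object>` since only `get` is called on it. testCreateThreatIntelMonitor starts outside the hunk.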

