use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.
the class ThreatIntelJoinBoltTest method test.
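/**
 * Drives a {@link ThreatIntelJoinBolt} through prepare/join with an optional threat-triage
 * configuration and checks the resulting alert flag and triage score.
 *
 * @param threatTriageConfig threat triage configuration as JSON, or {@code null} to run without triage
 * @param badConfig {@code true} when {@code threatTriageConfig} is expected not to parse
 * @throws IOException if the sample sensor enrichment configuration cannot be read
 */
public void test(String threatTriageConfig, boolean badConfig) throws IOException {
  ThreatIntelJoinBolt threatIntelJoinBolt = new ThreatIntelJoinBolt("zookeeperUrl");
  threatIntelJoinBolt.setCuratorFramework(client);
  threatIntelJoinBolt.setZKCache(cache);
  // try-with-resources: the stream was previously never closed
  SensorEnrichmentConfig enrichmentConfig;
  try (FileInputStream in = new FileInputStream(sampleSensorEnrichmentConfigPath)) {
    enrichmentConfig = JSONUtils.INSTANCE.load(in, SensorEnrichmentConfig.class);
  }
  boolean withThreatTriage = threatTriageConfig != null;
  if (withThreatTriage) {
    try {
      enrichmentConfig.getThreatIntel().setTriageConfig(
          JSONUtils.INSTANCE.load(threatTriageConfig, ThreatTriageConfig.class));
      if (badConfig) {
        Assert.fail(threatTriageConfig + "\nThis should not parse!");
      }
    } catch (JsonMappingException pe) {
      // a mapping failure is the expected outcome only for a deliberately bad config
      if (!badConfig) {
        throw pe;
      }
    }
  }
  threatIntelJoinBolt.getConfigurations().updateSensorEnrichmentConfig(sensorType, enrichmentConfig);
  Map<String, Object> globalConfig = new HashMap<>();
  String baseDir = UnitTestHelper.findDir("GeoLite");
  File geoHdfsFile = new File(new File(baseDir), "GeoIP2-City-Test.mmdb.gz");
  globalConfig.put(GeoLiteDatabase.GEO_HDFS_FILE, geoHdfsFile.getAbsolutePath());
  threatIntelJoinBolt.getConfigurations().updateGlobalConfig(globalConfig);
  threatIntelJoinBolt.withMaxCacheSize(100);
  threatIntelJoinBolt.withMaxTimeRetain(10000);
  threatIntelJoinBolt.prepare(new HashMap<>(), topologyContext, outputCollector);
  // an unknown sensor type has no field map at all
  Map<String, Object> fieldMap = threatIntelJoinBolt.getFieldMap("incorrectSourceType");
  Assert.assertNull(fieldMap);
  fieldMap = threatIntelJoinBolt.getFieldMap(sensorType);
  Assert.assertTrue(fieldMap.containsKey("hbaseThreatIntel"));
  MessageGetStrategy messageGetStrategy = mock(MessageGetStrategy.class);
  Tuple messageTuple = mock(Tuple.class);
  when(messageGetStrategy.get(messageTuple)).thenReturn(message);
  Map<String, Tuple> streamMessageMap = new HashMap<>();
  streamMessageMap.put("message", messageTuple);
  // neither the plain message nor the timed one should raise an alert
  JSONObject joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
  assertFalse(joinedMessage.containsKey("is_alert"));
  when(messageGetStrategy.get(messageTuple)).thenReturn(messageWithTiming);
  joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
  assertFalse(joinedMessage.containsKey("is_alert"));
  // the alert message must come back flagged with is_alert == "true"
  when(messageGetStrategy.get(messageTuple)).thenReturn(alertMessage);
  joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
  assertTrue(joinedMessage.containsKey("is_alert") && "true".equals(joinedMessage.get("is_alert")));
  if (withThreatTriage && !badConfig) {
    // a valid triage config yields a score; compare with a tolerance since it is a Double
    assertTrue(joinedMessage.containsKey("threat.triage.score"));
    Double score = (Double) joinedMessage.get("threat.triage.score");
    assertTrue(Math.abs(10d - score) < 1e-10);
  } else {
    assertFalse(joinedMessage.containsKey("threat.triage.score"));
  }
}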
use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.
the class ParallelEnricherTest method testBadConfigWrongEnrichmentType.
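/**
 * Verifies that a configuration naming an enrichment type with no registered adapter is
 * rejected by {@code enricher.apply} with a message listing the adapters that do exist.
 *
 * @throws Exception if loading the configuration fails
 */
@Test
public void testBadConfigWrongEnrichmentType() throws Exception {
  SensorEnrichmentConfig config = JSONUtils.INSTANCE.load(badConfigWrongEnrichmentType, SensorEnrichmentConfig.class);
  config.getConfiguration().putIfAbsent("stellarContext", stellarContext);
  // plain instance instead of double-brace initialisation (which creates an anonymous subclass)
  JSONObject message = new JSONObject();
  message.put(Constants.SENSOR_TYPE, "test");
  try {
    enricher.apply(message, EnrichmentStrategies.ENRICHMENT, config, null);
    Assert.fail("This is an invalid config, we should have failed.");
  } catch (IllegalStateException ise) {
    // assertEquals takes (expected, actual); the arguments were previously swapped,
    // which made the failure message misleading
    String expected = "Unable to find an adapter for hbaseThreatIntel, possible adapters are: " + Joiner.on(",").join(enrichmentsByType.keySet());
    Assert.assertEquals(expected, ise.getMessage());
  }
}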
use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.
the class ThreatTriageFunctions method getSensorEnrichmentConfig.
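/**
 * Retrieves the sensor enrichment configuration from the function arguments. The manner
 * of retrieving the configuration differs based on what the user passes in: a JSON string
 * is deserialized, a {@link ThreatTriageProcessor} yields its current sensor config.
 * @param args The function arguments.
 * @param position The position from which the configuration will be extracted.
 * @return The sensor enrichment configuration; a fresh empty one when the argument is a null String.
 * @throws IllegalArgumentException if the argument is neither a String nor a ThreatTriageProcessor.
 */
private static SensorEnrichmentConfig getSensorEnrichmentConfig(List<Object> args, int position) {
  Object arg = Util.getArg(position, Object.class, args);
  SensorEnrichmentConfig config = new SensorEnrichmentConfig();
  if (arg instanceof String) {
    // deserialize the configuration from json; read from 'position' rather than a
    // hard-coded index 0, otherwise the type check and the value used could disagree
    String json = Util.getArg(position, String.class, args);
    if (json != null) {
      config = (SensorEnrichmentConfig) ENRICHMENT.deserialize(json);
    }
  } else if (arg instanceof ThreatTriageProcessor) {
    // extract the configuration from the engine (same position fix as above)
    ThreatTriageProcessor engine = Util.getArg(position, ThreatTriageProcessor.class, args);
    config = engine.getSensorConfig();
  } else {
    // unexpected type
    throw new IllegalArgumentException(String.format("Unexpected type: got '%s'", ClassUtils.getShortClassName(arg, "null")));
  }
  return config;
}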
use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.
the class ThreatTriageFunctionsTest method testSetAggregationWithEngine.
/**
 * THREAT_TRIAGE_SET_AGGREGATOR applied to a live engine must update both the returned
 * configuration and the engine's own sensor config.
 */
@Test
public void testSetAggregationWithEngine() {
  // create an engine and expose it to the expression as 'engine'
  ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
  Map<String, Object> variables = new HashMap<>();
  variables.put("engine", engine);
  // switch the aggregator and capture the configuration that comes back
  String updatedJson = (String) run("THREAT_TRIAGE_SET_AGGREGATOR(engine, 'MIN')", variables);
  SensorEnrichmentConfig returned = (SensorEnrichmentConfig) ENRICHMENT.deserialize(updatedJson);
  String returnedAggregator = returned.getThreatIntel().getTriageConfig().getAggregator().toString();
  Assert.assertEquals("MIN", returnedAggregator);
  // the engine must reflect the same change
  String engineAggregator = engine.getSensorConfig().getThreatIntel().getTriageConfig().getAggregator().toString();
  Assert.assertEquals("MIN", engineAggregator);
}
use of org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig in project metron by apache.
the class ThreatTriageFunctionsTest method testSetAggregation.
/**
 * THREAT_TRIAGE_SET_AGGREGATOR applied to a JSON config string returns a config whose
 * triage aggregator is the requested one.
 */
@Test
public void testSetAggregation() {
  String updatedJson = (String) run("THREAT_TRIAGE_SET_AGGREGATOR(config, 'MIN' )", toMap("config", configStr));
  SensorEnrichmentConfig parsed = (SensorEnrichmentConfig) ENRICHMENT.deserialize(updatedJson);
  // only the aggregator is asserted; the rest of the config is untouched by the call
  ThreatTriageConfig triage = parsed.getThreatIntel().getTriageConfig();
  Assert.assertEquals("MIN", triage.getAggregator().toString());
}