
Example 1 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

the class ThreatTriageFunctionsTest method testAddMultipleWithEngine.

/**
 * THREAT_TRIAGE_ADD against an engine handle: two successive adds must leave
 * the engine holding exactly two risk-level rules.
 */
@Test
public void testAddMultipleWithEngine() {
    // a fresh engine from the init function, bound as 'engine' for the later calls
    final ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    final Map<String, Object> bindings = new HashMap<>();
    bindings.put("engine", engine);

    // every THREAT_TRIAGE_ADD call is expected to contribute one rule
    final String[] addCalls = {
        "THREAT_TRIAGE_ADD(engine, { 'name':'rule1', 'rule':'value < 2', 'score':10 } )",
        "THREAT_TRIAGE_ADD(engine, { 'name':'rule2', 'rule':'value < 4', 'score':10 } )"
    };
    for (String expression : addCalls) {
        run(expression, bindings);
    }

    final List<RiskLevelRule> rules = engine.getRiskLevelRules();
    Assert.assertEquals(2, rules.size());
}

Example 2 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

the class ThreatTriageFunctionsTest method testAddEmpty.

/**
 * THREAT_TRIAGE_ADD against a configuration string: the returned config must
 * contain exactly one rule, whose expression and score are the ones supplied.
 */
@Test
public void testAddEmpty() {
    final String updated = (String) run(
        "THREAT_TRIAGE_ADD(config, { 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 } )",
        toMap("config", configStr));

    final List<RiskLevelRule> rules = getTriageRules(updated);
    Assert.assertEquals(1, rules.size());

    // the single rule carries the 'less' expression and a score of 10
    final RiskLevelRule only = rules.get(0);
    Assert.assertEquals(variables.get("less").getExpression().get(), only.getRule());
    Assert.assertEquals(10.0, only.getScore().doubleValue(), 1e-6);
}

Example 3 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

the class ThreatTriageFunctionsTest method testAddEmptyWithEngine.

/**
 * THREAT_TRIAGE_ADD against an engine handle: the returned configuration and
 * the engine's own sensor config must both reflect the single added rule.
 */
@Test
public void testAddEmptyWithEngine() {
    // a fresh engine, bound as 'engine' for the add call
    final ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    final Map<String, Object> bindings = new HashMap<>();
    bindings.put("engine", engine);

    final String updated = (String) run(
        "THREAT_TRIAGE_ADD(engine, {'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 } )",
        bindings);

    // the configuration handed back contains the new rule ...
    final List<RiskLevelRule> rules = getTriageRules(updated);
    Assert.assertEquals(1, rules.size());

    // ... and so does the engine's in-memory sensor config
    final int rulesInEngine = engine.getSensorConfig().getThreatIntel().getTriageConfig().getRiskLevelRules().size();
    Assert.assertEquals(1, rulesInEngine);
}

Example 4 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

the class ThreatTriageFunctionsTest method testAddHasExisting.

/**
 * THREAT_TRIAGE_ADD onto a config that already holds a rule: the new rule is
 * appended after the existing one, and each keeps its own expression and score.
 */
@Test
public void testAddHasExisting() {
    // first add: the 'less' rule (with a reason expression) onto the base config
    final String withLess = (String) run(
        "THREAT_TRIAGE_ADD(config, { 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10, 'reason' : '2 + 2' } )",
        toMap("config", configStr));

    // second add: the 'greater' rule onto the config produced by the first add
    final String withBoth = (String) run(
        "THREAT_TRIAGE_ADD(config, { 'rule' : SHELL_GET_EXPRESSION('greater'), 'score' : 20 } )",
        toMap("config", withLess));

    final List<RiskLevelRule> rules = getTriageRules(withBoth);
    Assert.assertEquals(2, rules.size());

    // insertion order is preserved: 'less' first, then 'greater'
    final RiskLevelRule first = rules.get(0);
    Assert.assertEquals(variables.get("less").getExpression().get(), first.getRule());
    Assert.assertEquals(10.0, first.getScore().doubleValue(), 1e-6);

    final RiskLevelRule second = rules.get(1);
    Assert.assertEquals(variables.get("greater").getExpression().get(), second.getRule());
    Assert.assertEquals(20.0, second.getScore().doubleValue(), 1e-6);
}

Example 5 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

the class ThreatTriageProcessor method apply.

/**
 * Scores one message against the configured risk-level rules.
 * <p>
 * Each rule's Stellar predicate is evaluated with the message, the sensor-level
 * configuration and the threat-intel configuration exposed as variables. Every
 * rule whose predicate holds contributes a {@link RuleScore} carrying the rule
 * and its evaluated reason expression; the scores of the matching rules are then
 * folded into a single value by the aggregator named in the triage config.
 * <p>
 * The rule and reason expressions are read from configuration, not from the
 * message, so what is executed here is decided by whoever can write the triage
 * configuration. Nothing in this method catches an exception raised while
 * parsing or evaluating a rule, so a failing rule is not isolated from the rest.
 *
 * @param input the message to triage, exposed to the rule expressions as
 *              variables; annotated nullable, and passed through unchanged
 * @return the per-rule scores plus the aggregate score (this method itself
 *         never returns null despite the {@code @Nullable} annotation)
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map input) {
    final StellarPredicateProcessor predicates = new StellarPredicateProcessor();
    final StellarProcessor expressions = new StellarProcessor();
    final VariableResolver variables = new MapVariableResolver(input, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());
    final ThreatScore result = new ThreatScore();

    // a rule counts only when its predicate holds for this message
    for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
        boolean matches = predicates.parse(rule.getRule(), variables, functionResolver, context);
        if (!matches) {
            continue;
        }
        // the reason is itself a Stellar expression, evaluated to a String
        String reason = execute(rule.getReason(), expressions, variables, String.class);
        result.addRuleScore(new RuleScore(rule, reason));
    }

    // collapse the matching rules' scores with the configured aggregator
    final Aggregators aggregator = threatTriageConfig.getAggregator();
    final List<Number> matchedScores = result.getRuleScores().stream()
        .map(ruleScore -> ruleScore.getRule())
        .map(rule -> rule.getScore())
        .collect(Collectors.toList());
    final Double aggregate = aggregator.aggregate(matchedScores, threatTriageConfig.getAggregationConfig());
    result.setScore(aggregate);
    return result;
}
