
Example 6 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

From class ThreatTriageFunctionsTest, method testAddDuplicate: the same (rule, score) entry is added twice via THREAT_TRIAGE_ADD and exactly one triage rule is expected to remain.

@Test
public void testAddDuplicate() {
    // Adding the identical (rule, score) pair a second time must not create a second entry.
    String addLess = "THREAT_TRIAGE_ADD(config, { 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 } )";
    String config = configStr;
    for (int attempt = 0; attempt < 2; attempt++) {
        config = (String) run(addLess, toMap("config", config));
    }
    List<RiskLevelRule> rules = getTriageRules(config);
    // Exactly one rule survives the duplicate add; the test only demonstrates that an
    // identical expression+score pair collapses (presumably keyed on the expression).
    Assert.assertEquals(1, rules.size());
    RiskLevelRule only = rules.get(0);
    Assert.assertEquals(variables.get("less").getExpression().get(), only.getRule());
    Assert.assertEquals(10.0, only.getScore().doubleValue(), 1e-6);
}

Example 7 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

From class ThreatTriageFunctionsTest, method testRemoveMissing: THREAT_TRIAGE_REMOVE is given two expressions that were never added, and the two existing rules are expected to remain untouched.

@Test
public void testRemoveMissing() {
    // Two rules go in; the removal names two expressions that were never added.
    String withTwo = (String) run("THREAT_TRIAGE_ADD(config, [ { 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 }, { 'rule' : SHELL_GET_EXPRESSION('greater'), 'score' : 20 } ] )", toMap("config", configStr));
    String afterRemove = (String) run("THREAT_TRIAGE_REMOVE(config, [ SHELL_GET_EXPRESSION('foo'), SHELL_GET_EXPRESSION('bar')] )", toMap("config", withTwo));
    List<RiskLevelRule> rules = getTriageRules(afterRemove);
    // Removing unknown expressions is a no-op: both rules survive, in the order they were added.
    Assert.assertEquals(2, rules.size());
    RiskLevelRule first = rules.get(0);
    Assert.assertEquals(variables.get("less").getExpression().get(), first.getRule());
    Assert.assertEquals(10.0, first.getScore().doubleValue(), 1e-6);
    RiskLevelRule second = rules.get(1);
    Assert.assertEquals(variables.get("greater").getExpression().get(), second.getRule());
    Assert.assertEquals(20.0, second.getScore().doubleValue(), 1e-6);
}

Example 8 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

From class ThreatTriageFunctionsTest, method testRemove: of two added rules, the one named in THREAT_TRIAGE_REMOVE is dropped and the other is expected to survive with its score intact.

@Test
public void testRemove() {
    // Start with two rules, then remove exactly one by its expression.
    String withTwo = (String) run("THREAT_TRIAGE_ADD(config, [ { 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 }, { 'rule' : SHELL_GET_EXPRESSION('greater'), 'score' : 20 } ] )", toMap("config", configStr));
    String withOne = (String) run("THREAT_TRIAGE_REMOVE(config, [ SHELL_GET_EXPRESSION('greater')] )", toMap("config", withTwo));
    List<RiskLevelRule> remaining = getTriageRules(withOne);
    Assert.assertEquals(1, remaining.size());
    // The survivor is the rule that was not named in the removal; its score is unchanged.
    RiskLevelRule survivor = remaining.get(0);
    Assert.assertEquals(variables.get("less").getExpression().get(), survivor.getRule());
    Assert.assertEquals(10.0, survivor.getScore().doubleValue(), 1e-6);
}

Example 9 with RiskLevelRule

use of org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule in project metron by apache.

From class ThreatTriageFunctionsTest, method testRemoveWithEngine: the same add/remove functions are applied to a ThreatTriageProcessor instance instead of a config string, and the result is checked through the engine's own rule list.

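/**
 * Exercises THREAT_TRIAGE_ADD / THREAT_TRIAGE_REMOVE when the first argument is a live
 * ThreatTriageProcessor rather than a config string. The engine is inspected directly,
 * so the functions' return values are not read; the original unread {@code (String)} casts
 * are replaced by explicit assertions so the "still returns a config string" check is visible.
 */
@Test
public void testRemoveWithEngine() {
    // init the engine
    ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    // expose the engine to the Stellar expressions under the variable name 'engine'
    Map<String, Object> vars = new HashMap<>();
    vars.put("engine", engine);
    // add 2 rules
    Object afterAdd = run("THREAT_TRIAGE_ADD(engine, [" + "{ 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 }, " + "{ 'rule' : SHELL_GET_EXPRESSION('greater'), 'score' : 20 } ] )", vars);
    Assert.assertTrue("THREAT_TRIAGE_ADD with an engine should still return a config string", afterAdd instanceof String);
    // remove 1 rule
    Object afterRemove = run("THREAT_TRIAGE_REMOVE(engine, [ " + "SHELL_GET_EXPRESSION('greater')] )", vars);
    Assert.assertTrue("THREAT_TRIAGE_REMOVE with an engine should still return a config string", afterRemove instanceof String);
    // the engine was mutated in place, so read the rules back from it rather than from a config string
    List<RiskLevelRule> triageRules = engine.getRiskLevelRules();
    Assert.assertEquals(1, triageRules.size());
    RiskLevelRule rule = triageRules.get(0);
    Assert.assertEquals(variables.get("less").getExpression().get(), rule.getRule());
    Assert.assertEquals(10.0, rule.getScore().doubleValue(), 1e-6);
}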
