
Example 1 with RuleScore

use of org.apache.metron.common.configuration.enrichment.threatintel.RuleScore in project metron by apache.

the class ThreatIntelUtils method appendThreatScore.

/**
 * Writes a threat triage result into the telemetry message being triaged.
 *
 * <p>The overall score is stored under {@code THREAT_TRIAGE_SCORE_KEY}. Every rule
 * that contributed to it is flattened into its own set of keys: the key prefix is
 * {@code THREAT_TRIAGE_RULES_KEY}, the rule's position and the field name joined
 * with a '.', so the rule's name, comment, score and evaluated reason each become a
 * top-level field of the message rather than a nested structure.
 *
 * @param threatScore the triage result whose overall and per-rule scores are appended
 * @param message the telemetry message that receives the score fields
 */
private static void appendThreatScore(ThreatScore threatScore, JSONObject message) {
    message.put(THREAT_TRIAGE_SCORE_KEY, threatScore.getScore());

    Joiner dot = Joiner.on(".");
    int position = 0;
    for (RuleScore ruleScore : threatScore.getRuleScores()) {
        // each rule gets a distinct prefix ("<rules key>.<position>") so the rules stay flat
        String prefix = dot.join(THREAT_TRIAGE_RULES_KEY, position);
        message.put(dot.join(prefix, THREAT_TRIAGE_RULE_NAME), ruleScore.getRule().getName());
        message.put(dot.join(prefix, THREAT_TRIAGE_RULE_COMMENT), ruleScore.getRule().getComment());
        message.put(dot.join(prefix, THREAT_TRIAGE_RULE_SCORE), ruleScore.getRule().getScore());
        message.put(dot.join(prefix, THREAT_TRIAGE_RULE_REASON), ruleScore.getReason());
        position++;
    }
}
Also used : Joiner(com.google.common.base.Joiner) RuleScore(org.apache.metron.common.configuration.enrichment.threatintel.RuleScore)

Example 2 with RuleScore

use of org.apache.metron.common.configuration.enrichment.threatintel.RuleScore in project metron by apache.

the class ThreatTriageTest method testInvalidReason.

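/**
 * If the 'reason' expression refers to a missing variable (the result
 * of a data quality issue) it should not throw an exception: the rule
 * still matches and its reason resolves to null.
 */
@Test
public void testInvalidReason() throws Exception {
    // the message deliberately does not contain 'variable.name', which the
    // rule's 'reason' expression refers to; a plain map is enough here, the
    // previous anonymous double-brace subclass only captured the test instance
    Map<Object, Object> message = new HashMap<>();

    ThreatScore score = getProcessor(testReasonConfig).apply(message);

    // the rule itself still matches ...
    assertEquals(1, score.getRuleScores().size());
    for (RuleScore ruleScore : score.getRuleScores()) {
        // ... but evaluating its 'reason' expression against the message yields no value
        assertEquals(null, ruleScore.getReason());
    }
}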
Also used : HashMap(java.util.HashMap) ThreatScore(org.apache.metron.common.configuration.enrichment.threatintel.ThreatScore) RuleScore(org.apache.metron.common.configuration.enrichment.threatintel.RuleScore) Test(org.junit.Test)

Example 3 with RuleScore

use of org.apache.metron.common.configuration.enrichment.threatintel.RuleScore in project metron by apache.

the class ThreatTriageTest method testReason.

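/**
 * The 'reason' field contained within a rule is a Stellar expression that is
 * executed within the context of the message that the rule is applied to,
 * so the reason reported for a rule is the value the expression evaluates to.
 */
@Test
public void testReason() throws Exception {
    // the rule's 'reason' expression refers to 'variable.name'; a plain map is
    // enough here, the previous anonymous double-brace subclass only captured
    // the test instance
    Map<Object, Object> message = new HashMap<>();
    message.put("variable.name", "variable.value");

    ThreatScore score = getProcessor(testReasonConfig).apply(message);

    assertEquals(1, score.getRuleScores().size());
    for (RuleScore ruleScore : score.getRuleScores()) {
        // the 'reason' is the result of executing the rule's 'reason' expression
        assertEquals("variable.value", ruleScore.getReason());
    }
}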
Also used : HashMap(java.util.HashMap) ThreatScore(org.apache.metron.common.configuration.enrichment.threatintel.ThreatScore) RuleScore(org.apache.metron.common.configuration.enrichment.threatintel.RuleScore) Test(org.junit.Test)

Example 4 with RuleScore

use of org.apache.metron.common.configuration.enrichment.threatintel.RuleScore in project metron by apache.

the class ThreatTriageProcessor method apply.

/**
 * Triages a single message against the configured risk-level rules.
 *
 * <p>Each rule's predicate is evaluated with the message, the sensor configuration
 * and the threat-intel configuration available as variables. A rule whose predicate
 * holds contributes a {@link RuleScore} carrying the rule and the value of its
 * 'reason' expression. The overall score is the configured aggregation of the
 * matching rules' scores.
 *
 * @param input the message to triage; may be null
 * @return the threat score holding the matching rules and the aggregate score
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map input) {
    ThreatScore result = new ThreatScore();
    StellarPredicateProcessor ruleMatcher = new StellarPredicateProcessor();
    StellarProcessor reasonEvaluator = new StellarProcessor();
    VariableResolver variables = new MapVariableResolver(input, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());

    for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
        boolean matches = ruleMatcher.parse(rule.getRule(), variables, functionResolver, context);
        if (!matches) {
            continue;
        }
        // a matching rule contributes its score together with its evaluated 'reason'
        String reason = execute(rule.getReason(), reasonEvaluator, variables, String.class);
        result.addRuleScore(new RuleScore(rule, reason));
    }

    // fold the matching rules' scores into one value using the configured aggregator
    List<Number> ruleScores = result.getRuleScores()
        .stream()
        .map(ruleScore -> ruleScore.getRule().getScore())
        .collect(Collectors.toList());
    Aggregators aggregator = threatTriageConfig.getAggregator();
    Double aggregate = aggregator.aggregate(ruleScores, threatTriageConfig.getAggregationConfig());
    result.setScore(aggregate);
    return result;
}
Also used : StellarProcessor(org.apache.metron.stellar.common.StellarProcessor) ThreatScore(org.apache.metron.common.configuration.enrichment.threatintel.ThreatScore) FunctionResolver(org.apache.metron.stellar.dsl.functions.resolver.FunctionResolver) VariableResolver(org.apache.metron.stellar.dsl.VariableResolver) Function(com.google.common.base.Function) RiskLevelRule(org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule) StellarProcessor(org.apache.metron.stellar.common.StellarProcessor) Collectors(java.util.stream.Collectors) SensorEnrichmentConfig(org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig) List(java.util.List) ThreatIntelConfig(org.apache.metron.common.configuration.enrichment.threatintel.ThreatIntelConfig) RuleScore(org.apache.metron.common.configuration.enrichment.threatintel.RuleScore) Map(java.util.Map) Aggregators(org.apache.metron.common.aggregator.Aggregators) ThreatTriageConfig(org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig) ConversionUtils(org.apache.metron.stellar.common.utils.ConversionUtils) MapVariableResolver(org.apache.metron.stellar.dsl.MapVariableResolver) StellarPredicateProcessor(org.apache.metron.stellar.common.StellarPredicateProcessor) Nullable(javax.annotation.Nullable) Context(org.apache.metron.stellar.dsl.Context) ThreatScore(org.apache.metron.common.configuration.enrichment.threatintel.ThreatScore) MapVariableResolver(org.apache.metron.stellar.dsl.MapVariableResolver) RiskLevelRule(org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule) Aggregators(org.apache.metron.common.aggregator.Aggregators) RuleScore(org.apache.metron.common.configuration.enrichment.threatintel.RuleScore) VariableResolver(org.apache.metron.stellar.dsl.VariableResolver) MapVariableResolver(org.apache.metron.stellar.dsl.MapVariableResolver) StellarPredicateProcessor(org.apache.metron.stellar.common.StellarPredicateProcessor) Nullable(javax.annotation.Nullable)
