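/**
 * If the 'reason' expression refers to a missing variable (the result
 * of a data quality issue) it should not throw an exception: the rule
 * still fires and its reason simply resolves to null.
 *
 * @throws Exception if the processor cannot be built from {@code testReasonConfig}
 */
@Test
public void testInvalidReason() throws Exception {
    // deliberately empty: the rule's 'reason' expression presumably references
    // 'variable.name' (see testReason), which is absent from this message
    Map<Object, Object> message = new HashMap<>();
    ThreatScore score = getProcessor(testReasonConfig).apply(message);
    Assert.assertEquals(1, score.getRuleScores().size());
    for (RuleScore ruleScore : score.getRuleScores()) {
        // the 'reason' is the result of executing the rule's 'reason' expression;
        // an unresolvable variable must yield null rather than an exception
        Assert.assertNull(ruleScore.getReason());
    }
}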
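/**
 * The 'reason' field contained within a rule is a Stellar expression that is
 * executed within the context of the message that the rule is applied to,
 * so a reason that references a message field evaluates to that field's value.
 *
 * @throws Exception if the processor cannot be built from {@code testReasonConfig}
 */
@Test
public void testReason() throws Exception {
    Map<Object, Object> message = new HashMap<>();
    message.put("variable.name", "variable.value");
    ThreatScore score = getProcessor(testReasonConfig).apply(message);
    Assert.assertEquals(1, score.getRuleScores().size());
    for (RuleScore ruleScore : score.getRuleScores()) {
        // the 'reason' is the result of executing the rule's 'reason' expression
        // against the message, so it should carry the value of 'variable.name'
        Assert.assertEquals("variable.value", ruleScore.getReason());
    }
}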
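/**
 * A message that matches none of the triage rules must produce a threat
 * score that records no rule scores at all (rather than, say, a rule
 * with a zero score).
 *
 * @throws Exception if the processor cannot be built from {@code smokeTestProcessorConfig}
 */
@Test
public void testThreatScoreWithNoRules() throws Exception {
    // values chosen so that no rule in smokeTestProcessorConfig matches
    Map<Object, Object> message = new HashMap<>();
    message.put("user.type", "foo");
    message.put("asset.type", "bar");
    ThreatScore score = getProcessor(smokeTestProcessorConfig).apply(message);
    // expect no rules to have been applied
    Assert.assertEquals(0, score.getRuleScores().size());
}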
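/**
 * Each individual rule that was applied when scoring a threat should
 * be captured in the overall threat score, identified by the rule's name.
 *
 * @throws Exception if the processor cannot be built from {@code smokeTestProcessorConfig}
 */
@Test
public void testThreatScoreWithOneRule() throws Exception {
    // values chosen so that exactly one rule ('rule 4') in smokeTestProcessorConfig matches
    Map<Object, Object> message = new HashMap<>();
    message.put("user.type", "abnormal");
    message.put("asset.type", "invalid");
    ThreatScore score = getProcessor(smokeTestProcessorConfig).apply(message);
    // expect rule 4, and only rule 4, to have been applied
    Assert.assertEquals(1, score.getRuleScores().size());
    for (RuleScore ruleScore : score.getRuleScores()) {
        // an exact name check is stricter than a membership test against a one-element list
        Assert.assertEquals("rule 4", ruleScore.getRule().getName());
    }
}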
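/**
 * Triages a joined (enriched) message: decides whether it is an alert and, if it is,
 * applies the sensor's threat triage rules and attaches the resulting score to it.
 *
 * <p>The message is mutated in place: {@code is_alert} is normalised to the string
 * {@code "true"} for alerts and removed when it was present but false; the triage
 * score is appended by {@code appendThreatScore} when at least one rule fired.
 *
 * @param ret the joined message; mutated and returned
 * @param config the sensor's enrichment config, or {@code null} if none was found
 * @param functionResolver resolver for Stellar functions used by the triage rules
 * @param stellarContext Stellar execution context for the triage rules
 * @return {@code ret}, possibly with {@code is_alert} and the threat score attached
 */
public static JSONObject triage(JSONObject ret, SensorEnrichmentConfig config, FunctionResolver functionResolver, Context stellarContext) {
    LOG.trace("Received joined messages: {}", ret);
    if (isAlert(ret)) {
        // downstream consumers read this back through ConversionUtils, hence a string rather than a Boolean
        ret.put("is_alert", "true");
        triageAlert(ret, config, functionResolver, stellarContext);
    }
    return ret;
}

/**
 * Decides whether the message is an alert, from an explicit {@code is_alert} field
 * if present, otherwise from the presence of any threat intel hit.
 * Removes {@code is_alert} from the message when it is present but not true.
 */
private static boolean isAlert(JSONObject ret) {
    if (!ret.containsKey("is_alert")) {
        // no explicit flag: any threat intel enrichment (other than its '.ts' timestamp field) makes this an alert
        for (Object key : ret.keySet()) {
            // String.valueOf tolerates a null key, which JSONObject (a HashMap) permits
            String name = String.valueOf(key);
            if (name.startsWith("threatintels") && !name.endsWith(".ts")) {
                return true;
            }
        }
        return false;
    }
    Object isAlertObj = ret.get("is_alert");
    Boolean flag = ConversionUtils.convert(isAlertObj, Boolean.class);
    if (flag == null) {
        // NOTE(review): assumes convert() reports an unconvertible value as null — confirm; the value
        // comes from the message itself, so a malformed flag must not take the topology down
        LOG.warn("Unable to interpret 'is_alert' value '{}' as a boolean; treating message as not an alert", isAlertObj);
    }
    if (flag == null || !flag) {
        // drop a false or unusable flag so nothing downstream mistakes it for an alert marker
        ret.remove("is_alert");
        return false;
    }
    return true;
}

/**
 * Runs the threat triage rules for an alert and attaches the score to the message
 * when at least one rule fired. Does nothing (beyond debug logging) when no sensor
 * enrichment config or no triage config is available.
 */
private static void triageAlert(JSONObject ret, SensorEnrichmentConfig config, FunctionResolver functionResolver, Context stellarContext) {
    String sourceType = MessageUtils.getSensorType(ret);
    ThreatTriageConfig triageConfig = null;
    if (config != null) {
        triageConfig = config.getThreatIntel().getTriageConfig();
        LOG.debug("{}: Found sensor enrichment config.", sourceType);
    } else {
        LOG.debug("{}: Unable to find threat config.", sourceType);
    }
    if (triageConfig == null) {
        LOG.debug("{}: Unable to find threat triage config!", sourceType);
        return;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("{}: Found threat triage config: {}", sourceType, triageConfig);
        if (triageConfig.getRiskLevelRules() == null || triageConfig.getRiskLevelRules().isEmpty()) {
            LOG.debug("{}: Empty rules!", sourceType);
        }
    }
    // triage the threat
    ThreatTriageProcessor threatTriageProcessor = new ThreatTriageProcessor(config, functionResolver, stellarContext);
    ThreatScore score = threatTriageProcessor.apply(ret);
    if (LOG.isDebugEnabled()) {
        // guarded: Joiner rejects a null iterable, and the rules may legitimately be absent (logged above)
        String rules = triageConfig.getRiskLevelRules() == null ? "" : Joiner.on('\n').join(triageConfig.getRiskLevelRules());
        LOG.debug("Marked {} as triage level {} with rules {}", sourceType, score.getScore(), rules);
    }
    // attach the triage threat score to the message only when some rule actually fired
    if (!score.getRuleScores().isEmpty()) {
        appendThreatScore(score, ret);
    }
}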