use of org.apache.metron.common.configuration.enrichment.threatintel.ThreatScore in project metron by apache.
the class ThreatTriageProcessor method apply.
/**
 * Scores a message against the configured risk-level rules.
 *
 * Every rule whose Stellar predicate holds for the message contributes a
 * {@link RuleScore} (the rule plus its evaluated reason) to the returned
 * {@link ThreatScore}; the matched rules' scores are then folded into a
 * single aggregate by the configured aggregator. Both the predicate and the
 * reason are Stellar expressions taken from the triage configuration; the
 * message only supplies variable values to them through the resolver.
 *
 * @param input the message fields, exposed to the rules as variables together
 *              with the sensor and threat-intel configuration; a null value is
 *              handed straight to the resolver (whether the resolver tolerates
 *              that is not visible here)
 * @return the rule scores that applied, with their aggregate score set
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map input) {
    ThreatScore result = new ThreatScore();
    StellarPredicateProcessor predicates = new StellarPredicateProcessor();
    StellarProcessor expressions = new StellarProcessor();
    VariableResolver variables = new MapVariableResolver(
            input, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());

    for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
        // a rule only contributes when its predicate holds for this message
        boolean matched = predicates.parse(rule.getRule(), variables, functionResolver, context);
        if (!matched) {
            continue;
        }
        // the reason is itself an expression, evaluated against the same variables
        String reason = execute(rule.getReason(), expressions, variables, String.class);
        result.addRuleScore(new RuleScore(rule, reason));
    }

    // fold the matched rules' individual scores into one aggregate
    Aggregators aggregator = threatTriageConfig.getAggregator();
    List<Number> matchedScores = result.getRuleScores().stream()
            .map(ruleScore -> ruleScore.getRule().getScore())
            .collect(Collectors.toList());
    Double aggregate = aggregator.aggregate(matchedScores, threatTriageConfig.getAggregationConfig());
    result.setScore(aggregate);
    return result;
}
use of org.apache.metron.common.configuration.enrichment.threatintel.ThreatScore in project metron by apache.
the class ThreatTriageTest method testThreatScoreWithMultipleRules.
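/**
 * Each individual rule that was applied when scoring a threat should
 * be captured in the overall threat score: for this message rules 1 and 2
 * must match, each exactly once, and nothing else.
 *
 * @throws Exception if the processor cannot be built from the smoke-test configuration
 */
@Test
public void testThreatScoreWithMultipleRules() throws Exception {
    // a plain map rather than double-brace initialisation, which would create an
    // anonymous HashMap subclass that captures the enclosing test instance
    Map<Object, Object> message = new HashMap<>();
    message.put("user.type", "admin");
    message.put("asset.type", "web");

    ThreatScore score = getProcessor(smokeTestProcessorConfig).apply(message);

    // expect rules 1 and 2 to have been applied; checking each name's count
    // (not just membership) also rejects a duplicate of one rule standing in for the other
    List<String> expectedNames = ImmutableList.of("rule 1", "rule 2");
    Assert.assertEquals(expectedNames.size(), score.getRuleScores().size());
    for (String expected : expectedNames) {
        long applied = score.getRuleScores().stream()
                .filter(ruleScore -> expected.equals(ruleScore.getRule().getName()))
                .count();
        Assert.assertEquals("rule '" + expected + "' should be applied exactly once", 1L, applied);
    }
}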