Use of org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig in the Apache Metron project:
class ThreatIntelJoinBoltTest, method test.
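/**
 * Drives a {@link ThreatIntelJoinBolt} against the sample sensor enrichment config, optionally
 * layering a threat triage config on top, and checks the joined output for the three sample
 * messages ({@code message}, {@code messageWithTiming}, {@code alertMessage}).
 *
 * @param threatTriageConfig JSON for a {@code ThreatTriageConfig}, or {@code null} to run
 *                           without triage
 * @param badConfig          when {@code true}, {@code threatTriageConfig} is expected to fail to
 *                           parse with a {@code JsonMappingException}
 * @throws IOException if the sample enrichment config cannot be read, or if a config that was
 *                     expected to parse does not
 */
public void test(String threatTriageConfig, boolean badConfig) throws IOException {
  ThreatIntelJoinBolt threatIntelJoinBolt = new ThreatIntelJoinBolt("zookeeperUrl");
  threatIntelJoinBolt.setCuratorFramework(client);
  threatIntelJoinBolt.setZKCache(cache);
  // try-with-resources: the stream was previously never closed.
  SensorEnrichmentConfig enrichmentConfig;
  try (FileInputStream configStream = new FileInputStream(sampleSensorEnrichmentConfigPath)) {
    enrichmentConfig = JSONUtils.INSTANCE.load(configStream, SensorEnrichmentConfig.class);
  }
  boolean withThreatTriage = threatTriageConfig != null;
  if (withThreatTriage) {
    try {
      enrichmentConfig.getThreatIntel()
          .setTriageConfig(JSONUtils.INSTANCE.load(threatTriageConfig, ThreatTriageConfig.class));
      if (badConfig) {
        // Assert.fail throws AssertionError, which the catch below does not intercept.
        Assert.fail(threatTriageConfig + "\nThis should not parse!");
      }
    } catch (JsonMappingException pe) {
      // A parse failure is the expected outcome only for a deliberately bad config.
      if (!badConfig) {
        throw pe;
      }
    }
  }
  threatIntelJoinBolt.getConfigurations().updateSensorEnrichmentConfig(sensorType, enrichmentConfig);
  HashMap<String, Object> globalConfig = new HashMap<>();
  String baseDir = UnitTestHelper.findDir("GeoLite");
  File geoHdfsFile = new File(new File(baseDir), "GeoIP2-City-Test.mmdb.gz");
  globalConfig.put(GeoLiteDatabase.GEO_HDFS_FILE, geoHdfsFile.getAbsolutePath());
  threatIntelJoinBolt.getConfigurations().updateGlobalConfig(globalConfig);
  threatIntelJoinBolt.withMaxCacheSize(100);
  threatIntelJoinBolt.withMaxTimeRetain(10000);
  threatIntelJoinBolt.prepare(new HashMap<>(), topologyContext, outputCollector);

  // An unknown sensor type yields no field map; the configured one exposes the hbase enrichment.
  Map<String, Object> fieldMap = threatIntelJoinBolt.getFieldMap("incorrectSourceType");
  Assert.assertNull(fieldMap);
  fieldMap = threatIntelJoinBolt.getFieldMap(sensorType);
  Assert.assertTrue(fieldMap.containsKey("hbaseThreatIntel"));

  MessageGetStrategy messageGetStrategy = mock(MessageGetStrategy.class);
  Tuple messageTuple = mock(Tuple.class);
  Map<String, Tuple> streamMessageMap = new HashMap<>();
  streamMessageMap.put("message", messageTuple);

  // Neither plain message is flagged as an alert.
  when(messageGetStrategy.get(messageTuple)).thenReturn(message);
  JSONObject joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
  assertFalse(joinedMessage.containsKey("is_alert"));
  when(messageGetStrategy.get(messageTuple)).thenReturn(messageWithTiming);
  joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
  assertFalse(joinedMessage.containsKey("is_alert"));

  // The alert message is flagged with the literal string "true".
  when(messageGetStrategy.get(messageTuple)).thenReturn(alertMessage);
  joinedMessage = threatIntelJoinBolt.joinMessages(streamMessageMap, messageGetStrategy);
  assertTrue(joinedMessage.containsKey("is_alert") && "true".equals(joinedMessage.get("is_alert")));

  // Only a valid triage config produces a score (10 for the sample config).
  if (withThreatTriage && !badConfig) {
    assertTrue(joinedMessage.containsKey("threat.triage.score"));
    Double score = (Double) joinedMessage.get("threat.triage.score");
    assertTrue(Math.abs(10d - score) < 1e-10);
  } else {
    assertFalse(joinedMessage.containsKey("threat.triage.score"));
  }
}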
Use of org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig in the Apache Metron project:
class ThreatIntelUtils, method triage.
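/**
 * Decides whether a joined message is an alert and, when a threat triage config is available for
 * its sensor, scores the message and attaches the triage score to it.
 *
 * <p>A message is an alert if it carries a truthy {@code is_alert} field, or, absent that field,
 * if it carries any {@code threatintels...} enrichment key other than a {@code .ts} timestamp.
 * Alerts have {@code is_alert} normalised to the string {@code "true"}; a present-but-falsy
 * {@code is_alert} is removed.
 *
 * @param ret              the joined message; mutated in place and also returned
 * @param config           sensor enrichment config holding the triage config, may be {@code null}
 * @param functionResolver Stellar function resolver handed to the triage processor
 * @param stellarContext   Stellar context handed to the triage processor
 * @return {@code ret}, possibly with {@code is_alert} and a triage score attached
 */
public static JSONObject triage(JSONObject ret, SensorEnrichmentConfig config, FunctionResolver functionResolver, Context stellarContext) {
  LOG.trace("Received joined messages: {}", ret);
  boolean isAlert = ret.containsKey("is_alert");
  if (!isAlert) {
    // No explicit flag: any threat-intel hit that is not a timestamp key makes this an alert.
    for (Object key : ret.keySet()) {
      String keyName = key.toString();
      if (keyName.startsWith("threatintels") && !keyName.endsWith(".ts")) {
        isAlert = true;
        break;
      }
    }
  } else {
    // The flag value comes from the message itself, so it is coerced rather than trusted as-is.
    // NOTE(review): a null from convert() would NPE on unboxing here — confirm it cannot return null.
    Object isAlertObj = ret.get("is_alert");
    isAlert = ConversionUtils.convert(isAlertObj, Boolean.class);
    if (!isAlert) {
      ret.remove("is_alert");
    }
  }
  if (isAlert) {
    // Downstream consumers compare against the literal string "true" (see the join bolt test).
    ret.put("is_alert", "true");
    String sourceType = MessageUtils.getSensorType(ret);
    ThreatTriageConfig triageConfig = null;
    if (config != null) {
      triageConfig = config.getThreatIntel().getTriageConfig();
      LOG.debug("{}: Found sensor enrichment config.", sourceType);
    } else {
      LOG.debug("{}: Unable to find threat config.", sourceType);
    }
    if (triageConfig != null) {
      LOG.debug("{}: Found threat triage config: {}", sourceType, triageConfig);
      boolean noRules = triageConfig.getRiskLevelRules() == null || triageConfig.getRiskLevelRules().isEmpty();
      if (noRules) {
        LOG.debug("{}: Empty rules!", sourceType);
      }
      // triage the threat
      ThreatTriageProcessor threatTriageProcessor = new ThreatTriageProcessor(config, functionResolver, stellarContext);
      ThreatScore score = threatTriageProcessor.apply(ret);
      if (LOG.isDebugEnabled()) {
        // Guarded: joining a null rule list would throw, turning a debug log line into a failure.
        String rules = triageConfig.getRiskLevelRules() == null
            ? "<none>"
            : Joiner.on('\n').join(triageConfig.getRiskLevelRules());
        LOG.debug("Marked {} as triage level {} with rules {}", sourceType, score.getScore(), rules);
      }
      // attach the triage threat score to the message only when at least one rule fired
      if (!score.getRuleScores().isEmpty()) {
        appendThreatScore(score, ret);
      }
    } else {
      LOG.debug("{}: Unable to find threat triage config!", sourceType);
    }
  }
  return ret;
}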