
Example 1 with StellarPredicateProcessor

Use of org.apache.metron.stellar.common.StellarPredicateProcessor in the project metron by apache.

The class TransformFilterExtractorDecorator, method initialize.

/**
 * Reads the optional transform, filter and state settings from {@code config},
 * then builds the ZooKeeper client, global config and Stellar context that the
 * two processors created at the end evaluate against.
 *
 * <p>Every key is optional: an absent key leaves the matching field untouched.
 * {@code STATE_UPDATE} and {@code STATE_INIT} mark the extractor STATEFUL,
 * {@code STATE_MERGE} marks it MERGEABLE.
 *
 * @param config extractor configuration keyed by the {@code *_TRANSFORM},
 *               {@code *_FILTER}, {@code STATE_*} and {@code ZK_QUORUM} names
 */
@Override
public void initialize(Map<String, Object> config) {
    super.initialize(config);

    // Stellar transforms applied to the value and the indicator.
    if (VALUE_TRANSFORM.existsIn(config)) {
        valueTransforms = getTransforms(config, VALUE_TRANSFORM.toString());
    }
    if (INDICATOR_TRANSFORM.existsIn(config)) {
        indicatorTransforms = getTransforms(config, INDICATOR_TRANSFORM.toString());
    }

    // Stellar predicates deciding whether the value / indicator is kept.
    if (VALUE_FILTER.existsIn(config)) {
        valueFilter = getFilter(config, VALUE_FILTER.toString());
    }
    if (INDICATOR_FILTER.existsIn(config)) {
        indicatorFilter = getFilter(config, INDICATOR_FILTER.toString());
    }

    // State handling: presence of a key widens the advertised capabilities.
    if (STATE_UPDATE.existsIn(config)) {
        capabilities.add(ExtractorCapabilities.STATEFUL);
        stateUpdate = getTransforms(config, STATE_UPDATE.toString());
    }
    if (STATE_INIT.existsIn(config)) {
        // STATE_INIT only flags the extractor as stateful; no expression is read here.
        capabilities.add(ExtractorCapabilities.STATEFUL);
    }
    if (STATE_MERGE.existsIn(config)) {
        capabilities.add(ExtractorCapabilities.MERGEABLE);
        stateMerge = getFilter(config, STATE_MERGE.toString());
    }

    // An empty quorum string is passed through when ZK_QUORUM is absent;
    // how setupClient treats it is defined outside this method.
    String quorum = ZK_QUORUM.existsIn(config)
            ? ConversionUtils.convert(config.get(ZK_QUORUM.toString()), String.class)
            : "";
    zkClient = setupClient(zkClient, quorum);
    globalConfig = getGlobalConfig(zkClient);
    stellarContext = createContext(zkClient);
    StellarFunctions.initialize(stellarContext);

    transformProcessor = new StellarProcessor();
    filterProcessor = new StellarPredicateProcessor();
}

Example 2 with StellarPredicateProcessor

Use of org.apache.metron.stellar.common.StellarPredicateProcessor in the project metron by apache.

The class ThreatTriageConfig, method setRiskLevelRules.

/**
 * Replaces the configured risk level rules with a validated, de-duplicated copy.
 *
 * <p>Rules keep their original order; a later rule whose rule text equals an
 * earlier one's is dropped. Each surviving rule's predicate and, when present,
 * its reason expression are run through the Stellar validators before the list
 * is installed.
 *
 * @param riskLevelRules rules to install; each needs a non-null rule and score
 * @throws IllegalStateException if a rule lacks its rule text or its score
 */
public void setRiskLevelRules(List<RiskLevelRule> riskLevelRules) {
    List<RiskLevelRule> accepted = new ArrayList<>();
    Set<String> seenRuleText = new HashSet<>();
    StellarPredicateProcessor predicateValidator = new StellarPredicateProcessor();
    StellarProcessor reasonValidator = new StellarProcessor();
    for (RiskLevelRule candidate : riskLevelRules) {
        if (candidate.getRule() == null || candidate.getScore() == null) {
            throw new IllegalStateException("Risk level rules must contain both a rule and a score.");
        }
        // Set.add reports whether this rule text is new; repeats are skipped silently.
        if (!seenRuleText.add(candidate.getRule())) {
            continue;
        }
        // NOTE(review): the boolean results of validate() are discarded, so rejection
        // of a malformed expression relies on validate() throwing; the test helper
        // elsewhere on this page checks the boolean instead — confirm the contract.
        predicateValidator.validate(candidate.getRule());
        if (candidate.getReason() != null) {
            reasonValidator.validate(candidate.getReason());
        }
        accepted.add(candidate);
    }
    this.riskLevelRules = accepted;
}

Example 3 with StellarPredicateProcessor

Use of org.apache.metron.stellar.common.StellarPredicateProcessor in the project metron by apache.

The class RemoveTransformation, method map.

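/**
 * Maps every output field to {@code null} when the configured condition holds.
 *
 * <p>The condition is read from {@code fieldMappingConfig} and evaluated as a
 * Stellar predicate over {@code input}. When it is true the result maps each
 * name in {@code outputFields} to {@code null}; otherwise {@code null} is
 * returned, exactly as before.
 *
 * @param input              message fields the predicate is evaluated against
 * @param outputFields       fields whose values are nulled out
 * @param fieldMappingConfig transformation config the condition is read from
 * @param context            Stellar context handed to the predicate
 * @param sensorConfig       not read by this transformation
 * @return a map of {@code outputFields} to {@code null}, or {@code null} when
 *         the condition is false
 */
@Override
public Map<String, Object> map(Map<String, Object> input, final List<String> outputFields, LinkedHashMap<String, Object> fieldMappingConfig, Context context, Map<String, Object>... sensorConfig) {
    String condition = getCondition(fieldMappingConfig);
    StellarPredicateProcessor processor = getPredicateProcessor(condition);
    if (!processor.parse(condition, new MapVariableResolver(input), StellarFunctions.FUNCTION_RESOLVER(), context)) {
        return null;
    }
    // A plain HashMap replaces the former anonymous double-brace subclass: that
    // subclass captured a reference to this RemoveTransformation (kept alive as
    // long as the returned map was) and was a distinct class per call site,
    // which breaks serialization and equals() expectations for callers.
    Map<String, Object> removed = new HashMap<>();
    for (String outputField : outputFields) {
        removed.put(outputField, null);
    }
    return removed;
}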

Example 4 with StellarPredicateProcessor

Use of org.apache.metron.stellar.common.StellarPredicateProcessor in the project metron by apache.

The class ThreatTriageProcessor, method apply.

/**
 * Scores {@code input} against every configured risk level rule.
 *
 * <p>Each rule whose Stellar predicate evaluates to true contributes a
 * {@link RuleScore} (its reason expression evaluated to a String). The rule
 * scores are then folded into a single aggregate value by the configured
 * aggregator and recorded on the returned {@link ThreatScore}.
 *
 * @param input message to triage; resolved together with the sensor and
 *              threat-intel configurations
 * @return the per-rule scores plus the aggregate score; although declared
 *         {@code @Nullable}, this implementation always returns a new instance
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map input) {
    ThreatScore result = new ThreatScore();
    StellarPredicateProcessor ruleEvaluator = new StellarPredicateProcessor();
    StellarProcessor reasonEvaluator = new StellarProcessor();
    VariableResolver variables = new MapVariableResolver(input, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());
    for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
        boolean fired = ruleEvaluator.parse(rule.getRule(), variables, functionResolver, context);
        if (!fired) {
            continue;
        }
        // the rule matched: evaluate its reason and record the score
        String reason = execute(rule.getReason(), reasonEvaluator, variables, String.class);
        result.addRuleScore(new RuleScore(rule, reason));
    }
    // fold the individual rule scores into one aggregate number
    List<Number> ruleScores = result.getRuleScores()
            .stream()
            .map(ruleScore -> ruleScore.getRule().getScore())
            .collect(Collectors.toList());
    Aggregators aggregator = threatTriageConfig.getAggregator();
    result.setScore(aggregator.aggregate(ruleScores, threatTriageConfig.getAggregationConfig()));
    return result;
}

Example 5 with StellarPredicateProcessor

Use of org.apache.metron.stellar.common.StellarPredicateProcessor in the project metron by apache.

The class StellarProcessorUtils, method runPredicate.

/**
 * Test helper: asserts that {@code rule} is a valid Stellar predicate, then evaluates it.
 *
 * @param rule     Stellar predicate expression
 * @param resolver variables the predicate may reference
 * @param context  Stellar context used for evaluation
 * @return the predicate's boolean result
 * @throws AssertionError if {@code rule} fails validation
 */
public static boolean runPredicate(String rule, VariableResolver resolver, Context context) {
    StellarPredicateProcessor predicate = new StellarPredicateProcessor();
    boolean valid = predicate.validate(rule);
    Assert.assertTrue(rule + " not valid.", valid);
    return predicate.parse(rule, resolver, StellarFunctions.FUNCTION_RESOLVER(), context);
}
