Examples with StellarPredicateProcessor org.apache.metron.stellar.common.StellarPredicateProcessor used on opensource projects

Example 1 with StellarPredicateProcessor

use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.

the class TransformFilterExtractorDecorator method initialize.

@Override
public void initialize(Map<String, Object> config) {
    super.initialize(config);
    if (VALUE_TRANSFORM.existsIn(config)) {
        this.valueTransforms = getTransforms(config, VALUE_TRANSFORM.toString());
    }
    if (INDICATOR_TRANSFORM.existsIn(config)) {
        this.indicatorTransforms = getTransforms(config, INDICATOR_TRANSFORM.toString());
    }
    if (VALUE_FILTER.existsIn(config)) {
        this.valueFilter = getFilter(config, VALUE_FILTER.toString());
    }
    if (INDICATOR_FILTER.existsIn(config)) {
        this.indicatorFilter = getFilter(config, INDICATOR_FILTER.toString());
    }
    if (STATE_UPDATE.existsIn(config)) {
        capabilities.add(ExtractorCapabilities.STATEFUL);
        this.stateUpdate = getTransforms(config, STATE_UPDATE.toString());
    }
    if (STATE_INIT.existsIn(config)) {
        capabilities.add(ExtractorCapabilities.STATEFUL);
    }
    if (STATE_MERGE.existsIn(config)) {
        capabilities.add(ExtractorCapabilities.MERGEABLE);
        this.stateMerge = getFilter(config, STATE_MERGE.toString());
    }
    String zkClientUrl = "";
    if (ZK_QUORUM.existsIn(config)) {
        zkClientUrl = ConversionUtils.convert(config.get(ZK_QUORUM.toString()), String.class);
    }
    zkClient = setupClient(zkClient, zkClientUrl);
    this.globalConfig = getGlobalConfig(zkClient);
    this.stellarContext = createContext(zkClient);
    StellarFunctions.initialize(stellarContext);
    this.transformProcessor = new StellarProcessor();
    this.filterProcessor = new StellarPredicateProcessor();
}

Example 2 with StellarPredicateProcessor

use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.

the class ThreatTriageConfig method setRiskLevelRules.

public void setRiskLevelRules(List<RiskLevelRule> riskLevelRules) {
    List<RiskLevelRule> rules = new ArrayList<>();
    Set<String> ruleIndex = new HashSet<>();
    StellarPredicateProcessor predicateProcessor = new StellarPredicateProcessor();
    StellarProcessor processor = new StellarProcessor();
    for (RiskLevelRule rule : riskLevelRules) {
        if (rule.getRule() == null || rule.getScore() == null) {
            throw new IllegalStateException("Risk level rules must contain both a rule and a score.");
        }
        if (ruleIndex.contains(rule.getRule())) {
            continue;
        } else {
            ruleIndex.add(rule.getRule());
        }
        // validate the fields which are expected to be valid Stellar expressions
        predicateProcessor.validate(rule.getRule());
        if (rule.getReason() != null) {
            processor.validate(rule.getReason());
        }
        rules.add(rule);
    }
    this.riskLevelRules = rules;
}

Example 3 with StellarPredicateProcessor

use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.

the class RemoveTransformation method map.

@Override
public Map<String, Object> map(Map<String, Object> input, final List<String> outputFields, LinkedHashMap<String, Object> fieldMappingConfig, Context context, Map<String, Object>... sensorConfig) {
    String condition = getCondition(fieldMappingConfig);
    StellarPredicateProcessor processor = getPredicateProcessor(condition);
    if (processor.parse(condition, new MapVariableResolver(input), StellarFunctions.FUNCTION_RESOLVER(), context)) {
        return new HashMap<String, Object>() {

            {
                for (String outputField : outputFields) {
                    put(outputField, null);
                }
            }
        };
    }
    return null;
}

Example 4 with StellarPredicateProcessor

use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.

the class ThreatTriageProcessor method apply.

@Nullable
@Override
public ThreatScore apply(@Nullable Map input) {
    ThreatScore threatScore = new ThreatScore();
    StellarPredicateProcessor predicateProcessor = new StellarPredicateProcessor();
    StellarProcessor processor = new StellarProcessor();
    VariableResolver resolver = new MapVariableResolver(input, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());
    // attempt to apply each rule to the threat
    for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
        if (predicateProcessor.parse(rule.getRule(), resolver, functionResolver, context)) {
            // add the rule's score to the overall threat score
            String reason = execute(rule.getReason(), processor, resolver, String.class);
            RuleScore score = new RuleScore(rule, reason);
            threatScore.addRuleScore(score);
        }
    }
    // calculate the aggregate threat score
    Aggregators aggregators = threatTriageConfig.getAggregator();
    List<Number> allScores = threatScore.getRuleScores().stream().map(score -> score.getRule().getScore()).collect(Collectors.toList());
    Double aggregateScore = aggregators.aggregate(allScores, threatTriageConfig.getAggregationConfig());
    threatScore.setScore(aggregateScore);
    return threatScore;
}

Example 5 with StellarPredicateProcessor

use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.

the class StellarProcessorUtils method runPredicate.

public static boolean runPredicate(String rule, VariableResolver resolver, Context context) {
    StellarPredicateProcessor processor = new StellarPredicateProcessor();
    Assert.assertTrue(rule + " not valid.", processor.validate(rule));
    return processor.parse(rule, resolver, StellarFunctions.FUNCTION_RESOLVER(), context);
}