Use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.
The class TransformFilterExtractorDecorator, method initialize.
@Override
public void initialize(Map<String, Object> config) {
  // Base-class setup runs first; everything below layers the optional
  // transform/filter configuration on top of it.
  super.initialize(config);

  // Each Stellar transform or filter is only parsed when its key is present;
  // absent keys leave the corresponding field untouched.
  if (VALUE_TRANSFORM.existsIn(config)) {
    String key = VALUE_TRANSFORM.toString();
    valueTransforms = getTransforms(config, key);
  }
  if (INDICATOR_TRANSFORM.existsIn(config)) {
    String key = INDICATOR_TRANSFORM.toString();
    indicatorTransforms = getTransforms(config, key);
  }
  if (VALUE_FILTER.existsIn(config)) {
    String key = VALUE_FILTER.toString();
    valueFilter = getFilter(config, key);
  }
  if (INDICATOR_FILTER.existsIn(config)) {
    String key = INDICATOR_FILTER.toString();
    indicatorFilter = getFilter(config, key);
  }

  // State handling: STATE_UPDATE and STATE_INIT both mark the extractor as
  // STATEFUL; STATE_MERGE marks it MERGEABLE. Only STATE_UPDATE and
  // STATE_MERGE assign a field here — STATE_INIT is presumably consumed
  // elsewhere in the class (TODO confirm).
  if (STATE_UPDATE.existsIn(config)) {
    capabilities.add(ExtractorCapabilities.STATEFUL);
    stateUpdate = getTransforms(config, STATE_UPDATE.toString());
  }
  if (STATE_INIT.existsIn(config)) {
    capabilities.add(ExtractorCapabilities.STATEFUL);
  }
  if (STATE_MERGE.existsIn(config)) {
    capabilities.add(ExtractorCapabilities.MERGEABLE);
    stateMerge = getFilter(config, STATE_MERGE.toString());
  }

  // ZooKeeper quorum is optional; an empty URL is handed to setupClient,
  // which is assumed to cope with it (and with an already-initialised client) — confirm.
  String zkClientUrl = ZK_QUORUM.existsIn(config)
      ? ConversionUtils.convert(config.get(ZK_QUORUM.toString()), String.class)
      : "";
  zkClient = setupClient(zkClient, zkClientUrl);

  // Global config and the Stellar context both derive from the ZK client,
  // so they must be created after it; the function registry is initialised
  // with that context before any processor is built.
  globalConfig = getGlobalConfig(zkClient);
  stellarContext = createContext(zkClient);
  StellarFunctions.initialize(stellarContext);
  transformProcessor = new StellarProcessor();
  filterProcessor = new StellarPredicateProcessor();
}
Use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.
The class ThreatTriageConfig, method setRiskLevelRules.
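/**
 * Replaces the risk level rules with a validated, de-duplicated copy of the given list.
 *
 * <p>Every rule must carry both a rule expression and a score. Rules whose
 * expression text has already been seen are dropped (first occurrence wins).
 * The rule expression and, when present, the reason expression are checked
 * with the Stellar processors before the rule is accepted.
 *
 * @param riskLevelRules the candidate rules; must not be {@code null}
 * @throws IllegalStateException if a rule is missing its expression or its score
 */
public void setRiskLevelRules(List<RiskLevelRule> riskLevelRules) {
  List<RiskLevelRule> rules = new ArrayList<>();
  Set<String> ruleIndex = new HashSet<>();
  StellarPredicateProcessor predicateProcessor = new StellarPredicateProcessor();
  StellarProcessor processor = new StellarProcessor();
  for (RiskLevelRule rule : riskLevelRules) {
    if (rule.getRule() == null || rule.getScore() == null) {
      throw new IllegalStateException("Risk level rules must contain both a rule and a score.");
    }
    // Set.add reports whether the expression text was already present, which
    // replaces the separate contains()/add() pair; later duplicates are skipped.
    if (!ruleIndex.add(rule.getRule())) {
      continue;
    }
    // validate the fields which are expected to be valid Stellar expressions.
    // The boolean result of validate is discarded, so this relies on the
    // one-argument overload throwing on an invalid expression — confirm
    // against StellarPredicateProcessor/StellarProcessor.
    predicateProcessor.validate(rule.getRule());
    if (rule.getReason() != null) {
      processor.validate(rule.getReason());
    }
    rules.add(rule);
  }
  this.riskLevelRules = rules;
}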
Use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.
The class RemoveTransformation, method map.
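/**
 * Evaluates the configured condition against the input and, when it holds,
 * returns a map that maps every output field to {@code null}.
 *
 * <p>Returns {@code null} when the condition is false; that value is part of
 * the existing contract and is kept for callers that check for it.
 *
 * @param input              the message fields the condition is evaluated against
 * @param outputFields       the fields to be nulled out when the condition holds
 * @param fieldMappingConfig the mapping config the condition is read from
 * @param context            the Stellar context used for evaluation
 * @param sensorConfig       unused here; retained for the interface signature
 * @return a map of each output field to {@code null}, or {@code null} if the condition is false
 */
@Override
public Map<String, Object> map(Map<String, Object> input, final List<String> outputFields, LinkedHashMap<String, Object> fieldMappingConfig, Context context, Map<String, Object>... sensorConfig) {
  String condition = getCondition(fieldMappingConfig);
  StellarPredicateProcessor processor = getPredicateProcessor(condition);
  boolean conditionHolds = processor.parse(condition, new MapVariableResolver(input), StellarFunctions.FUNCTION_RESOLVER(), context);
  if (!conditionHolds) {
    return null;
  }
  // A plain HashMap replaces the original double-brace initializer, which
  // created an anonymous HashMap subclass holding a reference to this
  // transformation (and is not a plain HashMap when serialized or compared by class).
  Map<String, Object> removed = new HashMap<>();
  for (String outputField : outputFields) {
    removed.put(outputField, null);
  }
  return removed;
}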
Use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.
The class ThreatTriageProcessor, method apply.
/**
 * Scores a message against every configured risk level rule and aggregates the
 * scores of the rules that matched.
 *
 * @param input the message fields; resolved together with the sensor and
 *              threat-intel configuration
 * @return the threat score holding one {@code RuleScore} per matched rule plus the aggregate
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map input) {
  ThreatScore result = new ThreatScore();
  StellarPredicateProcessor ruleMatcher = new StellarPredicateProcessor();
  StellarProcessor reasonEvaluator = new StellarProcessor();
  VariableResolver variables = new MapVariableResolver(input, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());

  // A rule contributes only when its predicate evaluates to true; the reason
  // expression is evaluated only for matched rules.
  for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
    boolean matched = ruleMatcher.parse(rule.getRule(), variables, functionResolver, context);
    if (!matched) {
      continue;
    }
    String reason = execute(rule.getReason(), reasonEvaluator, variables, String.class);
    result.addRuleScore(new RuleScore(rule, reason));
  }

  // The aggregate is computed over the scores of the matched rules only.
  Aggregators aggregators = threatTriageConfig.getAggregator();
  List<Number> matchedScores = result.getRuleScores().stream()
      .map(RuleScore::getRule)
      .map(RiskLevelRule::getScore)
      .collect(Collectors.toList());
  Double aggregateScore = aggregators.aggregate(matchedScores, threatTriageConfig.getAggregationConfig());
  result.setScore(aggregateScore);
  return result;
}
Use of org.apache.metron.stellar.common.StellarPredicateProcessor in project metron by apache.
The class StellarProcessorUtils, method runPredicate.
/**
 * Test helper: asserts that {@code rule} is a valid Stellar predicate and then
 * evaluates it with the default function resolver.
 *
 * @param rule     the Stellar predicate to evaluate
 * @param resolver supplies variable values to the expression
 * @param context  the Stellar context for evaluation
 * @return the predicate's boolean result
 */
public static boolean runPredicate(String rule, VariableResolver resolver, Context context) {
  StellarPredicateProcessor predicateProcessor = new StellarPredicateProcessor();
  boolean isValid = predicateProcessor.validate(rule);
  // Fail the test with the offending expression rather than letting parse() report it.
  Assert.assertTrue(rule + " not valid.", isValid);
  return predicateProcessor.parse(rule, resolver, StellarFunctions.FUNCTION_RESOLVER(), context);
}