use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.
the class ThreatTriageFunctionsTest method testAddMultipleWithEngine.
/**
 * Two rules added one at a time through THREAT_TRIAGE_ADD must both end up on the engine.
 * The engine is created by THREAT_TRIAGE_INIT() and handed to the function via the
 * Stellar variable 'engine'.
 */
@Test
public void testAddMultipleWithEngine() {
  ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
  Map<String, Object> scope = new HashMap<>();
  scope.put("engine", engine);
  // each expression registers one named rule on the shared engine
  String[] addExpressions = {
      "THREAT_TRIAGE_ADD(engine, { 'name':'rule1', 'rule':'value < 2', 'score':10 } )",
      "THREAT_TRIAGE_ADD(engine, { 'name':'rule2', 'rule':'value < 4', 'score':10 } )"
  };
  for (String expression : addExpressions) {
    run(expression, scope);
  }
  List<RiskLevelRule> registered = engine.getRiskLevelRules();
  Assert.assertEquals("both rules should be registered on the engine", 2, registered.size());
}
use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.
the class ThreatTriageFunctionsTest method testPrintWithEngine.
/**
 * THREAT_TRIAGE_PRINT on an engine holding two rules must render exactly {@code testPrintExpected}.
 * The rule expressions are pulled from the shell via SHELL_GET_EXPRESSION so the test does not
 * depend on the exact text of the 'less'/'greater' expressions.
 */
@Test
public void testPrintWithEngine() {
  ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
  Map<String, Object> scope = new HashMap<>();
  scope.put("engine", engine);
  // one THREAT_TRIAGE_ADD call carrying a list of two rules; only the first has a 'reason'
  String addBoth = "THREAT_TRIAGE_ADD(engine, [ "
      + "{ 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10, 'reason' : '2 + 2' }, "
      + "{ 'rule' : SHELL_GET_EXPRESSION('greater'), 'score' : 20 } ] )";
  run(addBoth, scope);
  String rendered = (String) run("THREAT_TRIAGE_PRINT(engine)", scope);
  Assert.assertEquals(testPrintExpected, rendered);
}
use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.
the class ThreatTriageFunctionsTest method testAddEmptyWithEngine.
/**
 * THREAT_TRIAGE_ADD on a freshly initialised engine must both return the updated configuration
 * as JSON and mutate the engine's own sensor config. (Despite the name, this adds one rule to an
 * empty engine rather than adding an empty rule.)
 */
@Test
public void testAddEmptyWithEngine() {
  ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
  Map<String, Object> scope = new HashMap<>();
  scope.put("engine", engine);
  String returnedJson = (String) run("THREAT_TRIAGE_ADD(engine, {'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 } )", scope);
  // the function's return value is the serialized configuration with the new rule in it
  List<RiskLevelRule> fromJson = getTriageRules(returnedJson);
  Assert.assertEquals("returned config should hold the added rule", 1, fromJson.size());
  // and the engine itself was updated in place, not just a copy
  int onEngine = engine.getSensorConfig().getThreatIntel().getTriageConfig().getRiskLevelRules().size();
  Assert.assertEquals("engine config should hold the added rule", 1, onEngine);
}
use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.
the class ThreatIntelUtils method triage.
/**
 * Scores a joined enrichment message against the sensor's threat triage rules.
 *
 * A message is treated as an alert when it carries a truthy 'is_alert' field, or, when that
 * field is absent, when any key starts with "threatintels" and does not end in ".ts". A
 * present-but-false 'is_alert' is removed from the message and no further detection is done.
 * Alerts get 'is_alert' set to the string "true" and, if a triage config is found and at least
 * one rule produced a score, the threat score appended via {@code appendThreatScore}.
 *
 * @param ret the joined message; mutated in place and also returned
 * @param config the sensor enrichment config, may be null (then nothing is scored)
 * @param functionResolver the Stellar function resolver used by the triage processor
 * @param stellarContext the Stellar context used by the triage processor
 * @return the same {@code ret} instance
 */
public static JSONObject triage(JSONObject ret, SensorEnrichmentConfig config, FunctionResolver functionResolver, Context stellarContext) {
  // NOTE(review): this logs the entire message, which can carry raw payload/PII from the wire;
  // keep TRACE disabled outside of debugging sessions.
  LOG.trace("Received joined messages: {}", ret);
  if (!detectAlert(ret)) {
    return ret;
  }
  ret.put("is_alert", "true");
  String sourceType = MessageUtils.getSensorType(ret);
  ThreatTriageConfig triageConfig = lookupTriageConfig(config, sourceType);
  if (triageConfig == null) {
    LOG.debug("{}: Unable to find threat triage config!", sourceType);
    return ret;
  }
  scoreAlert(ret, config, triageConfig, sourceType, functionResolver, stellarContext);
  return ret;
}

/**
 * Decides whether {@code message} is an alert, removing a present-but-false 'is_alert' field.
 * NOTE(review): 'is_alert' is read from the message itself; if a parser allows payload content
 * to populate this field, an upstream sender could suppress triage by setting it false — confirm
 * which parsers can set it.
 */
private static boolean detectAlert(JSONObject message) {
  if (!message.containsKey("is_alert")) {
    // no explicit flag: any threat-intel hit (other than its timestamp field) makes it an alert
    for (Object key : message.keySet()) {
      String name = key.toString();
      if (name.startsWith("threatintels") && !name.endsWith(".ts")) {
        return true;
      }
    }
    return false;
  }
  // explicit flag wins; unboxing here mirrors the original and will NPE if the value cannot be converted
  boolean flagged = ConversionUtils.convert(message.get("is_alert"), Boolean.class);
  if (!flagged) {
    message.remove("is_alert");
  }
  return flagged;
}

/** Returns the triage config for the sensor, or null when there is no enrichment config. */
private static ThreatTriageConfig lookupTriageConfig(SensorEnrichmentConfig config, String sourceType) {
  if (config == null) {
    LOG.debug("{}: Unable to find threat config.", sourceType);
    return null;
  }
  ThreatTriageConfig triageConfig = config.getThreatIntel().getTriageConfig();
  if (LOG.isDebugEnabled()) {
    LOG.debug("{}: Found sensor enrichment config.", sourceType);
  }
  return triageConfig;
}

/** Runs the triage processor over the alert and attaches the score when any rule scored. */
private static void scoreAlert(JSONObject ret, SensorEnrichmentConfig config, ThreatTriageConfig triageConfig, String sourceType, FunctionResolver functionResolver, Context stellarContext) {
  if (LOG.isDebugEnabled()) {
    LOG.debug("{}: Found threat triage config: {}", sourceType, triageConfig);
    if (triageConfig.getRiskLevelRules() == null || triageConfig.getRiskLevelRules().isEmpty()) {
      LOG.debug("{}: Empty rules!", sourceType);
    }
  }
  // a fresh processor per message; the rules are Stellar expressions evaluated against the message
  ThreatTriageProcessor processor = new ThreatTriageProcessor(config, functionResolver, stellarContext);
  ThreatScore score = processor.apply(ret);
  if (LOG.isDebugEnabled()) {
    String rules = Joiner.on('\n').join(triageConfig.getRiskLevelRules());
    LOG.debug("Marked {} as triage level {} with rules {}", sourceType, score.getScore(), rules);
  }
  // only attach a score when at least one rule contributed to it
  if (score.getRuleScores().size() > 0) {
    appendThreatScore(score, ret);
  }
}
use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.
the class ThreatTriageFunctions method getSensorEnrichmentConfig.
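/**
 * Retrieves the sensor enrichment configuration from the function arguments. The manner
 * of retrieving the configuration can differ based on what the user passes in:
 * a {@link String} is treated as the JSON form of the configuration and deserialized,
 * while a {@link ThreatTriageProcessor} yields the configuration the engine already holds.
 *
 * The argument is read from {@code position} in every branch. Previously the type check used
 * {@code position} but the value was then re-read from index 0, so any caller passing a
 * non-zero position silently got the wrong argument.
 *
 * @param args The function arguments.
 * @param position The position from which the configuration will be extracted.
 * @return The sensor enrichment configuration; an empty config if the JSON argument resolves to null.
 * @throws IllegalArgumentException if the argument at {@code position} is neither a String nor a
 *         ThreatTriageProcessor (a missing/null argument reports its type as 'null').
 */
private static SensorEnrichmentConfig getSensorEnrichmentConfig(List<Object> args, int position) {
  Object arg = Util.getArg(position, Object.class, args);
  SensorEnrichmentConfig config = new SensorEnrichmentConfig();
  if (arg instanceof String) {
    // deserialize the configuration from json, reading the same argument that was type-checked
    String json = Util.getArg(position, String.class, args);
    if (json != null) {
      // NOTE(review): the 'rule' fields inside this JSON are Stellar expressions that the triage
      // engine will later evaluate; treat the JSON as trusted configuration, not as user data.
      config = (SensorEnrichmentConfig) ENRICHMENT.deserialize(json);
    }
  } else if (arg instanceof ThreatTriageProcessor) {
    // extract the configuration from the engine
    ThreatTriageProcessor engine = Util.getArg(position, ThreatTriageProcessor.class, args);
    config = engine.getSensorConfig();
  } else {
    // unexpected type (or null)
    throw new IllegalArgumentException(String.format("Unexpected type: got '%s'", ClassUtils.getShortClassName(arg, "null")));
  }
  return config;
}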