
Example 1 with ThreatTriageProcessor

use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.

From class ThreatTriageFunctionsTest, method testAddMultipleWithEngine.

@Test
public void testAddMultipleWithEngine() {
    // THREAT_TRIAGE_INIT() yields the engine; later calls reach it through the 'engine' variable
    ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    Map<String, Object> variables = new HashMap<>();
    variables.put("engine", engine);

    // two separate THREAT_TRIAGE_ADD calls, each registering one rule on the same engine
    String[] addExpressions = {
        "THREAT_TRIAGE_ADD(engine, { 'name':'rule1', 'rule':'value < 2', 'score':10 } )",
        "THREAT_TRIAGE_ADD(engine, { 'name':'rule2', 'rule':'value < 4', 'score':10 } )"
    };
    for (String expression : addExpressions) {
        run(expression, variables);
    }

    // both rules must now be present on the engine
    List<RiskLevelRule> rules = engine.getRiskLevelRules();
    Assert.assertEquals(2, rules.size());
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) HashMap(java.util.HashMap) RiskLevelRule(org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule) Test(org.junit.Test)

Example 2 with ThreatTriageProcessor

use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.

From class ThreatTriageFunctionsTest, method testPrintWithEngine.

@Test
public void testPrintWithEngine() {
    // THREAT_TRIAGE_INIT() yields the engine; later calls reach it through the 'engine' variable
    ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    Map<String, Object> variables = new HashMap<>();
    variables.put("engine", engine);

    // register two rules in a single call; rule expressions are pulled from the shell's stored 'less'/'greater' expressions
    String addExpression = "THREAT_TRIAGE_ADD(engine, [ "
        + "{ 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10, 'reason' : '2 + 2' }, "
        + "{ 'rule' : SHELL_GET_EXPRESSION('greater'), 'score' : 20 } ] )";
    run(addExpression, variables);

    // the printed table must match the expected text exactly
    String printed = (String) run("THREAT_TRIAGE_PRINT(engine)", variables);
    Assert.assertEquals(testPrintExpected, printed);
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) HashMap(java.util.HashMap) Test(org.junit.Test)

Example 3 with ThreatTriageProcessor

use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.

From class ThreatTriageFunctionsTest, method testAddEmptyWithEngine.

@Test
public void testAddEmptyWithEngine() {
    // THREAT_TRIAGE_INIT() yields the engine; later calls reach it through the 'engine' variable
    ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    Map<String, Object> variables = new HashMap<>();
    variables.put("engine", engine);

    // THREAT_TRIAGE_ADD hands back the updated configuration as a JSON string
    Object result = run("THREAT_TRIAGE_ADD(engine, {'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 } )", variables);
    String updatedConfig = (String) result;

    // the returned configuration carries exactly the one rule just added
    List<RiskLevelRule> parsedRules = getTriageRules(updatedConfig);
    Assert.assertEquals(1, parsedRules.size());

    // the engine's own sensor config must reflect the same single rule
    int rulesOnEngine = engine.getSensorConfig().getThreatIntel().getTriageConfig().getRiskLevelRules().size();
    Assert.assertEquals(1, rulesOnEngine);
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) HashMap(java.util.HashMap) RiskLevelRule(org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule) Test(org.junit.Test)

Example 4 with ThreatTriageProcessor

use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.

From class ThreatIntelUtils, method triage.

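/**
 * Triages a joined message: decides whether it is an alert and, if so, scores it with the
 * sensor's threat triage rules and attaches the resulting score to the message.
 * <p>
 * Alert detection is delegated to {@link #resolveIsAlert(JSONObject)}. Note that an explicit
 * {@code is_alert} field in the incoming message takes precedence over threat intel hits: a
 * message carrying {@code is_alert} that does not convert to {@code true} is not triaged even
 * if it has {@code threatintels...} keys, and the field is removed from it.
 * <p>
 * When the message is an alert, {@code is_alert} is rewritten to the string {@code "true"}
 * before triage runs.
 *
 * @param ret The joined message; mutated in place and returned.
 * @param config The sensor enrichment configuration; may be {@code null}, in which case no
 *               triage is performed (only the alert flag is normalized).
 * @param functionResolver Resolver handed to the {@link ThreatTriageProcessor} for rule evaluation.
 * @param stellarContext Stellar context handed to the {@link ThreatTriageProcessor}.
 * @return The same {@code ret} instance, possibly mutated.
 */
public static JSONObject triage(JSONObject ret, SensorEnrichmentConfig config, FunctionResolver functionResolver, Context stellarContext) {
    LOG.trace("Received joined messages: {}", ret);
    if (!resolveIsAlert(ret)) {
        return ret;
    }
    ret.put("is_alert", "true");
    String sourceType = MessageUtils.getSensorType(ret);

    ThreatTriageConfig triageConfig = null;
    if (config != null) {
        triageConfig = config.getThreatIntel().getTriageConfig();
        LOG.debug("{}: Found sensor enrichment config.", sourceType);
    } else {
        LOG.debug("{}: Unable to find threat config.", sourceType);
    }
    if (triageConfig == null) {
        LOG.debug("{}: Unable to find threat triage config!", sourceType);
        return ret;
    }

    LOG.debug("{}: Found threat triage config: {}", sourceType, triageConfig);
    if (LOG.isDebugEnabled() && (triageConfig.getRiskLevelRules() == null || triageConfig.getRiskLevelRules().isEmpty())) {
        LOG.debug("{}: Empty rules!", sourceType);
    }

    // triage the threat
    ThreatTriageProcessor threatTriageProcessor = new ThreatTriageProcessor(config, functionResolver, stellarContext);
    ThreatScore score = threatTriageProcessor.apply(ret);
    if (LOG.isDebugEnabled()) {
        // joining every rule is only worth the work when debug output is actually emitted
        String rules = Joiner.on('\n').join(triageConfig.getRiskLevelRules());
        LOG.debug("Marked {} as triage level {} with rules {}", sourceType, score.getScore(), rules);
    }

    // attach the triage threat score to the message, but only when at least one rule fired
    if (!score.getRuleScores().isEmpty()) {
        appendThreatScore(score, ret);
    }
    return ret;
}

/**
 * Determines whether the message should be treated as an alert.
 * <p>
 * Without an explicit {@code is_alert} field, any {@code threatintels...} key that is not a
 * {@code .ts} timestamp marks the message as an alert. With an explicit field, its converted
 * boolean value decides; a field that does not convert to {@code true} (including a
 * {@code null} conversion result, which previously caused an unboxing NPE) is removed from
 * the message and the message is not an alert.
 *
 * @param ret The joined message; {@code is_alert} may be removed from it.
 * @return {@code true} if the message is an alert.
 */
private static boolean resolveIsAlert(JSONObject ret) {
    if (!ret.containsKey("is_alert")) {
        for (Object key : ret.keySet()) {
            String name = key.toString();
            if (name.startsWith("threatintels") && !name.endsWith(".ts")) {
                return true;
            }
        }
        return false;
    }
    Boolean flag = ConversionUtils.convert(ret.get("is_alert"), Boolean.class);
    boolean isAlert = Boolean.TRUE.equals(flag);
    if (!isAlert) {
        ret.remove("is_alert");
    }
    return isAlert;
}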
Also used : ThreatTriageConfig(org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig) ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) ThreatScore(org.apache.metron.common.configuration.enrichment.threatintel.ThreatScore) JSONObject(org.json.simple.JSONObject)

Example 5 with ThreatTriageProcessor

use of org.apache.metron.threatintel.triage.ThreatTriageProcessor in project metron by apache.

From class ThreatTriageFunctions, method getSensorEnrichmentConfig.

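/**
 * Retrieves the sensor enrichment configuration from the function arguments.  The manner
 * of retrieving the configuration can differ based on what the user passes in: a JSON
 * string is deserialized into a configuration, while a {@link ThreatTriageProcessor}
 * hands back the configuration it already holds.  Every access reads the argument at
 * {@code position}; reading index 0 for the typed value (as was done before) silently
 * returned a different argument whenever {@code position != 0}.
 * @param args The function arguments.
 * @param position The position from which the configuration will be extracted.
 * @return The sensor enrichment configuration; an empty configuration when the JSON
 *         argument resolves to {@code null}.
 * @throws IllegalArgumentException If the argument is neither a String nor a ThreatTriageProcessor.
 */
private static SensorEnrichmentConfig getSensorEnrichmentConfig(List<Object> args, int position) {
    Object arg = Util.getArg(position, Object.class, args);
    if (arg instanceof String) {
        // deserialize the configuration from json; the same position is read again so the
        // value deserialized is the one whose type was just checked
        String json = Util.getArg(position, String.class, args);
        if (json == null) {
            return new SensorEnrichmentConfig();
        }
        return (SensorEnrichmentConfig) ENRICHMENT.deserialize(json);
    }
    if (arg instanceof ThreatTriageProcessor) {
        // extract the configuration from the engine
        ThreatTriageProcessor engine = Util.getArg(position, ThreatTriageProcessor.class, args);
        return engine.getSensorConfig();
    }
    // unexpected type
    throw new IllegalArgumentException(String.format("Unexpected type: got '%s'", ClassUtils.getShortClassName(arg, "null")));
}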
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) JSONObject(org.json.simple.JSONObject) SensorEnrichmentConfig(org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig)
