Class ThreatTriageFunctionsTest, method testTriageInitWithArg.
/**
 * THREAT_TRIAGE_INIT given a configuration argument should build an engine
 * that carries the rules present in that configuration.
 */
@Test
public void testTriageInitWithArg() {
  // start from the base config and attach a single rule to it
  Object withRule = run("THREAT_TRIAGE_ADD(conf, [{ 'rule': 'value > 0', 'score' : 10 } ])", toMap("conf", configStr));
  String ruleConfig = (String) withRule;

  // build the engine from that configuration
  Object initialized = run("THREAT_TRIAGE_INIT(confWithRule)", toMap("confWithRule", ruleConfig));
  Assert.assertNotNull(initialized);
  Assert.assertTrue(initialized instanceof ThreatTriageProcessor);

  // the rule we added is the only one the engine knows about
  ThreatTriageProcessor processor = (ThreatTriageProcessor) initialized;
  Assert.assertEquals(1, processor.getRiskLevelRules().size());
}
Class ThreatTriageFunctionsTest, method testSetAggregationWithEngine.
/**
 * THREAT_TRIAGE_SET_AGGREGATOR applied to a live engine should change the
 * aggregator both in the returned configuration and in the engine itself.
 */
@Test
public void testSetAggregationWithEngine() {
  ThreatTriageProcessor processor = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");

  // switch the aggregator through the engine reference
  String updated = (String) run("THREAT_TRIAGE_SET_AGGREGATOR(engine, 'MIN')", toMap("engine", processor));

  // the returned, serialized config reflects the new aggregator
  SensorEnrichmentConfig parsed = (SensorEnrichmentConfig) ENRICHMENT.deserialize(updated);
  String fromConfig = parsed.getThreatIntel().getTriageConfig().getAggregator().toString();
  Assert.assertEquals("MIN", fromConfig);

  // and so does the engine that was passed in
  String fromEngine = processor.getSensorConfig().getThreatIntel().getTriageConfig().getAggregator().toString();
  Assert.assertEquals("MIN", fromEngine);
}
Class ThreatTriageFunctionsTest, method testTriageInitNoArg.
/**
 * THREAT_TRIAGE_INIT without arguments should yield an engine with no rules.
 */
@Test
public void testTriageInitNoArg() {
  Object initialized = run("THREAT_TRIAGE_INIT()");
  Assert.assertNotNull(initialized);
  Assert.assertTrue(initialized instanceof ThreatTriageProcessor);

  // nothing was configured, so the rule list must be empty
  ThreatTriageProcessor processor = (ThreatTriageProcessor) initialized;
  Assert.assertTrue(processor.getRiskLevelRules().isEmpty());
}
Class ThreatTriageFunctionsTest, method testRemoveWithEngine.
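/**
 * THREAT_TRIAGE_REMOVE applied to a live engine should drop only the named
 * rule and leave the remaining rule, with its score, intact.
 *
 * <p>The rules are Stellar expressions pulled from the shell session via
 * SHELL_GET_EXPRESSION, so the expected rule text is read back from
 * {@code variables} rather than hard-coded here.
 */
@Test
public void testRemoveWithEngine() {
  // init the engine
  ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
  // expose the engine to the Stellar expressions below
  Map<String, Object> vars = new HashMap<>();
  vars.put("engine", engine);

  // add 2 rules; the function hands back the updated, serialized config
  String afterAdd = (String) run("THREAT_TRIAGE_ADD(engine, ["
      + "{ 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 }, "
      + "{ 'rule' : SHELL_GET_EXPRESSION('greater'), 'score' : 20 } ] )", vars);
  Assert.assertNotNull(afterAdd);
  Assert.assertEquals(2, engine.getRiskLevelRules().size());

  // remove 1 rule
  String afterRemove = (String) run("THREAT_TRIAGE_REMOVE(engine, [ "
      + "SHELL_GET_EXPRESSION('greater')] )", vars);
  Assert.assertNotNull(afterRemove);

  // only the 'less' rule survives, with its original score
  List<RiskLevelRule> triageRules = engine.getRiskLevelRules();
  Assert.assertEquals(1, triageRules.size());
  RiskLevelRule rule = triageRules.get(0);
  Assert.assertEquals(variables.get("less").getExpression().get(), rule.getRule());
  Assert.assertEquals(10.0, rule.getScore().doubleValue(), 1e-6);
}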