Example 6 with ThreatTriageProcessor

Usage of org.apache.metron.threatintel.triage.ThreatTriageProcessor in the apache/metron project.

From class ThreatTriageFunctionsTest, method testTriageInitWithArg (adds one rule through THREAT_TRIAGE_ADD, then checks that THREAT_TRIAGE_INIT builds an engine carrying that rule):

@Test
public void testTriageInitWithArg() {
    // add a triage rule
    String confWithRule = (String) run("THREAT_TRIAGE_ADD(conf, [{ 'rule': 'value > 0', 'score' : 10 } ])", toMap("conf", configStr));
    // initialize the engine
    Object result = run("THREAT_TRIAGE_INIT(confWithRule)", toMap("confWithRule", confWithRule));
    Assert.assertNotNull(result);
    Assert.assertTrue(result instanceof ThreatTriageProcessor);
    // validate that there is 1 triage rule
    ThreatTriageProcessor engine = (ThreatTriageProcessor) result;
    Assert.assertEquals(1, engine.getRiskLevelRules().size());
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) Test(org.junit.Test)

Example 7 with ThreatTriageProcessor

Usage of org.apache.metron.threatintel.triage.ThreatTriageProcessor in the apache/metron project.

From class ThreatTriageFunctionsTest, method testSetAggregationWithEngine (checks that THREAT_TRIAGE_SET_AGGREGATOR updates both the returned configuration and the live engine):

@Test
public void testSetAggregationWithEngine() {
    // init the engine
    ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    Map<String, Object> vars = new HashMap<>();
    vars.put("engine", engine);
    // set the aggregator
    String newConfig = (String) run("THREAT_TRIAGE_SET_AGGREGATOR(engine, 'MIN')", vars);
    // validate the return configuration
    SensorEnrichmentConfig sensorConfig = (SensorEnrichmentConfig) ENRICHMENT.deserialize(newConfig);
    Assert.assertEquals("MIN", sensorConfig.getThreatIntel().getTriageConfig().getAggregator().toString());
    // validate that the engine was updated
    Assert.assertEquals("MIN", engine.getSensorConfig().getThreatIntel().getTriageConfig().getAggregator().toString());
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) HashMap(java.util.HashMap) SensorEnrichmentConfig(org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig) Test(org.junit.Test)

Example 8 with ThreatTriageProcessor

Usage of org.apache.metron.threatintel.triage.ThreatTriageProcessor in the apache/metron project.

From class ThreatTriageFunctionsTest, method testTriageInitNoArg (checks that THREAT_TRIAGE_INIT with no configuration yields an engine with an empty rule list):

@Test
public void testTriageInitNoArg() {
    Object result = run("THREAT_TRIAGE_INIT()");
    Assert.assertNotNull(result);
    Assert.assertTrue(result instanceof ThreatTriageProcessor);
    // there should be no triage rules defined
    ThreatTriageProcessor engine = (ThreatTriageProcessor) result;
    Assert.assertEquals(0, engine.getRiskLevelRules().size());
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) Test(org.junit.Test)

Example 9 with ThreatTriageProcessor

Usage of org.apache.metron.threatintel.triage.ThreatTriageProcessor in the apache/metron project.

From class ThreatTriageFunctionsTest, method testRemoveWithEngine (adds two rules, removes one by its expression, and checks that only the other survives with its score intact):

@Test
public void testRemoveWithEngine() {
    // init the engine
    ThreatTriageProcessor engine = (ThreatTriageProcessor) run("THREAT_TRIAGE_INIT()");
    // variables made visible to the Stellar expressions below
    Map<String, Object> vars = new HashMap<>();
    vars.put("engine", engine);
    // add 2 rules
    String newConfig = (String) run("THREAT_TRIAGE_ADD(engine, [" + "{ 'rule' : SHELL_GET_EXPRESSION('less'), 'score' : 10 }, " + "{ 'rule' : SHELL_GET_EXPRESSION('greater'), 'score' : 20 } ] )", vars);
    // remove 1 rule
    newConfig = (String) run("THREAT_TRIAGE_REMOVE(engine, [ " + "SHELL_GET_EXPRESSION('greater')] )", vars);
    List<RiskLevelRule> triageRules = engine.getRiskLevelRules();
    Assert.assertEquals(1, triageRules.size());
    RiskLevelRule rule = triageRules.get(0);
    Assert.assertEquals(variables.get("less").getExpression().get(), rule.getRule());
    Assert.assertEquals(10.0, rule.getScore().doubleValue(), 1e-6);
}
Also used : ThreatTriageProcessor(org.apache.metron.threatintel.triage.ThreatTriageProcessor) HashMap(java.util.HashMap) RiskLevelRule(org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule) Test(org.junit.Test)
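The tests above add, remove and re-aggregate triage rules but never show what the aggregator does to the resulting threat score. The following is an added example, not Metron's own code and not part of the original page: a small Python model of the same semantics, in which each risk-level rule is an expression plus a score, a rule fires when its expression is true for the message, and the configured aggregator (MAX, MIN, SUM, MEAN and POSITIVE_MEAN are the names Metron documents for triageConfig) folds the scores of the rules that fired. The rule evaluator, the rule syntax (Python comparison syntax in place of Stellar), the field names and the sample event are all assumptions of this example.

```python
"""Constructed model of threat-triage scoring in the style of Metron's
triageConfig (added example, not Metron's own code).  Each risk-level rule is
an expression plus a score; a rule fires when its expression is true for the
message, and the aggregator folds the scores of the rules that fired into the
overall threat score.  Stellar is replaced by a restricted evaluator over
message fields (Python comparison syntax), which is an assumption here."""
import ast
import operator
import statistics
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

# Aggregator names documented for Metron's triageConfig; the folds are written here.
AGGREGATORS = {
    "MAX": max,
    "MIN": min,
    "SUM": sum,
    "MEAN": statistics.fmean,
    "POSITIVE_MEAN": lambda scores: statistics.fmean([s for s in scores if s > 0] or [0.0]),
}

_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


def evaluate(expr: str, message: Dict[str, Any]) -> bool:
    """Evaluate a whitelisted boolean expression against message fields.
    Only comparisons, and/or/not and literals are accepted, so a rule string
    cannot call functions.  A missing field compares as None, so the rule
    simply does not fire rather than raising."""
    def ev(node: ast.AST) -> Any:
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            return message.get(node.id)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        if isinstance(node, ast.BoolOp):
            results = (ev(v) for v in node.values)
            return all(results) if isinstance(node.op, ast.And) else any(results)
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            op = _CMP.get(type(node.ops[0]))
            if op is None:
                raise ValueError(f"unsupported comparison in rule {expr!r}")
            left, right = ev(node.left), ev(node.comparators[0])
            if left is None or right is None:
                return False
            try:
                return bool(op(left, right))
            except TypeError:  # e.g. a string field compared with a number
                return False
        raise ValueError(f"unsupported construct in rule {expr!r}")
    return bool(ev(ast.parse(expr, mode="eval")))


@dataclass
class RiskLevelRule:
    rule: str
    score: float
    name: Optional[str] = None


@dataclass
class TriageConfig:
    """Mirrors the shape of triageConfig: a rule list plus an aggregator name."""
    risk_level_rules: List[RiskLevelRule] = field(default_factory=list)
    aggregator: str = "MAX"

    def add(self, rule: str, score: float, name: Optional[str] = None) -> None:
        ast.parse(rule, mode="eval")  # reject unparsable rules at config time, not at triage time
        self.risk_level_rules.append(RiskLevelRule(rule, float(score), name))

    def remove(self, rule: str) -> None:
        self.risk_level_rules = [r for r in self.risk_level_rules if r.rule != rule]


def triage(config: TriageConfig, message: Dict[str, Any]) -> Tuple[float, List[RiskLevelRule]]:
    """Score one message: returns (aggregated score, rules that fired)."""
    fired = [r for r in config.risk_level_rules if evaluate(r.rule, message)]
    if not fired:
        return 0.0, []
    fold = AGGREGATORS[config.aggregator]
    return float(fold([r.score for r in fired])), fired


def demo() -> Dict[str, float]:
    """Two rules scoring 10 and 20, as in the tests above, under three aggregators."""
    cfg = TriageConfig()
    cfg.add("value > 0", 10)                                    # generic, low-value rule
    cfg.add("bytes_out > 1000000 and dest_port == 443", 20,    # hypothetical high-value rule
            name="large_tls_egress")
    event = {"value": 5, "bytes_out": 5_000_000, "dest_port": 443}  # constructed event
    scores = {}
    for agg in ("MAX", "MIN", "SUM"):
        cfg.aggregator = agg
        scores[agg] = triage(cfg, event)[0]
    return scores  # {'MAX': 20.0, 'MIN': 10.0, 'SUM': 30.0}


if __name__ == "__main__":
    print(demo())
```

The point of running the same event through MAX, MIN and SUM is the caveat behind testSetAggregationWithEngine: with MIN, the generic `value > 0` rule (score 10) fires alongside the 20-point rule and drags the final score down to 10, so a low-value catch-all rule can mask the alert that matters; MAX and SUM keep it visible. The evaluator also deliberately refuses anything beyond comparisons and boolean operators, because rule strings come from configuration and should not be able to call arbitrary functions.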

Aggregations

ThreatTriageProcessor (org.apache.metron.threatintel.triage.ThreatTriageProcessor) 9
Test (org.junit.Test) 7
HashMap (java.util.HashMap) 5
RiskLevelRule (org.apache.metron.common.configuration.enrichment.threatintel.RiskLevelRule) 3
SensorEnrichmentConfig (org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig) 2
JSONObject (org.json.simple.JSONObject) 2
ThreatScore (org.apache.metron.common.configuration.enrichment.threatintel.ThreatScore) 1
ThreatTriageConfig (org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig) 1