/**
 * Sets the aggregator (and optionally its settings) on the threat triage section
 * of a sensor enrichment config and returns the updated config as JSON.
 *
 * args[0] is the sensor enrichment config, args[1] the aggregator name and the
 * optional args[2] a map of aggregator settings. Missing threat-intel, triage
 * and rule-list sections are created on the way so the aggregator always has a
 * place to live.
 *
 * @param args function arguments as described above
 * @param context the Stellar execution context
 * @return the updated sensor enrichment config serialized as JSON
 * @throws ParseException if the config argument cannot be parsed
 */
@Override
public Object apply(List<Object> args, Context context) throws ParseException {
  SensorEnrichmentConfig sensorConfig = getSensorEnrichmentConfig(args, 0);

  ThreatIntelConfig threatIntel =
      (ThreatIntelConfig) getConfig(sensorConfig, EnrichmentConfigFunctions.Type.THREAT_INTEL);
  if (threatIntel == null) {
    threatIntel = new ThreatIntelConfig();
    sensorConfig.setThreatIntel(threatIntel);
  }

  org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig triage =
      threatIntel.getTriageConfig();
  if (triage == null) {
    triage = new org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig();
    threatIntel.setTriageConfig(triage);
  }

  if (triage.getRiskLevelRules() == null) {
    // make sure the rule list exists so later additions need no null check
    triage.setRiskLevelRules(new ArrayList<>());
  }

  // args.get(1) is read without a size check; fewer than two arguments fail here
  triage.setAggregator((String) args.get(1));

  // aggregator settings are optional; the cast is unchecked, so a non-map third
  // argument surfaces as a ClassCastException
  if (args.size() > 2) {
    @SuppressWarnings("unchecked")
    Map<String, Object> aggregatorSettings = (Map<String, Object>) args.get(2);
    triage.setAggregationConfig(aggregatorSettings);
  }

  return toJSON(sensorConfig);
}
/**
 * Returns the risk-level rules of the wrapped triage configuration.
 *
 * @return whatever the underlying config holds; may be null if it was never set
 */
public List<RiskLevelRule> getRiskLevelRules() {
  final List<RiskLevelRule> rules = this.threatTriageConfig.getRiskLevelRules();
  return rules;
}
triageConfig = new org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig(); tiConfig.setTriageConfig(triageConfig); List<RiskLevelRule> triageRules = triageConfig.getRiskLevelRules(); if(triageRules == null) { triageRules = new ArrayList<>(); triageConfig.setRiskLevelRules(triageRules);
/**
 * Scores a message against every configured risk-level rule and aggregates the
 * matches into an overall threat score.
 *
 * Each rule's predicate, reason and score are Stellar expressions taken from the
 * triage configuration and evaluated against the message together with the
 * sensor and threat-intel config variables; whoever can edit that configuration
 * controls what is evaluated here, so the config store is the trust boundary.
 *
 * @param message The message being triaged.
 * @return the threat score, holding one {@link RuleScore} per matching rule plus
 *     the aggregated overall score
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map message) {
  ThreatScore result = new ThreatScore();
  StellarPredicateProcessor predicates = new StellarPredicateProcessor();
  StellarProcessor expressions = new StellarProcessor();
  VariableResolver variables =
      new MapVariableResolver(message, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());

  // every rule whose predicate matches contributes a (reason, score) pair
  for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
    boolean matches = predicates.parse(rule.getRule(), variables, functionResolver, context);
    if (!matches) {
      continue;
    }
    String reason = execute(rule.getReason(), expressions, variables, String.class);
    Double score = execute(rule.getScoreExpression(), expressions, variables, Double.class);
    result.addRuleScore(new RuleScore(rule, reason, score));
  }

  // fold the individual rule scores into one value with the configured aggregator
  List<Number> individualScores = new ArrayList<>();
  for (RuleScore ruleScore : result.getRuleScores()) {
    individualScores.add(ruleScore.getScore());
  }
  Aggregators aggregator = threatTriageConfig.getAggregator();
  Double overall = aggregator.aggregate(individualScores, threatTriageConfig.getAggregationConfig());
  result.setScore(overall);
  return result;
}
/**
 * Renders the threat triage rules of a sensor enrichment config as a text table,
 * followed by the aggregator name when at least one rule exists.
 *
 * @param args args[0] is the sensor enrichment config to print
 * @param context the Stellar execution context
 * @return the formatted table, or an empty string when the config has no
 *     threat-intel or triage section
 * @throws ParseException if the config argument cannot be parsed
 */
@Override
public Object apply(List<Object> args, Context context) throws ParseException {
  SensorEnrichmentConfig sensorConfig = getSensorEnrichmentConfig(args, 0);

  ThreatIntelConfig threatIntel =
      (ThreatIntelConfig) getConfig(sensorConfig, EnrichmentConfigFunctions.Type.THREAT_INTEL);
  if (threatIntel == null) {
    return "";
  }
  org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig triage =
      threatIntel.getTriageConfig();
  if (triage == null) {
    return "";
  }

  // one table row per rule; a null name/comment/reason renders as a blank cell
  List<RiskLevelRule> rules = ListUtils.emptyIfNull(triage.getRiskLevelRules());
  String[] headers = {"Name", "Comment", "Triage Rule", "Score", "Reason"};
  String[][] rows = new String[rules.size()][5];
  for (int row = 0; row < rules.size(); row++) {
    RiskLevelRule rule = rules.get(row);
    rows[row] = new String[] {
        Optional.ofNullable(rule.getName()).orElse(""),
        Optional.ofNullable(rule.getComment()).orElse(""),
        rule.getRule(),
        rule.getScoreExpression(),
        Optional.ofNullable(rule.getReason()).orElse("")
    };
  }

  StringBuilder out = new StringBuilder(FlipTable.of(headers, rows));
  // the aggregation line only makes sense when there is something to aggregate
  if (!rules.isEmpty()) {
    out.append("Aggregation: ").append(triage.getAggregator().name());
  }
  return out.toString();
}
result.put(SCORE_KEY, score.getScore()); result.put(RULES_KEY, scores); result.put(AGG_KEY, config.getThreatIntel().getTriageConfig().getAggregator().toString()); return result;
/**
 * Hash consistent with {@link #equals(Object)}: the parent's hash combined with
 * the triage config's hash.
 */
@Override
public int hashCode() {
  // java.util.Objects.hashCode yields 0 for null, matching the parent-plus-field scheme
  return 31 * super.hashCode() + java.util.Objects.hashCode(getTriageConfig());
}
/**
 * Two configs are equal when they have the same runtime class, equal parent state
 * and equal (or both absent) triage configs.
 */
@Override
public boolean equals(Object o) {
  if (this == o) {
    return true;
  }
  if (o == null || getClass() != o.getClass()) {
    return false;
  }
  if (!super.equals(o)) {
    return false;
  }
  ThreatIntelConfig other = (ThreatIntelConfig) o;
  // null-safe: true when both are null, otherwise delegates to the triage config's equals
  return java.util.Objects.equals(getTriageConfig(), other.getTriageConfig());
}
/** Short summary naming how many rules this triage instance applies. */
@Override
public String toString() {
  int ruleCount = threatTriageConfig.getRiskLevelRules().size();
  return String.format("ThreatTriage{%d rule(s)}", ruleCount);
}
}
triageConfig = new org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig(); tiConfig.setTriageConfig(triageConfig); List<RiskLevelRule> allRules = ListUtils.union(triageConfig.getRiskLevelRules(), newRules); triageConfig.setRiskLevelRules(allRules);
if(LOG.isDebugEnabled() && (triageConfig.getRiskLevelRules() == null || triageConfig.getRiskLevelRules().isEmpty())) { LOG.debug("{}: Empty rules!", sourceType); String rules = Joiner.on('\n').join(triageConfig.getRiskLevelRules()); LOG.debug("Marked {} as triage level {} with rules {}", sourceType, score.getScore(), rules);
, 2 ); Assert.assertEquals(1, finalEnrichmentConfig.get("bro").getThreatIntel().getTriageConfig().getRiskLevelRules().size()); Assert.assertTrue( finalEnrichmentConfig.get("bro").toJSON() , ((List<String>)finalEnrichmentConfig.get("bro").getThreatIntel().getFieldMap()
/**
 * A triage rule's score may be a plain numeric literal; after deserialization it
 * is still carried as the string "10".
 */
@Test
public void shouldAllowNumericRuleScore() throws Exception {
  SensorEnrichmentConfig enrichment =
      (SensorEnrichmentConfig) ENRICHMENT.deserialize(triageRuleWithNumericScore);
  ThreatTriageConfig triage = enrichment.getThreatIntel().getTriageConfig();
  assertNotNull(triage);

  List<RiskLevelRule> rules = triage.getRiskLevelRules();
  assertEquals(1, rules.size());

  // every field of the single rule survives deserialization unchanged
  RiskLevelRule only = rules.get(0);
  assertEquals("Rule Name", only.getName());
  assertEquals("Rule Comment", only.getComment());
  assertEquals("ip_src_addr == '10.0.2.3'", only.getRule());
  assertEquals("'Rule Reason'", only.getReason());
  assertEquals("10", only.getScoreExpression());
}
/**
 * A triage rule's score may be a Stellar expression; it is kept verbatim as the
 * string "10 + 10" rather than being evaluated at deserialization time.
 */
@Test
public void shouldAllowScoreAsStellarExpression() throws Exception {
  SensorEnrichmentConfig enrichment =
      (SensorEnrichmentConfig) ENRICHMENT.deserialize(triageRuleWithScoreExpression);
  ThreatTriageConfig triage = enrichment.getThreatIntel().getTriageConfig();
  assertNotNull(triage);

  List<RiskLevelRule> rules = triage.getRiskLevelRules();
  assertEquals(1, rules.size());

  // every field of the single rule survives deserialization unchanged
  RiskLevelRule only = rules.get(0);
  assertEquals("Rule Name", only.getName());
  assertEquals("Rule Comment", only.getComment());
  assertEquals("'Rule Reason'", only.getReason());
  assertEquals("ip_src_addr == '10.0.2.3'", only.getRule());
  assertEquals("10 + 10", only.getScoreExpression());
}
}