/**
 * Builds the updates to be run for a metaalert once a set of new alerts has been added to it.
 *
 * <p>Nothing is emitted unless {@code addAlertsToMetaAlert} reports that the metaalert actually
 * changed. In that case the metaalert's summary scores are recomputed from the configured threat
 * triage and sort fields, the metaalert itself is queued for the metaalert index, and every child
 * alert for which {@code addMetaAlertToAlert} reports a change is queued without an explicit index.
 *
 * @param metaAlert The base metaalert we're building updates for
 * @param alerts The alerts being added
 * @return The set of resulting updates: each document mapped to the index it should be written
 *     to, or {@link Optional#empty()} for the child alerts, which carry no explicit index here.
 */
protected Map<Document, Optional<String>> buildAddAlertToMetaAlertUpdates(Document metaAlert,
    Iterable<Document> alerts) {
  Map<Document, Optional<String>> pending = new HashMap<>();
  if (!addAlertsToMetaAlert(metaAlert, alerts)) {
    // Nothing changed on the metaalert, so there is nothing to write back.
    return pending;
  }
  // Recompute the aggregate scores now that the child list has changed.
  String triageField = config.getThreatTriageField();
  String sortField = config.getThreatSort();
  MetaScores.calculateMetaScores(metaAlert, triageField, sortField);
  pending.put(metaAlert, Optional.of(config.getMetaAlertIndex()));
  for (Document child : alerts) {
    // Only children that were actually modified need to be written back.
    if (addMetaAlertToAlert(metaAlert.getGuid(), child)) {
      pending.put(child, Optional.empty());
    }
  }
  return pending;
}
public static void calculateMetaScores(Document metaAlert, String threatTriageField, String threatSort) { MetaScores metaScores = new MetaScores(new ArrayList<>()); List<Object> alertsRaw = ((List<Object>) metaAlert.getDocument() .get(MetaAlertConstants.ALERT_FIELD)); for (Object alertRaw : alertsRaw) { Map<String, Object> alert = (Map<String, Object>) alertRaw; Double scoreNum = parseThreatField(alert.get(threatTriageField)); if (scoreNum != null) { scores.add(scoreNum); metaScores = new MetaScores(scores); metaAlert.getDocument().putAll(metaScores.getMetaScores()); Object threatScore = metaScores.getMetaScores().get(threatSort);
expectedMetaAlertMap.put(THREAT_FIELD_DEFAULT, 0.0f); expectedMetaAlertMap.putAll(new MetaScores(scores).getMetaScores()); Document expectedMetaAlertDoc = new Document(expectedMetaAlertMap, METAALERT_GUID, METAALERT_TYPE,
expectedMetaAlertMap.put(ALERT_FIELD, expectedAlerts); expectedMetaAlertMap.put(THREAT_FIELD_DEFAULT, 0.0f); expectedMetaAlertMap.putAll(new MetaScores(Collections.singletonList(0.0d)).getMetaScores()); Document expectedMetaAlertDoc = new Document(expectedMetaAlertMap, METAALERT_GUID, METAALERT_TYPE,
.calculateMetaScores(metaAlert, config.getThreatTriageField(), config.getThreatSort()); updates.put(metaAlert, Optional.of(config.getMetaAlertIndex())); for (Document alert : alerts) {
MetaScores.calculateMetaScores(metaAlert, getConfig().getThreatTriageField(), getConfig().getThreatSort());
@Test
public void testCalculateMetaScoresWithDifferentFieldName() {
  // A single child alert carrying a threat score under the default field name.
  Map<String, Object> scoredAlert =
      Collections.singletonMap(MetaAlertConstants.THREAT_FIELD_DEFAULT, 10.0f);
  List<Map<String, Object>> children = new ArrayList<>();
  children.add(scoredAlert);

  // Wrap the child in a metaalert document.
  Map<String, Object> metaAlertFields = new HashMap<>();
  metaAlertFields.put(MetaAlertConstants.ALERT_FIELD, children);
  Document metaalert =
      new Document(metaAlertFields, "guid", MetaAlertConstants.METAALERT_TYPE, 0L);

  // Global config naming the threat triage score field.
  // NOTE(review): this AccessConfig is never handed to calculateMetaScores below, so the
  // field name under test reaches it only through the explicit threatTriageField argument.
  AccessConfig accessConfig = new AccessConfig();
  accessConfig.setGlobalConfigSupplier(() -> {
    Map<String, Object> globalConfig = new HashMap<>();
    globalConfig.put(Constants.THREAT_SCORE_FIELD_PROPERTY,
        MetaAlertConstants.THREAT_FIELD_DEFAULT);
    return globalConfig;
  });

  MetaScores.calculateMetaScores(metaalert,
      MetaAlertConstants.THREAT_FIELD_DEFAULT,
      MetaAlertConstants.THREAT_SORT_DEFAULT);

  // The overall score must have been written back under the threat triage field that was passed in.
  assertNotNull(metaalert.getDocument().get(MetaAlertConstants.THREAT_FIELD_DEFAULT));
}
// Closes the enclosing test class; its header lies outside this snippet.
}
MetaAlertConstants.ALERT_FIELD); MetaScores .calculateMetaScores(metaAlert, getConfig().getThreatTriageField(), getConfig().getThreatSort());
@Test
public void testCalculateMetaScoresList() {
  final double tolerance = 0.001;

  // Two scored children plus one that carries no threat score at all.
  List<Map<String, Object>> children = new ArrayList<>();
  children.add(Collections.singletonMap(THREAT_FIELD_DEFAULT, 10.0f));
  children.add(Collections.singletonMap(THREAT_FIELD_DEFAULT, 20.0f));
  children.add(Collections.singletonMap("alert3", "has no threat score"));

  // Wrap the children in a metaalert document.
  Map<String, Object> metaAlertFields = new HashMap<>();
  metaAlertFields.put(ALERT_FIELD, children);
  Document metaalert = new Document(metaAlertFields, "guid", METAALERT_TYPE, 0L);

  // Compute the aggregate scores for the metaalert.
  MetaScores.calculateMetaScores(metaalert, THREAT_FIELD_DEFAULT, THREAT_SORT_DEFAULT);
  Map<String, Object> summary = metaalert.getDocument();

  // The summary statistics cover the two scored children only; the unscored one is skipped.
  assertEquals(20D, (Double) summary.get("max"), tolerance);
  assertEquals(10D, (Double) summary.get("min"), tolerance);
  assertEquals(15D, (Double) summary.get("average"), tolerance);
  assertEquals(2L, summary.get("count"));
  assertEquals(30D, (Double) summary.get("sum"), tolerance);
  assertEquals(15D, (Double) summary.get("median"), tolerance);

  // The overall threat score is stored as a Float so its type matches the threat score held by
  // the other sensor indices.
  Object overallScore = summary.get(THREAT_FIELD_DEFAULT);
  assertTrue(overallScore instanceof Float);

  // By default the overall threat score is the sum of the child threat scores.
  assertEquals(30.0F, overallScore);
}