/**
 * Picks the threat-intel section of a sensor's enrichment configuration as the
 * {@link EnrichmentConfig} this component works against.
 *
 * @param config the per-sensor enrichment configuration
 * @return the threat-intel section held by {@code config}
 */
@Override
public EnrichmentConfig getUnderlyingConfig(SensorEnrichmentConfig config) {
  EnrichmentConfig threatIntelSection = config.getThreatIntel();
  return threatIntelSection;
}
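/**
 * Creates a triage processor bound to the threat-intel section of a sensor's
 * enrichment configuration.
 *
 * @param config           the sensor enrichment configuration; must not be null
 * @param functionResolver function resolver retained on this instance
 * @param context          evaluation context retained on this instance
 * @throws NullPointerException if {@code config} is null
 */
public ThreatTriageProcessor(SensorEnrichmentConfig config, FunctionResolver functionResolver, Context context) {
  // Fail fast with a descriptive message instead of an unqualified NPE from the getter chain.
  java.util.Objects.requireNonNull(config, "config");
  // Read the threat-intel section once so both derived fields come from the same object.
  EnrichmentConfig threatIntel = config.getThreatIntel();
  this.sensorConfig = config;
  this.threatIntelConfig = threatIntel;
  this.threatTriageConfig = threatIntel.getTriageConfig();
  this.functionResolver = functionResolver;
  this.context = context;
}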
/**
 * Returns the section of {@code sensorConfig} that corresponds to {@code type}.
 *
 * @param sensorConfig the sensor's enrichment configuration
 * @param type         which section to select; {@code THREAT_INTEL} and {@code THREATINTEL}
 *                     are treated as aliases
 * @return the matching section, or {@code null} when {@code type} maps to neither section
 * @throws NullPointerException if {@code type} is null (switching on a null enum)
 */
public static EnrichmentConfig getConfig(SensorEnrichmentConfig sensorConfig, Type type) {
  switch (type) {
    case ENRICHMENT:
      return sensorConfig.getEnrichment();
    case THREAT_INTEL:
    case THREATINTEL:
      return sensorConfig.getThreatIntel();
    default:
      return null;
  }
}
/**
 * Looks up the threat-intel field-to-handler map configured for a sensor.
 *
 * @param sensorType the sensor whose configuration is consulted; may be null
 * @return the sensor's threat-intel enrichment configs, or a new empty map when
 *         {@code sensorType} is null or no configuration exists for it
 */
@Override
protected Map<String, ConfigHandler> getFieldToHandlerMap(String sensorType) {
  if (sensorType == null) {
    LOG.error("Trying to retrieve a field map with sensor type of null");
    return new HashMap<>();
  }
  SensorEnrichmentConfig sensorConfig = getConfigurations().getSensorEnrichmentConfig(sensorType);
  if (sensorConfig == null) {
    LOG.debug("Unable to retrieve a sensor enrichment config of {}", sensorType);
    return new HashMap<>();
  }
  return sensorConfig.getThreatIntel().getEnrichmentConfigs();
}
/**
 * Looks up the threat-intel field map configured for a sensor.
 *
 * @param sensorType the sensor whose configuration is consulted; may be null
 * @return the sensor's threat-intel field map, or a new empty map when
 *         {@code sensorType} is null or no configuration exists for it
 */
@Override
protected Map<String, Object> getFieldMap(String sensorType) {
  if (sensorType == null) {
    LOG.error("Trying to retrieve a field map with sensor type of null");
    return new HashMap<>();
  }
  SensorEnrichmentConfig sensorConfig = getConfigurations().getSensorEnrichmentConfig(sensorType);
  if (sensorConfig == null) {
    LOG.debug("Unable to retrieve sensor config: {}", sensorType);
    return new HashMap<>();
  }
  return sensorConfig.getThreatIntel().getFieldMap();
}
/**
 * Looks up the threat-intel field-to-handler map configured for a sensor.
 *
 * @param sensorType the sensor whose configuration is consulted; may be null
 * @return the sensor's threat-intel enrichment configs, or a new empty map when
 *         {@code sensorType} is null or no configuration exists for it
 */
@Override
protected Map<String, ConfigHandler> getFieldToHandlerMap(String sensorType) {
  if (sensorType == null) {
    LOG.error("Trying to retrieve a field map with sensor type of null");
    return new HashMap<>();
  }
  SensorEnrichmentConfig sensorConfig = getConfigurations().getSensorEnrichmentConfig(sensorType);
  if (sensorConfig == null) {
    LOG.debug("Unable to retrieve a sensor config of {}", sensorType);
    return new HashMap<>();
  }
  return sensorConfig.getThreatIntel().getEnrichmentConfigs();
}
/**
 * Two sensor enrichment configs are equal when they are of the same runtime class and
 * their enrichment, threat-intel and configuration sections are pairwise equal
 * (two null sections count as equal).
 *
 * @param o the object to compare against
 * @return {@code true} if {@code o} is an equal {@code SensorEnrichmentConfig}
 */
@Override
public boolean equals(Object o) {
  if (this == o) {
    return true;
  }
  if (o == null || getClass() != o.getClass()) {
    return false;
  }
  SensorEnrichmentConfig other = (SensorEnrichmentConfig) o;
  return java.util.Objects.equals(getEnrichment(), other.getEnrichment())
      && java.util.Objects.equals(getThreatIntel(), other.getThreatIntel())
      && java.util.Objects.equals(getConfiguration(), other.getConfiguration());
}
/**
 * Looks up the threat-intel field map configured for a source type.
 *
 * @param sourceType the source whose configuration is consulted
 * @return the source's threat-intel field map, or {@code null} when no sensor
 *         enrichment configuration exists for {@code sourceType}
 */
@Override
public Map<String, Object> getFieldMap(String sourceType) {
  SensorEnrichmentConfig sensorConfig = getConfigurations().getSensorEnrichmentConfig(sourceType);
  if (sensorConfig == null) {
    LOG.debug("Unable to retrieve sensor config: {}", sourceType);
    return null;
  }
  return sensorConfig.getThreatIntel().getFieldMap();
}
List<String> fieldList = null; if(kv.getValue().type == Type.THREAT_INTEL) { fieldMap = config.getThreatIntel().getFieldMap(); if(fieldMap!= null) { fieldList = (List<String>)fieldMap.get(Constants.SIMPLE_HBASE_THREAT_INTEL); fieldMap.put(Constants.SIMPLE_HBASE_THREAT_INTEL, fieldList); fieldToTypeMap = config.getThreatIntel().getFieldToTypeMap(); if(fieldToTypeMap == null) { fieldToTypeMap = new HashMap<>(); config.getThreatIntel().setFieldToTypeMap(fieldToTypeMap);
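/**
 * Hash code consistent with {@code equals}: folds in each of the three sections that
 * {@code equals} compares exactly once, treating a null section as 0.
 *
 * @return the combined hash of the enrichment, threat-intel and configuration sections
 */
@Override
public int hashCode() {
  // Each section contributes exactly once; hashing one of them twice adds nothing
  // to the distribution and diverges from the set of fields equals() looks at.
  int result = getEnrichment() != null ? getEnrichment().hashCode() : 0;
  result = 31 * result + (getThreatIntel() != null ? getThreatIntel().hashCode() : 0);
  result = 31 * result + (getConfiguration() != null ? getConfiguration().hashCode() : 0);
  return result;
}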
ThreatTriageConfig triageConfig = null; if(config != null) { triageConfig = config.getThreatIntel().getTriageConfig(); if(LOG.isDebugEnabled()) { LOG.debug("{}: Found sensor enrichment config.", sourceType);
.getThreatIntel().getFieldToTypeMap() .get(EnrichmentUtils.toTopLevelField(value.getField())); if(isInitialized() && enrichmentTypes != null) { , new EnrichmentUtils.TypeToKey(value.coerceValue(String.class) , lookup.getTable() , value.getConfig().getThreatIntel()
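/**
 * Records, on the lookup's access tracker, one access per enrichment type that is
 * configured for the field of {@code value}.
 *
 * @param value the cache key whose field and sensor config drive the lookup
 */
@Override
public void logAccess(CacheKey value) {
  EnrichmentConfig threatIntel = value.getConfig().getThreatIntel();
  // Elsewhere in this code base the field-to-type map is created lazily and can still be
  // null on a freshly loaded config; treat a missing map like a field with no types.
  if (threatIntel.getFieldToTypeMap() == null) {
    return;
  }
  List<String> enrichmentTypes = threatIntel.getFieldToTypeMap().get(value.getField());
  if (enrichmentTypes == null) {
    return;
  }
  for (String enrichmentType : enrichmentTypes) {
    lookup.getAccessTracker().logAccess(new EnrichmentKey(enrichmentType, value.coerceValue(String.class)));
  }
}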
result.put(SCORE_KEY, score.getScore()); result.put(RULES_KEY, scores); result.put(AGG_KEY, config.getThreatIntel().getTriageConfig().getAggregator().toString()); return result;
Assert.assertNotSame(finalEnrichmentConfig.get("bro"), broSc); Assert.assertEquals( finalEnrichmentConfig.get("bro").toJSON() , ((List<String>)finalEnrichmentConfig.get("bro").getThreatIntel().getFieldMap().get(Constants.SIMPLE_HBASE_THREAT_INTEL)).size() , 2 ); Assert.assertEquals(1, finalEnrichmentConfig.get("bro").getThreatIntel().getTriageConfig().getRiskLevelRules().size()); Assert.assertTrue( finalEnrichmentConfig.get("bro").toJSON() , ((List<String>)finalEnrichmentConfig.get("bro").getThreatIntel().getFieldMap() .get(Constants.SIMPLE_HBASE_THREAT_INTEL)) .contains("ip_src_addr") ); Assert.assertTrue( finalEnrichmentConfig.get("bro").toJSON() , ((List<String>)finalEnrichmentConfig.get("bro").getThreatIntel().getFieldMap() .get(Constants.SIMPLE_HBASE_THREAT_INTEL)) .contains("ip_dst_addr") ); Assert.assertEquals( finalEnrichmentConfig.get("bro").toJSON() , finalEnrichmentConfig.get("bro").getThreatIntel().getFieldToTypeMap().keySet().size() , 2 ); Assert.assertEquals( finalEnrichmentConfig.get("bro").toJSON() , ((List<String>)(finalEnrichmentConfig.get("bro").getThreatIntel().getFieldToTypeMap().get("ip_src_addr"))).size() , 2 ); Assert.assertTrue( finalEnrichmentConfig.get("bro").toJSON() , ((List<String>)(finalEnrichmentConfig.get("bro").getThreatIntel().getFieldToTypeMap().get("ip_src_addr"))).contains("playful") ); Assert.assertTrue( finalEnrichmentConfig.get("bro").toJSON() , ((List<String>)(finalEnrichmentConfig.get("bro").getThreatIntel().getFieldToTypeMap().get("ip_src_addr"))).contains("malicious_ip")
if (withThreatTriage) { try { enrichmentConfig.getThreatIntel().setTriageConfig(JSONUtils.INSTANCE.load(threatTriageConfig, ThreatTriageConfig.class)); if (badConfig) { Assert.fail(threatTriageConfig + "\nThis should not parse!");
/**
 * A triage rule whose score is a plain number deserializes with the score kept as the
 * string expression {@code "10"}.
 */
@Test
public void shouldAllowNumericRuleScore() throws Exception {
  // deserialize the enrichment configuration and pull out its triage section
  SensorEnrichmentConfig sensorConfig =
      (SensorEnrichmentConfig) ENRICHMENT.deserialize(triageRuleWithNumericScore);
  ThreatTriageConfig triage = sensorConfig.getThreatIntel().getTriageConfig();
  assertNotNull(triage);

  // exactly one rule, with every attribute carried through unchanged
  List<RiskLevelRule> riskRules = triage.getRiskLevelRules();
  assertEquals(1, riskRules.size());
  RiskLevelRule onlyRule = riskRules.get(0);
  assertEquals("Rule Name", onlyRule.getName());
  assertEquals("Rule Comment", onlyRule.getComment());
  assertEquals("ip_src_addr == '10.0.2.3'", onlyRule.getRule());
  assertEquals("'Rule Reason'", onlyRule.getReason());
  assertEquals("10", onlyRule.getScoreExpression());
}
/**
 * A triage rule whose score is a Stellar expression deserializes with the expression
 * text {@code "10 + 10"} kept verbatim.
 */
@Test
public void shouldAllowScoreAsStellarExpression() throws Exception {
  // deserialize the enrichment configuration and pull out its triage section
  SensorEnrichmentConfig sensorConfig =
      (SensorEnrichmentConfig) ENRICHMENT.deserialize(triageRuleWithScoreExpression);
  ThreatTriageConfig triage = sensorConfig.getThreatIntel().getTriageConfig();
  assertNotNull(triage);

  // exactly one rule, with every attribute carried through unchanged
  List<RiskLevelRule> riskRules = triage.getRiskLevelRules();
  assertEquals(1, riskRules.size());
  RiskLevelRule onlyRule = riskRules.get(0);
  assertEquals("Rule Name", onlyRule.getName());
  assertEquals("Rule Comment", onlyRule.getComment());
  assertEquals("'Rule Reason'", onlyRule.getReason());
  assertEquals("ip_src_addr == '10.0.2.3'", onlyRule.getRule());
  assertEquals("10 + 10", onlyRule.getScoreExpression());
}
}
add("threatIntelField"); }}); testSensorConfig.getThreatIntel().setFieldMap(threatIntelFieldMap); sampleConfigurations.updateSensorEnrichmentConfig(sensorType, testSensorConfig); ConfigurationsUtils.writeSensorEnrichmentConfigToZookeeper(sensorType, testSensorConfig, zookeeperUrl);