/**
 * Wraps already-decoded metadata in an {@link EnrichmentValue}.
 *
 * <p>The map is handed over as-is: nothing here copies or validates it.
 *
 * @param metadata decoded column values for one row
 * @return the value object backed by {@code metadata}
 */
@Override
public LookupValue toValue(Map<String, Object> metadata) {
  EnrichmentValue wrapped = new EnrichmentValue(metadata);
  return wrapped;
}
})
/**
 * Decodes an HBase {@link Result} into an enrichment key/value pair.
 *
 * <p>Delegates to the four-argument overload, handing it freshly constructed, empty
 * {@link EnrichmentKey} and {@link EnrichmentValue} instances.
 *
 * @param result       the row read from HBase
 * @param columnFamily the column family that holds the serialized value
 * @return the decoded key and value
 * @throws IOException propagated from the four-argument overload
 */
@Override
public LookupKV<EnrichmentKey, EnrichmentValue> fromResult(Result result, String columnFamily) throws IOException {
  EnrichmentKey keyTarget = new EnrichmentKey();
  EnrichmentValue valueTarget = new EnrichmentValue();
  return fromResult(result, columnFamily, keyTarget, valueTarget);
}
}
/**
 * Decodes an HBase {@link Put} into an enrichment key/value pair.
 *
 * <p>Delegates to the four-argument overload, handing it freshly constructed, empty
 * {@link EnrichmentKey} and {@link EnrichmentValue} instances.
 *
 * @param put          the mutation to decode
 * @param columnFamily the column family that holds the serialized value
 * @return the decoded key and value
 * @throws IOException propagated from the four-argument overload
 */
@Override
public LookupKV<EnrichmentKey, EnrichmentValue> fromPut(Put put, String columnFamily) throws IOException {
  EnrichmentKey keyTarget = new EnrichmentKey();
  EnrichmentValue valueTarget = new EnrichmentValue();
  return fromPut(put, columnFamily, keyTarget, valueTarget);
}
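/**
 * Builds the enrichment value for a message by choosing which fields become metadata.
 *
 * <p>When {@code valueColumns} is null or empty, every field except the key columns is
 * kept ("everything else" mode); otherwise only the fields named in {@code valueColumns}
 * are kept (allow-list mode). Selected entries are copied through
 * {@link #addMetadataEntry}. The two modes share one loop; the original duplicated it.
 *
 * @param message      the parsed message (json-simple exposes its entries as raw {@code Map.Entry})
 * @param keyColumns   fields that make up the enrichment key; consulted only in
 *                     "everything else" mode, and must be non-null in that mode
 * @param valueColumns explicit allow-list of value fields, or null/empty for "everything else"
 * @return an {@link EnrichmentValue} wrapping the selected metadata
 */
@SuppressWarnings("unchecked") // JSONObject iterates raw Map.Entry objects; the cast mirrors the original
private EnrichmentValue getValue(JSONObject message, Set<String> keyColumns, Set<String> valueColumns) {
  Map<String, Object> metadata = new HashMap<>();
  // allow-list mode when value columns are configured, otherwise "everything that is not a key column"
  boolean allowListMode = valueColumns != null && !valueColumns.isEmpty();
  for (Object kv : message.entrySet()) {
    Map.Entry<Object, Object> entry = (Map.Entry<Object, Object>) kv;
    Object field = entry.getKey();
    boolean selected = allowListMode ? valueColumns.contains(field) : !keyColumns.contains(field);
    if (selected) {
      addMetadataEntry(metadata, entry);
    }
  }
  return new EnrichmentValue(metadata);
}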
final String indicatorType = typeStr + ":" + category; LookupKV results = new LookupKV(new EnrichmentKey(indicatorType, token) , new EnrichmentValue( new HashMap<String, Object>() {{ put("source-type", "STIX");
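/**
 * Extracts one indicator per hostname token of a STIX {@code Hostname} object.
 *
 * <p>The indicator type defaults to {@link #getType()} and can be overridden by the
 * {@code TYPE_CONFIG} entry of {@code config}; whatever string results is used verbatim
 * as the type component of each {@link EnrichmentKey}. Each token produced by
 * {@link StixExtractor#split} yields a {@link LookupKV} whose value records the source
 * type, the indicator type and the originating STIX XML.
 *
 * <p>A null {@code type} yields no indicators, matching the URI extractor's behaviour;
 * the original dereferenced it unconditionally. The metadata map is a plain
 * {@link HashMap} rather than a double-brace anonymous subclass, which would otherwise
 * capture a reference to this extractor instance.
 *
 * @param type   the STIX hostname object, may be null
 * @param config extractor configuration, may be null
 * @return the extracted indicators, empty when there is nothing to extract
 * @throws IOException propagated from helper calls, if they throw it
 */
@Override
public Iterable<LookupKV> extract(final Hostname type, Map<String, Object> config) throws IOException {
  List<LookupKV> ret = new ArrayList<>();
  if (type == null) {
    return ret;
  }
  String typeStr = getType();
  if (config != null) {
    Object configured = config.get(TYPE_CONFIG);
    if (configured != null) {
      typeStr = configured.toString();
    }
  }
  final String indicatorType = typeStr;
  // identical for every token, so serialize the STIX object once
  final String source = type.toXMLString();
  StringObjectPropertyType value = type.getHostnameValue();
  for (String token : StixExtractor.split(value)) {
    Map<String, Object> metadata = new HashMap<>();
    metadata.put("source-type", "STIX");
    metadata.put("indicator-type", indicatorType);
    metadata.put("source", source);
    ret.add(new LookupKV<>(new EnrichmentKey(indicatorType, token), new EnrichmentValue(metadata)));
  }
  return ret;
}
@Override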
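/**
 * Extracts a single indicator from a STIX {@code URIObjectType}, keyed by the URI text.
 *
 * <p>Nothing is produced when the object, its value holder or the held value is null.
 * The value records the source type, the URI, the indicator type ({@link #getType()})
 * and the originating STIX XML. The metadata map is a plain {@link HashMap} rather than
 * a double-brace anonymous subclass, which would otherwise capture a reference to this
 * extractor instance.
 *
 * @param type   the STIX URI object, may be null
 * @param config extractor configuration; not consulted by this extractor
 * @return a list holding at most one indicator
 * @throws IOException propagated from helper calls, if they throw it
 */
@Override
public Iterable<LookupKV> extract(URIObjectType type, Map<String, Object> config) throws IOException {
  List<LookupKV> ret = new ArrayList<>();
  if (type == null) {
    return ret;
  }
  AnyURIObjectPropertyType holder = type.getValue();
  if (holder == null) {
    return ret;
  }
  Object rawUri = holder.getValue();
  if (rawUri == null) {
    return ret;
  }
  // one toString() for both the key and the "uri" field, so they cannot drift apart
  final String uri = rawUri.toString();
  final String indicatorType = getType();
  Map<String, Object> metadata = new HashMap<>();
  metadata.put("source-type", "STIX");
  metadata.put("uri", uri);
  metadata.put("indicator-type", indicatorType);
  metadata.put("source", type.toXMLString());
  ret.add(new LookupKV<>(new EnrichmentKey(indicatorType, uri), new EnrichmentValue(metadata)));
  return ret;
}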
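/**
 * Extracts one indicator per token of a STIX {@code DomainName} object.
 *
 * <p>Only objects whose declared domain type is absent or listed in
 * {@code SUPPORTED_TYPES} are processed. The indicator type is
 * {@code "<type>:FQDN"}, where {@code <type>} defaults to {@link #getType()} and may be
 * overridden by the {@code TYPE_CONFIG} entry of {@code config}; that string is used
 * verbatim as the type component of each {@link EnrichmentKey}. Each value records the
 * source type, the indicator type and the originating STIX XML.
 *
 * <p>A null {@code type} yields no indicators, matching the URI extractor's behaviour;
 * the original dereferenced it unconditionally. The metadata map is a plain
 * {@link HashMap} rather than a double-brace anonymous subclass, which would otherwise
 * capture a reference to this extractor instance.
 *
 * @param type   the STIX domain-name object, may be null
 * @param config extractor configuration, may be null
 * @return the extracted indicators, empty when there is nothing to extract
 * @throws IOException propagated from helper calls, if they throw it
 */
@Override
public Iterable<LookupKV> extract(final DomainName type, Map<String, Object> config) throws IOException {
  List<LookupKV> ret = new ArrayList<>();
  if (type == null) {
    return ret;
  }
  String typeStr = getType();
  if (config != null) {
    Object configured = config.get(TYPE_CONFIG);
    if (configured != null) {
      typeStr = configured.toString();
    }
  }
  // an absent domain type is accepted; any other type must be in SUPPORTED_TYPES
  final DomainNameTypeEnum domainType = type.getType();
  if (domainType != null && !SUPPORTED_TYPES.contains(domainType)) {
    return ret;
  }
  // always recorded as FQDN, independent of the object's declared domain type
  final String indicatorType = typeStr + ":" + DomainNameTypeEnum.FQDN;
  // identical for every token, so serialize the STIX object once
  final String source = type.toXMLString();
  StringObjectPropertyType value = type.getValue();
  for (String token : StixExtractor.split(value)) {
    Map<String, Object> metadata = new HashMap<>();
    metadata.put("source-type", "STIX");
    metadata.put("indicator-type", indicatorType);
    metadata.put("source", source);
    ret.add(new LookupKV<>(new EnrichmentKey(indicatorType, token), new EnrichmentValue(metadata)));
  }
  return ret;
}
@Override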
/**
 * Seeds the mock threat-intel table with a single IP indicator and wires up a
 * {@link EnrichmentLookup} backed by a persistent, bloom-filtered access tracker.
 *
 * <p>Also parses {@code expectedMessageString} into {@code expectedMessage} for the tests.
 *
 * @throws Exception from the JSON parser or the mock table helpers
 */
@Before
public void setup() throws Exception {
  final MockHTable trackerTable = (MockHTable) MockHBaseTableProvider.addToCache(atTableName, cf);
  final MockHTable threatIntelTable = (MockHTable) MockHBaseTableProvider.addToCache(threatIntelTableName, cf);

  ArrayList<LookupKV<EnrichmentKey, EnrichmentValue>> seed = new ArrayList<>();
  seed.add(new LookupKV<>(new EnrichmentKey("10.0.2.3", "10.0.2.3"), new EnrichmentValue(new HashMap<>())));
  EnrichmentHelper.INSTANCE.load(threatIntelTable, cf, seed);

  BloomAccessTracker bloomTracker = new BloomAccessTracker(threatIntelTableName, 100, 0.03);
  PersistentAccessTracker persistentTracker =
      new PersistentAccessTracker(threatIntelTableName, "0", trackerTable, cf, bloomTracker, 0L);
  lookup = new EnrichmentLookup(threatIntelTable, cf, persistentTracker);

  JSONParser parser = new JSONParser();
  expectedMessage = (JSONObject) parser.parse(expectedMessageString);
}
/**
 * Seeds the mock enrichment table with five indicators ({@code indicator0..indicator4},
 * each carrying {@code keyN -> valueN}) and builds a Stellar {@link Context} whose global
 * config points the enrichment functions at {@link MockHBaseTableProvider}.
 *
 * @throws Exception from the mock table helpers
 */
@Before
public void setup() throws Exception {
  final MockHTable hbaseTable = (MockHTable) MockHBaseTableProvider.addToCache(hbaseTableName, cf);

  ArrayList<LookupKV<EnrichmentKey, EnrichmentValue>> seed = new ArrayList<>();
  for (int idx = 0; idx < 5; idx++) {
    EnrichmentKey key = new EnrichmentKey(ENRICHMENT_TYPE, "indicator" + idx);
    EnrichmentValue val = new EnrichmentValue(ImmutableMap.of("key" + idx, "value" + idx));
    seed.add(new LookupKV<>(key, val));
  }
  EnrichmentHelper.INSTANCE.load(hbaseTable, cf, seed);

  context = new Context.Builder()
      .with(Context.Capabilities.GLOBAL_CONFIG,
            () -> ImmutableMap.of(SimpleHBaseEnrichmentFunctions.TABLE_PROVIDER_TYPE_CONF,
                                  MockHBaseTableProvider.class.getName()))
      .build();
}

public Object run(String rule, Map<String, Object> variables) throws Exception {
/**
 * Seeds the mock enrichment table with one indicator in each of two column families
 * ({@code cf} and {@code cf1}) and wires up a {@link EnrichmentLookup} over {@code cf}
 * backed by a persistent, bloom-filtered access tracker.
 *
 * <p>Also parses {@code expectedMessageString} into {@code expectedMessage} for the tests.
 *
 * @throws Exception from the JSON parser or the mock table helpers
 */
@Before
public void setup() throws Exception {
  final MockHTable trackerTable = (MockHTable) MockHBaseTableProvider.addToCache(atTableName, cf);
  final MockHTable hbaseTable = (MockHTable) MockHBaseTableProvider.addToCache(hbaseTableName, cf);

  ArrayList<LookupKV<EnrichmentKey, EnrichmentValue>> playfulSeed = new ArrayList<>();
  playfulSeed.add(new LookupKV<>(new EnrichmentKey(PLAYFUL_CLASSIFICATION_TYPE, "10.0.2.3"),
                                 new EnrichmentValue(PLAYFUL_ENRICHMENT)));
  EnrichmentHelper.INSTANCE.load(hbaseTable, cf, playfulSeed);

  ArrayList<LookupKV<EnrichmentKey, EnrichmentValue>> cf1Seed = new ArrayList<>();
  cf1Seed.add(new LookupKV<>(new EnrichmentKey(CF1_CLASSIFICATION_TYPE, "10.0.2.4"),
                             new EnrichmentValue(CF1_ENRICHMENT)));
  EnrichmentHelper.INSTANCE.load(hbaseTable, cf1, cf1Seed);

  BloomAccessTracker bloomTracker = new BloomAccessTracker(hbaseTableName, 100, 0.03);
  PersistentAccessTracker persistentTracker =
      new PersistentAccessTracker(hbaseTableName, "0", trackerTable, cf, bloomTracker, 0L);
  lookup = new EnrichmentLookup(hbaseTable, cf, persistentTracker);

  JSONParser parser = new JSONParser();
  expectedMessage = (JSONObject) parser.parse(expectedMessageString);
}
final MockHTable threatIntelTable = (MockHTable) MockHBaseTableProvider.addToCache(threatIntelTableName, cf); EnrichmentHelper.INSTANCE.load(threatIntelTable, cf, new ArrayList<LookupKV<EnrichmentKey, EnrichmentValue>>() {{ add(new LookupKV<>(new EnrichmentKey(MALICIOUS_IP_TYPE, "10.0.2.3"), new EnrichmentValue(new HashMap<>()))); }}); final MockHTable enrichmentTable = (MockHTable) MockHBaseTableProvider.addToCache(enrichmentsTableName, cf); EnrichmentHelper.INSTANCE.load(enrichmentTable, cf, new ArrayList<LookupKV<EnrichmentKey, EnrichmentValue>>() {{ add(new LookupKV<>(new EnrichmentKey(PLAYFUL_CLASSIFICATION_TYPE, "10.0.2.3") , new EnrichmentValue(PLAYFUL_ENRICHMENT)
/**
 * Round-trips a key/value pair through {@link EnrichmentConverter#toPut} and
 * {@link EnrichmentConverter#fromPut} and checks both halves survive unchanged.
 *
 * @throws IOException if the converter fails to serialize or deserialize
 */
@Test
public void testValueConversion() throws IOException {
  EnrichmentConverter converter = new EnrichmentConverter();
  EnrichmentKey originalKey = new EnrichmentKey("type", "indicator");

  HashMap<String, Object> fields = new HashMap<>();
  fields.put("k1", "v1");
  fields.put("k2", "v2");
  EnrichmentValue originalValue = new EnrichmentValue(fields);

  Put serialized = converter.toPut("cf", originalKey, originalValue);
  LookupKV<EnrichmentKey, EnrichmentValue> roundTripped = converter.fromPut(serialized, "cf");

  Assert.assertEquals(originalKey, roundTripped.getKey());
  Assert.assertEquals(originalValue, roundTripped.getValue());
}
}