/**
 * Returns the free-form configuration map of one sensor's enrichment config.
 *
 * When no {@code EnrichmentConfigurations} has been loaded yet, an empty one is
 * used for the lookup instead of dereferencing the absent value.
 *
 * @param sensorName the sensor whose enrichment configuration is wanted
 * @return that sensor's {@code configuration} map
 */
@Override
public Map<String, Object> getSensorConfig(String sensorName) {
  EnrichmentConfigurations all = config.orElse(new EnrichmentConfigurations());
  SensorEnrichmentConfig forSensor = all.getSensorEnrichmentConfig(sensorName);
  // NOTE(review): if getSensorEnrichmentConfig() can return null for an unknown sensor
  // this dereference will NPE — confirm against its implementation.
  return forSensor.getConfiguration();
}
/**
 * Two configs are equal when their enrichment, threat-intel and configuration parts
 * are pairwise equal (a null part only matches a null part). Only exact same-class
 * instances are comparable.
 */
@Override
public boolean equals(Object o) {
  if (this == o) {
    return true;
  }
  if (o == null || getClass() != o.getClass()) {
    return false;
  }
  SensorEnrichmentConfig other = (SensorEnrichmentConfig) o;
  return equalOrBothNull(getEnrichment(), other.getEnrichment())
      && equalOrBothNull(getThreatIntel(), other.getThreatIntel())
      && equalOrBothNull(getConfiguration(), other.getConfiguration());
}

/** Null-safe equality: both null, or {@code a.equals(b)}. */
private static boolean equalOrBothNull(Object a, Object b) {
  return a == null ? b == null : a.equals(b);
}
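/**
 * Hash built from the same three parts {@link #equals(Object)} compares
 * (enrichment, threat intel, configuration), null-safe.
 *
 * Fix: the original seeded {@code result} with the enrichment hash and then folded the
 * enrichment hash in a second time — a copy/paste duplication that double-weighted that
 * part and called the getter twice. Each part is now mixed in exactly once; the value
 * remains consistent with {@code equals}.
 */
@Override
public int hashCode() {
  int result = getEnrichment() != null ? getEnrichment().hashCode() : 0;
  result = 31 * result + (getThreatIntel() != null ? getThreatIntel().hashCode() : 0);
  result = 31 * result + (getConfiguration() != null ? getConfiguration().hashCode() : 0);
  return result;
}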
/**
 * Evaluates the Stellar enrichment configured for the sensor behind {@code value}.
 *
 * The Stellar {@code Context} is read back out of the sensor's configuration map
 * (callers stash it there under {@code STELLAR_CONTEXT_CONF}); the sensor's enrichment
 * config and the configuration map become the variable scopes for the expressions.
 *
 * @param value cache key holding the field, the message and the sensor config
 * @return the enriched fields, or an empty {@code JSONObject} when no handler exists
 */
@Override
public JSONObject enrich(CacheKey value) {
  SensorEnrichmentConfig cfg = value.getConfig();
  // NOTE(review): unchecked cast of a plain map entry; absent key yields null here.
  Context stellarContext = (Context) cfg.getConfiguration().get(STELLAR_CONTEXT_CONF);
  ConfigHandler handler = getHandler.apply(cfg);
  Map<String, Object> globalConfig = cfg.getConfiguration();
  Map<String, Object> sensorConfig = cfg.getEnrichment().getConfig();
  if (handler == null) {
    _LOG.trace("Stellar ConfigHandler is null.");
    return new JSONObject();
  }

  // Slow-expression logging is only worth configuring when the perf logger will emit it.
  Long slowLogThreshold = null;
  if (_PERF_LOG.isDebugEnabled()) {
    Object configured = globalConfig.getOrDefault(STELLAR_SLOW_LOG, STELLAR_SLOW_LOG_DEFAULT);
    slowLogThreshold = ConversionUtils.convert(configured, Long.class);
  }

  // process() mutates the message; work on a copy so the cached value stays intact,
  // otherwise the mutated cache entry would stop matching and cause cache misses.
  Map<String, Object> workingCopy = new HashMap<>(value.getValue(Map.class));
  VariableResolver resolver = new MapVariableResolver(workingCopy, sensorConfig, globalConfig);
  StellarProcessor processor = new StellarProcessor();

  JSONObject enriched = process(workingCopy,
                                handler,
                                value.getField(),
                                slowLogThreshold,
                                processor,
                                resolver,
                                stellarContext);
  _LOG.trace("Stellar Enrichment Success: {}", enriched);
  return enriched;
}
continue; config.getConfiguration().putIfAbsent(STELLAR_CONTEXT_CONF, stellarContext); CacheKey cacheKey= new CacheKey(field, value, config); try {
/**
 * Enriching the same message ten times with an equal config must hit the cache:
 * the adapter may be invoked at most twice.
 */
@Test
public void testCacheHit() throws Exception {
  numAccesses.set(0);
  JSONObject message = new JSONObject();
  message.put(Constants.SENSOR_TYPE, "test");
  final int rounds = 10;
  for (int round = 0; round < rounds; round++) {
    // A freshly loaded config each round: equality (not identity) must drive the cache key.
    SensorEnrichmentConfig config = JSONUtils.INSTANCE.load(goodConfig, SensorEnrichmentConfig.class);
    config.getConfiguration().putIfAbsent("stellarContext", stellarContext);
    enricher.apply(message, EnrichmentStrategies.ENRICHMENT, config, null);
  }
  // At most two real adapter.enrich calls are expected; the rest are served from the cache.
  Assert.assertTrue(2 >= numAccesses.get());
}
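/**
 * A config naming an enrichment type with no registered adapter must be rejected with
 * an {@code IllegalStateException} listing the adapters that do exist.
 *
 * Fix: the original passed the actual message as the "expected" argument of
 * {@code assertEquals}, which inverts the expected/actual labels in the failure
 * report; arguments are now in JUnit's (expected, actual) order.
 */
@Test
public void testBadConfigWrongEnrichmentType() throws Exception {
  SensorEnrichmentConfig config =
      JSONUtils.INSTANCE.load(badConfigWrongEnrichmentType, SensorEnrichmentConfig.class);
  config.getConfiguration().putIfAbsent("stellarContext", stellarContext);
  JSONObject message = new JSONObject();
  message.put(Constants.SENSOR_TYPE, "test");
  try {
    enricher.apply(message, EnrichmentStrategies.ENRICHMENT, config, null);
    Assert.fail("This is an invalid config, we should have failed.");
  } catch (IllegalStateException ise) {
    String expected = "Unable to find an adapter for hbaseThreatIntel, possible adapters are: "
        + Joiner.on(",").join(enrichmentsByType.keySet());
    Assert.assertEquals(expected, ise.getMessage());
  }
}
}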
config.getConfiguration().putIfAbsent(STELLAR_CONTEXT_CONF, stellarContext); String guid = getGUID(input, message);
/**
 * Scores a message against the configured risk-level rules.
 *
 * Each rule's predicate is evaluated against the message (with the sensor configuration
 * and the threat-intel config as additional variable scopes); for every rule that
 * matches, its reason and score expressions are evaluated and recorded. The per-rule
 * scores are then combined by the configured aggregator into the overall score.
 *
 * NOTE(review): rule, reason and score are Stellar expressions taken from the triage
 * config, so whoever can edit that config can run arbitrary Stellar here — treat the
 * config store as trusted input.
 *
 * @param message The message being triaged.
 * @return the threat score holding every matched rule's score plus the aggregate
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map message) {
  StellarPredicateProcessor predicates = new StellarPredicateProcessor();
  StellarProcessor expressions = new StellarProcessor();
  VariableResolver resolver = new MapVariableResolver(message,
                                                      sensorConfig.getConfiguration(),
                                                      threatIntelConfig.getConfig());
  ThreatScore result = new ThreatScore();

  for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
    boolean matches = predicates.parse(rule.getRule(), resolver, functionResolver, context);
    if (!matches) {
      continue;
    }
    // Matched: record why and how much this rule contributes.
    String reason = execute(rule.getReason(), expressions, resolver, String.class);
    Double score = execute(rule.getScoreExpression(), expressions, resolver, Double.class);
    result.addRuleScore(new RuleScore(rule, reason, score));
  }

  // Collect the recorded scores and let the configured aggregator combine them.
  List<Number> perRule = new ArrayList<>();
  for (RuleScore recorded : result.getRuleScores()) {
    perRule.add(recorded.getScore());
  }
  Aggregators aggregator = threatTriageConfig.getAggregator();
  Double aggregate = aggregator.aggregate(perRule, threatTriageConfig.getAggregationConfig());
  result.setScore(aggregate);
  return result;
}
sensorEnrichmentConfig.getConfiguration().put(GenericEnrichmentBolt.STELLAR_CONTEXT_CONF, genericEnrichmentBolt.getStellarContext()); CacheKey cacheKey1 = new CacheKey("field1", "value1", sensorEnrichmentConfig); CacheKey cacheKey2 = new CacheKey("field2", "value2", sensorEnrichmentConfig);
/**
 * A config with one broken enrichment still produces the other enrichments and the
 * timing fields; the failure is reported through {@code getEnrichmentErrors()}.
 */
@Test
public void testBadConfig() throws Exception {
  SensorEnrichmentConfig config = JSONUtils.INSTANCE.load(badConfig, SensorEnrichmentConfig.class);
  config.getConfiguration().putIfAbsent("stellarContext", stellarContext);
  JSONObject message = new JSONObject();
  message.put(Constants.SENSOR_TYPE, "test");

  ParallelEnricher.EnrichmentResult result =
      enricher.apply(message, EnrichmentStrategies.ENRICHMENT, config, null);
  JSONObject ret = result.getResult();

  Assert.assertEquals(ret + " is not what I expected", 11, ret.size());
  Assert.assertEquals(1, ret.get("map.blah"));
  Assert.assertEquals("test", ret.get("source.type"));
  Assert.assertEquals(1, ret.get("one"));
  Assert.assertEquals(2, ret.get("foo"));
  Assert.assertEquals("TEST", ret.get("ALL_CAPS"));
  // Exactly one enrichment is expected to have failed.
  Assert.assertEquals(1, result.getEnrichmentErrors().size());

  String[] timingKeys = {
      "adapter.accessloggingstellaradapter.begin.ts",
      "adapter.accessloggingstellaradapter.end.ts",
      "parallelenricher.splitter.begin.ts",
      "parallelenricher.splitter.end.ts",
      "parallelenricher.enrich.begin.ts",
      "parallelenricher.enrich.end.ts"
  };
  for (String key : timingKeys) {
    Assert.assertTrue(ret.containsKey(key));
  }
}
/**
 * A well-formed config yields every expected enriched field plus the timing fields,
 * and no enrichment errors.
 */
@Test
public void testGoodConfig() throws Exception {
  SensorEnrichmentConfig config = JSONUtils.INSTANCE.load(goodConfig, SensorEnrichmentConfig.class);
  config.getConfiguration().putIfAbsent("stellarContext", stellarContext);
  JSONObject message = new JSONObject();
  message.put(Constants.SENSOR_TYPE, "test");

  ParallelEnricher.EnrichmentResult result =
      enricher.apply(message, EnrichmentStrategies.ENRICHMENT, config, null);
  JSONObject ret = result.getResult();

  Assert.assertEquals("Got the wrong result count: " + ret, 11, ret.size());
  Assert.assertEquals(1, ret.get("map.blah"));
  Assert.assertEquals("test", ret.get("source.type"));
  Assert.assertEquals(1, ret.get("one"));
  Assert.assertEquals(2, ret.get("foo"));
  Assert.assertEquals("TEST", ret.get("ALL_CAPS"));
  Assert.assertEquals(0, result.getEnrichmentErrors().size());

  String[] timingKeys = {
      "adapter.accessloggingstellaradapter.begin.ts",
      "adapter.accessloggingstellaradapter.end.ts",
      "parallelenricher.splitter.begin.ts",
      "parallelenricher.splitter.end.ts",
      "parallelenricher.enrich.begin.ts",
      "parallelenricher.enrich.end.ts"
  };
  for (String key : timingKeys) {
    Assert.assertTrue(ret.containsKey(key));
  }
}
/**
/**
 * A config whose enrichment section is null still runs the pipeline: only the
 * source type and the timing fields come back (7 entries).
 */
@Test
public void testNullEnrichment() throws Exception {
  SensorEnrichmentConfig config = JSONUtils.INSTANCE.load(nullConfig, SensorEnrichmentConfig.class);
  config.getConfiguration().putIfAbsent("stellarContext", stellarContext);
  JSONObject message = new JSONObject();
  message.put(Constants.SENSOR_TYPE, "test");

  ParallelEnricher.EnrichmentResult result =
      enricher.apply(message, EnrichmentStrategies.ENRICHMENT, config, null);
  JSONObject ret = result.getResult();

  Assert.assertEquals("Got the wrong result count: " + ret, 7, ret.size());

  String[] timingKeys = {
      "adapter.dummyenrichmentadapter.begin.ts",
      "adapter.dummyenrichmentadapter.end.ts",
      "parallelenricher.splitter.begin.ts",
      "parallelenricher.splitter.end.ts",
      "parallelenricher.enrich.begin.ts",
      "parallelenricher.enrich.end.ts"
  };
  for (String key : timingKeys) {
    Assert.assertTrue(ret.containsKey(key));
  }
}