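/**
 * Renders the threat triage rules of a sensor's enrichment config as a text table.
 *
 * @param args Function arguments; element 0 is resolved to a {@code SensorEnrichmentConfig}
 *             by {@code getSensorEnrichmentConfig}.
 * @param context The Stellar execution context (not read by this function).
 * @return A {@code FlipTable} rendering of the risk level rules, followed by an
 *         {@code "Aggregation: <name>"} line when at least one rule exists; the empty
 *         string when the sensor has no threat intel config or no triage config.
 * @throws ParseException If the arguments cannot be resolved to a config.
 */
@Override
public Object apply(List<Object> args, Context context) throws ParseException {
  SensorEnrichmentConfig config = getSensorEnrichmentConfig(args, 0);
  ThreatIntelConfig tiConfig =
      (ThreatIntelConfig) getConfig(config, EnrichmentConfigFunctions.Type.THREAT_INTEL);
  if (tiConfig == null) {
    return "";
  }
  org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig triageConfig =
      tiConfig.getTriageConfig();
  if (triageConfig == null) {
    return "";
  }

  // One row per rule. Every cell is defaulted to "" - including the rule string and the
  // score expression, which previously went through unguarded - so a rule with a missing
  // field never hands a null cell to FlipTable.
  List<RiskLevelRule> triageRules = ListUtils.emptyIfNull(triageConfig.getRiskLevelRules());
  String[] headers = new String[] {"Name", "Comment", "Triage Rule", "Score", "Reason"};
  String[][] data = new String[triageRules.size()][];
  int row = 0;
  for (RiskLevelRule rule : triageRules) {
    String name = Optional.ofNullable(rule.getName()).orElse("");
    String comment = Optional.ofNullable(rule.getComment()).orElse("");
    String ruleExpression = Optional.ofNullable(rule.getRule()).orElse("");
    String score = Optional.ofNullable(rule.getScoreExpression()).orElse("");
    String reason = Optional.ofNullable(rule.getReason()).orElse("");
    data[row++] = new String[] {name, comment, ruleExpression, score, reason};
  }
  String ret = FlipTable.of(headers, data);

  // The aggregation line only makes sense when there are rules to aggregate.
  // NOTE(review): assumes getAggregator() is non-null whenever rules exist - confirm
  // against ThreatTriageConfig's defaults.
  if (!triageRules.isEmpty()) {
    ret += "Aggregation: " + triageConfig.getAggregator().name();
  }
  return ret;
}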
result.put(SCORE_KEY, score.getScore()); result.put(RULES_KEY, scores); result.put(AGG_KEY, config.getThreatIntel().getTriageConfig().getAggregator().toString()); return result;
/**
 * Scores a message against the configured risk level rules.
 *
 * <p>Each rule whose predicate matches the message contributes one {@code RuleScore}; its
 * reason and score are themselves Stellar expressions evaluated against the same variables.
 * The per-rule scores are then combined by the configured aggregator into the overall score.
 *
 * @param message The message being triaged; may be null.
 * @return The resulting {@code ThreatScore}, holding one {@code RuleScore} per matching rule
 *         and the aggregated overall score.
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map message) {
  ThreatScore result = new ThreatScore();
  StellarPredicateProcessor predicates = new StellarPredicateProcessor();
  StellarProcessor expressions = new StellarProcessor();
  VariableResolver resolver = new MapVariableResolver(
      message, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());

  for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
    boolean matches = predicates.parse(rule.getRule(), resolver, functionResolver, context);
    if (!matches) {
      continue;
    }
    // The rule fired: evaluate its reason and score expressions and record them.
    String reason = execute(rule.getReason(), expressions, resolver, String.class);
    Double score = execute(rule.getScoreExpression(), expressions, resolver, Double.class);
    result.addRuleScore(new RuleScore(rule, reason, score));
  }

  // Fold the individual rule scores into a single aggregate.
  List<Number> scores = new ArrayList<>();
  for (RuleScore ruleScore : result.getRuleScores()) {
    scores.add(ruleScore.getScore());
  }
  Aggregators aggregator = threatTriageConfig.getAggregator();
  Double overall = aggregator.aggregate(scores, threatTriageConfig.getAggregationConfig());
  result.setScore(overall);
  return result;
}