/**
 * Returns the risk level rules that this triage applies.
 *
 * <p>The list is handed back exactly as held by {@code threatTriageConfig}; no copy is made.
 *
 * @return the configured risk level rules
 */
public List<RiskLevelRule> getRiskLevelRules() {
  return this.threatTriageConfig.getRiskLevelRules();
}
/**
 * Summarises this triage by its rule count, e.g. {@code ThreatTriage{3 rule(s)}}.
 *
 * @return a short human-readable description
 */
@Override
public String toString() {
  final int ruleCount = threatTriageConfig.getRiskLevelRules().size();
  return String.format("ThreatTriage{%d rule(s)}", ruleCount);
}
}
if(LOG.isDebugEnabled() && (triageConfig.getRiskLevelRules() == null || triageConfig.getRiskLevelRules().isEmpty())) { LOG.debug("{}: Empty rules!", sourceType); String rules = Joiner.on('\n').join(triageConfig.getRiskLevelRules()); LOG.debug("Marked {} as triage level {} with rules {}", sourceType, score.getScore(), rules);
tiConfig.setTriageConfig(triageConfig); List<RiskLevelRule> triageRules = triageConfig.getRiskLevelRules(); if(triageRules == null) { triageRules = new ArrayList<>();
List<RiskLevelRule> allRules = ListUtils.union(triageConfig.getRiskLevelRules(), newRules); triageConfig.setRiskLevelRules(allRules);
@Override public Object apply(List<Object> args, Context context) throws ParseException { SensorEnrichmentConfig config = getSensorEnrichmentConfig(args, 0); ThreatIntelConfig tiConfig = (ThreatIntelConfig) getConfig(config, EnrichmentConfigFunctions.Type.THREAT_INTEL); if(tiConfig == null) { return ""; } org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig triageConfig = tiConfig.getTriageConfig(); if(triageConfig == null) { return ""; } // print each rule List<RiskLevelRule> triageRules = ListUtils.emptyIfNull(triageConfig.getRiskLevelRules()); String[] headers = new String[] {"Name", "Comment", "Triage Rule", "Score", "Reason"}; String[][] data = new String[triageRules.size()][5]; int i = 0; for(RiskLevelRule rule : triageRules) { String score = rule.getScoreExpression(); String name = Optional.ofNullable(rule.getName()).orElse(""); String comment = Optional.ofNullable(rule.getComment()).orElse(""); String reason = Optional.ofNullable(rule.getReason()).orElse(""); data[i++] = new String[] {name, comment, rule.getRule(), score, reason}; } String ret = FlipTable.of(headers, data); // print the aggregation if(!triageRules.isEmpty()) { ret += "Aggregation: " + triageConfig.getAggregator().name(); } return ret; }
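/**
 * Sets the threat triage aggregator, and optionally its aggregation config, on a sensor
 * enrichment config. Missing threat-intel, triage and rule-list sections are created so the
 * aggregator can always be stored.
 *
 * @param args element 0 is the sensor enrichment config, element 1 the aggregator name, and
 *     optional element 2 a {@code Map<String, Object>} of aggregation config
 * @param context the Stellar execution context
 * @return the updated config serialised with {@code toJSON}
 * @throws ParseException propagated from argument handling, as declared by the function contract
 * @throws IllegalArgumentException if the aggregator argument is missing, or if a supplied
 *     aggregator or aggregation config has the wrong type
 */
@Override
public Object apply(List<Object> args, Context context) throws ParseException {
  // fail early with a clear message rather than an IndexOutOfBoundsException or ClassCastException
  // from the casts below; a null aggregator is still passed through as before
  if (args.size() < 2) {
    throw new IllegalArgumentException("Expected the aggregator name as the second argument");
  }
  final Object rawAggregator = args.get(1);
  if (rawAggregator != null && !(rawAggregator instanceof String)) {
    throw new IllegalArgumentException("Expected the aggregator name to be a String");
  }

  SensorEnrichmentConfig config = getSensorEnrichmentConfig(args, 0);
  ThreatIntelConfig tiConfig =
      (ThreatIntelConfig) getConfig(config, EnrichmentConfigFunctions.Type.THREAT_INTEL);
  if (tiConfig == null) {
    tiConfig = new ThreatIntelConfig();
    config.setThreatIntel(tiConfig);
  }
  org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig triageConfig =
      tiConfig.getTriageConfig();
  if (triageConfig == null) {
    triageConfig =
        new org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig();
    tiConfig.setTriageConfig(triageConfig);
  }
  // an empty rule list is stored so later rule additions have somewhere to go
  List<RiskLevelRule> triageRules = triageConfig.getRiskLevelRules();
  if (triageRules == null) {
    triageRules = new ArrayList<>();
    triageConfig.setRiskLevelRules(triageRules);
  }

  triageConfig.setAggregator((String) rawAggregator);

  if (args.size() > 2) {
    final Object rawAggConfig = args.get(2);
    if (rawAggConfig != null && !(rawAggConfig instanceof Map)) {
      throw new IllegalArgumentException("Expected the aggregation config to be a Map");
    }
    // the instanceof above guards the raw type; key/value types are not verifiable at runtime
    @SuppressWarnings("unchecked")
    final Map<String, Object> aggConfig = (Map<String, Object>) rawAggConfig;
    triageConfig.setAggregationConfig(aggConfig);
  }
  return toJSON(config);
}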
/**
 * Scores a message against every configured risk level rule and aggregates the result.
 *
 * <p>Each rule's predicate, reason and score expression are Stellar expressions taken from the
 * triage configuration; they are evaluated against the message together with the sensor and
 * threat-intel configuration variables.
 *
 * @param message The message being triaged.
 * @return the threat score holding one {@link RuleScore} per matching rule plus the aggregate
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map message) {
  final ThreatScore result = new ThreatScore();
  final StellarPredicateProcessor predicates = new StellarPredicateProcessor();
  final StellarProcessor expressions = new StellarProcessor();
  final VariableResolver variables =
      new MapVariableResolver(message, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());

  // every rule whose predicate holds contributes a (reason, score) pair
  for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
    if (!predicates.parse(rule.getRule(), variables, functionResolver, context)) {
      continue;
    }
    final String reason = execute(rule.getReason(), expressions, variables, String.class);
    final Double ruleScore = execute(rule.getScoreExpression(), expressions, variables, Double.class);
    result.addRuleScore(new RuleScore(rule, reason, ruleScore));
  }

  // fold the individual rule scores with the configured aggregator
  final List<Number> scores = new ArrayList<>();
  for (RuleScore matched : result.getRuleScores()) {
    scores.add(matched.getScore());
  }
  final Aggregators aggregator = threatTriageConfig.getAggregator();
  final Double aggregate = aggregator.aggregate(scores, threatTriageConfig.getAggregationConfig());
  result.setScore(aggregate);
  return result;
}
, 2 ); Assert.assertEquals(1, finalEnrichmentConfig.get("bro").getThreatIntel().getTriageConfig().getRiskLevelRules().size()); Assert.assertTrue( finalEnrichmentConfig.get("bro").toJSON() , ((List<String>)finalEnrichmentConfig.get("bro").getThreatIntel().getFieldMap()
/**
 * A rule whose score is a plain numeric literal deserializes with that literal, unchanged, as
 * its score expression.
 */
@Test
public void shouldAllowNumericRuleScore() throws Exception {
  SensorEnrichmentConfig enrichment =
      (SensorEnrichmentConfig) ENRICHMENT.deserialize(triageRuleWithNumericScore);
  ThreatTriageConfig triage = enrichment.getThreatIntel().getTriageConfig();
  assertNotNull(triage);

  // exactly one rule, every field round-tripped verbatim
  List<RiskLevelRule> rules = triage.getRiskLevelRules();
  assertEquals(1, rules.size());
  RiskLevelRule onlyRule = rules.get(0);
  assertEquals("Rule Name", onlyRule.getName());
  assertEquals("Rule Comment", onlyRule.getComment());
  assertEquals("ip_src_addr == '10.0.2.3'", onlyRule.getRule());
  assertEquals("'Rule Reason'", onlyRule.getReason());
  assertEquals("10", onlyRule.getScoreExpression());
}
/**
 * A rule whose score is a Stellar expression keeps that expression as-is after deserialization;
 * it is not evaluated at parse time.
 */
@Test
public void shouldAllowScoreAsStellarExpression() throws Exception {
  SensorEnrichmentConfig enrichment =
      (SensorEnrichmentConfig) ENRICHMENT.deserialize(triageRuleWithScoreExpression);
  ThreatTriageConfig triage = enrichment.getThreatIntel().getTriageConfig();
  assertNotNull(triage);

  // exactly one rule, every field round-tripped verbatim
  List<RiskLevelRule> rules = triage.getRiskLevelRules();
  assertEquals(1, rules.size());
  RiskLevelRule onlyRule = rules.get(0);
  assertEquals("Rule Name", onlyRule.getName());
  assertEquals("Rule Comment", onlyRule.getComment());
  assertEquals("'Rule Reason'", onlyRule.getReason());
  assertEquals("ip_src_addr == '10.0.2.3'", onlyRule.getRule());
  assertEquals("10 + 10", onlyRule.getScoreExpression());
}
}