Laurens - The problem is that we expect a Stellar expression for the "reason" field. What you are providing is a string that is not a valid Stellar expression. For it to be a valid expression you need to add another set of quotes to make it a Stellar string; " 'No MFA used.' ".
I definitely see how this can be confusing. Here is a REPL session of me working through the problem. I can see that there is clearly a problem using the REPL.

(1) Create the rule set that you mentioned in your email.

    [Stellar]>>> input := SHELL_EDIT(input)
    [Stellar]>>> input
    [
      {
        "name": "Not WORK",
        "comment": "Checks whether the field is_work is true or false.",
        "rule": "is_work == false",
        "score": 20,
        "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
      },
      {
        "name": "MFA",
        "comment": "Checks whether MFA used or not.",
        "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
        "score": 20,
        "reason": "No MFA used."
      },
      {
        "name": "MFA2",
        "comment": "Checks whether MFA used or not.",
        "rule": "additionalEventData:MFAUsed == \"No\"",
        "score": 20,
        "reason": "No MFA used."
      }
    ]
    [Stellar]>>> rules := TO_JSON_LIST(input)

(2) Initialize the threat triage engine and add the rules.

    [Stellar]>>> t := THREAT_TRIAGE_INIT()
    [Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
    [!] Unable to parse No MFA used.: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable alternative at input 'NoMFA'
    org.apache.metron.stellar.dsl.ParseException: Unable to parse No MFA used.: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable alternative at input 'NoMFA'
        at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:240)
        at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
        at org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:63)
        at org.apache.metron.management.ThreatTriageFunctions$AddStellarTransformation.apply(ThreatTriageFunctions.java:346)
        at org.apache.metron.stellar.common.StellarCompiler.lambda$exitTransformationFunc$13(StellarCompiler.java:570)
        at org.apache.metron.stellar.common.StellarCompiler$Expression.apply(StellarCompiler.java:169)
        at org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:152)
        at org.apache.metron.stellar.common.shell.StellarExecutor.execute(StellarExecutor.java:292)
        at org.apache.metron.stellar.common.shell.StellarShell.handleStellar(StellarShell.java:277)
        at org.apache.metron.stellar.common.shell.StellarShell.execute(StellarShell.java:509)
        at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: org.apache.metron.stellar.dsl.ParseException: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable ...

(3) Clearly there is a problem. I then edited the input to add the quotes as I suggested.

    [Stellar]>>> input := SHELL_EDIT(input)
    [Stellar]>>> input
    [
      {
        "name": "Not WORK",
        "comment": "Checks whether the field is_work is true or false.",
        "rule": "is_work == false",
        "score": 20,
        "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
      },
      {
        "name": "MFA",
        "comment": "Checks whether MFA used or not.",
        "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
        "score": 20,
        "reason": "'No MFA used.'"
      },
      {
        "name": "MFA2",
        "comment": "Checks whether MFA used or not.",
        "rule": "additionalEventData:MFAUsed == \"No\"",
        "score": 20,
        "reason": "'No MFA used.'"
      }
    ]
    [Stellar]>>> rules := TO_JSON_LIST(input)

(4) Again, initialize the threat triage engine and add the rules.

    [Stellar]>>> t := THREAT_TRIAGE_INIT()
    [Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
    {
      "enrichment" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { }
      },
      "threatIntel" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { },
        "triageConfig" : {
          "riskLevelRules" : [
            {
              "name" : "Not WORK",
              "comment" : "Checks whether the field is_work is true or false.",
              "rule" : "is_work == false",
              "score" : 20.0,
              "reason" : "FORMAT('%s is not a WORK network!', sourceIPAddress)"
            },
            {
              "name" : "MFA",
              "comment" : "Checks whether MFA used or not.",
              "rule" : "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
              "score" : 20.0,
              "reason" : "'No MFA used.'"
            },
            {
              "name" : "MFA2",
              "comment" : "Checks whether MFA used or not.",
              "rule" : "additionalEventData:MFAUsed == \"No\"",
              "score" : 20.0,
              "reason" : "'No MFA used.'"
            }
          ],
          "aggregator" : "MAX",
          "aggregationConfig" : { }
        }
      },
      "configuration" : { }
    }

(5) As you can see the rules are now valid; no more exceptions. From here you could score some mock telemetry to validate your rule set further. Hope this helps.
On Thu, Sep 28, 2017 at 12:42 PM, Laurens Vets <laur...@daemon.be> wrote:
> I have the following riskLevelRules:
>
> "riskLevelRules": [
>   {
>     "name": "Not WORK",
>     "comment": "Checks whether the field is_work is true or false.",
>     "rule": "is_work == false",
>     "score": 20,
>     "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
>   },
>   {
>     "name": "MFA",
>     "comment": "Checks whether MFA used or not.",
>     "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
>     "score": 20,
>     "reason": null
>   },
>   {
>     "name": "MFA2",
>     "comment": "Checks whether MFA used or not.",
>     "rule": "additionalEventData:MFAUsed == \"No\"",
>     "score": 20,
>     "reason": null
>   }
> ],
>
> When I try to change the reason in the 2nd and 3rd from null to "No MFA
> used.", I get the error message: "Modified Sensor parser config but unable
> to save enrichment configuration: JSON.parse: unexpected end of data at
> line 1 column 1 of the JSON data" and the reason is reverted back to null.
> Changing other items in the above works fine.
>
> Any idea what might be going on?
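The point made in the reply is that every "reason" (and "rule") value in riskLevelRules is a Stellar expression, so prose such as No MFA used. must be written as the string literal 'No MFA used.' inside the JSON string. The script below is an added example for this thread, not Metron code: it does not run Stellar, it only applies one narrow heuristic (two adjacent bare words with no operator between them, which is exactly the shape that produced "no viable alternative at input 'NoMFA'") to catch the mistake before the configuration is submitted, and it rewrites such reasons as string literals. The keyword list and the word/literal regexes are assumptions for the heuristic, not the Stellar grammar; the authoritative check is still THREAT_TRIAGE_ADD in the REPL, as shown above. The rule set is constructed from the one in the thread.

```python
"""Lint Apache Metron threat-triage riskLevelRules before saving them.

Added example, not Metron code and not a Stellar parser. Heuristic:
a "reason"/"rule" value containing two adjacent bare words (e.g. "No MFA")
with no operator between them cannot be a Stellar expression.
"""
import copy
import json
import re

# Words that may legitimately sit next to an identifier in Stellar
# (assumed list for the heuristic, not the full grammar).
_KEYWORDS = {"in", "not", "and", "or", "true", "false", "null", "nan", "exists"}
_QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")          # string literals
_LITERAL = re.compile(r"\s*(?:'[^']*'|\"[^\"]*\")\s*")  # whole value is one literal
_WORD = re.compile(r"^[A-Za-z_][\w:.]*$")             # a:b:c identifiers, "used."


def is_string_literal(expr):
    """True if the whole value is a single quoted Stellar string literal."""
    return isinstance(expr, str) and _LITERAL.fullmatch(expr) is not None


def looks_like_bare_text(expr):
    """True if expr reads as prose rather than as a Stellar expression."""
    if not isinstance(expr, str) or is_string_literal(expr):
        return False
    tokens = _QUOTED.sub(" ", expr).split()   # ignore words inside literals
    for left, right in zip(tokens, tokens[1:]):
        if (_WORD.match(left) and _WORD.match(right)
                and left.lower() not in _KEYWORDS
                and right.lower() not in _KEYWORDS):
            return True
    return False


def quote_reason(text):
    """Wrap plain text as a Stellar string literal, single quotes preferred."""
    if "'" not in text:
        return "'%s'" % text
    if '"' not in text:
        return '"%s"' % text
    raise ValueError("reason mixes both quote characters; rewrite it: %r" % text)


def lint_rules(rules):
    """Return (rule name, field, message) for every value that looks wrong."""
    findings = []
    for rule in rules:
        for field in ("rule", "reason"):
            value = rule.get(field)
            if value is None:
                continue  # a null reason is accepted, as in the original config
            if looks_like_bare_text(value):
                findings.append((rule.get("name"), field,
                                 "looks like plain text, not a Stellar expression"))
    return findings


def fix_rules(rules):
    """Copy of rules with bare-text reasons turned into string literals."""
    fixed = copy.deepcopy(rules)
    for rule in fixed:
        reason = rule.get("reason")
        if looks_like_bare_text(reason):
            rule["reason"] = quote_reason(reason)
    return fixed


# Constructed from the rule set in the thread: the first rule is fine, the
# other two carry the unquoted reason that THREAT_TRIAGE_ADD rejected.
RULES_JSON = r"""[
  {"name": "Not WORK", "comment": "Checks whether the field is_work is true or false.",
   "rule": "is_work == false", "score": 20,
   "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"},
  {"name": "MFA", "comment": "Checks whether MFA used or not.",
   "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
   "score": 20, "reason": "No MFA used."},
  {"name": "MFA2", "comment": "Checks whether MFA used or not.",
   "rule": "additionalEventData:MFAUsed == \"No\"", "score": 20,
   "reason": "No MFA used."}
]"""
RULES = json.loads(RULES_JSON)


if __name__ == "__main__":
    for name, field, message in lint_rules(RULES):
        print("rule %r, field %r: %s" % (name, field, message))
    print(json.dumps(fix_rules(RULES), indent=2))
```

Run it against the riskLevelRules array cut from the enrichment config and paste the fixed output back; the two MFA rules come out with "reason": "'No MFA used.'", which is the form that THREAT_TRIAGE_ADD accepted in the REPL session above. Because the check is a heuristic, treat a clean result as "nothing obviously wrong" and still validate the rule set with THREAT_TRIAGE_ADD before saving it.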