Laurens -

The problem is that we expect a Stellar expression for the "reason" field. What you are providing is a string that is not a valid Stellar expression. For it to be a valid expression you need to add another set of quotes to make it a Stellar string: " 'No MFA used.' ".

I definitely see how this can be confusing. Here is a REPL session of me working through the problem. I can see that there is clearly a problem using the REPL.
(1) Create the rule set that you mentioned in your email.

[Stellar]>>> input := SHELL_EDIT(input)
[Stellar]>>> input
[
  {
    "name": "Not WORK",
    "comment": "Checks whether the field is_work is true or false.",
    "rule": "is_work == false",
    "score": 20,
    "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
  },
  {
    "name": "MFA",
    "comment": "Checks whether MFA used or not.",
    "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
    "score": 20,
    "reason": "No MFA used."
  },
  {
    "name": "MFA2",
    "comment": "Checks whether MFA used or not.",
    "rule": "additionalEventData:MFAUsed == \"No\"",
    "score": 20,
    "reason": "No MFA used."
  }
]
[Stellar]>>> rules := TO_JSON_LIST(input)
(2) Initialize the threat triage engine and add the rules.

[Stellar]>>> t := THREAT_TRIAGE_INIT()
[Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
[!] Unable to parse No MFA used.: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable alternative at input 'NoMFA'
org.apache.metron.stellar.dsl.ParseException: Unable to parse No MFA used.: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable alternative at input 'NoMFA'
    at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:240)
    at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
    at org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:63)
    at org.apache.metron.management.ThreatTriageFunctions$AddStellarTransformation.apply(ThreatTriageFunctions.java:346)
    at org.apache.metron.stellar.common.StellarCompiler.lambda$exitTransformationFunc$13(StellarCompiler.java:570)
    at org.apache.metron.stellar.common.StellarCompiler$Expression.apply(StellarCompiler.java:169)
    at org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:152)
    at org.apache.metron.stellar.common.shell.StellarExecutor.execute(StellarExecutor.java:292)
    at org.apache.metron.stellar.common.shell.StellarShell.handleStellar(StellarShell.java:277)
    at org.apache.metron.stellar.common.shell.StellarShell.execute(StellarShell.java:509)
    at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.metron.stellar.dsl.ParseException: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable ...
(3) Clearly there is a problem. I then edited the input to add the quotes as I suggested.

[Stellar]>>> input := SHELL_EDIT(input)
[Stellar]>>> input
[
  {
    "name": "Not WORK",
    "comment": "Checks whether the field is_work is true or false.",
    "rule": "is_work == false",
    "score": 20,
    "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
  },
  {
    "name": "MFA",
    "comment": "Checks whether MFA used or not.",
    "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
    "score": 20,
    "reason": "'No MFA used.'"
  },
  {
    "name": "MFA2",
    "comment": "Checks whether MFA used or not.",
    "rule": "additionalEventData:MFAUsed == \"No\"",
    "score": 20,
    "reason": "'No MFA used.'"
  }
]
[Stellar]>>> rules := TO_JSON_LIST(input)
(4) Again, initialize the threat triage engine and add the rules.

[Stellar]>>> t := THREAT_TRIAGE_INIT()
[Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
{
  "enrichment" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : [ {
        "name" : "Not WORK",
        "comment" : "Checks whether the field is_work is true or false.",
        "rule" : "is_work == false",
        "score" : 20.0,
        "reason" : "FORMAT('%s is not a WORK network!', sourceIPAddress)"
      }, {
        "name" : "MFA",
        "comment" : "Checks whether MFA used or not.",
        "rule" : "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
        "score" : 20.0,
        "reason" : "'No MFA used.'"
      }, {
        "name" : "MFA2",
        "comment" : "Checks whether MFA used or not.",
        "rule" : "additionalEventData:MFAUsed == \"No\"",
        "score" : 20.0,
        "reason" : "'No MFA used.'"
      } ],
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  },
  "configuration" : { }
}
(5) As you can see the rules are now valid; no more exceptions. From here you could score some mock telemetry to validate your rule set further.

Hope this helps.
On Thu, Sep 28, 2017 at 12:42 PM, Laurens Vets <[email protected]> wrote:

I have the following riskLevelRules:

"riskLevelRules": [
  {
    "name": "Not WORK",
    "comment": "Checks whether the field is_work is true or false.",
    "rule": "is_work == false",
    "score": 20,
    "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
  },
  {
    "name": "MFA",
    "comment": "Checks whether MFA used or not.",
    "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
    "score": 20,
    "reason": null
  },
  {
    "name": "MFA2",
    "comment": "Checks whether MFA used or not.",
    "rule": "additionalEventData:MFAUsed == \"No\"",
    "score": 20,
    "reason": null
  }
],

When I try to change the reason in the 2nd and 3rd from null to "No MFA used.", I get the error message: "Modified Sensor parser config but unable to save enrichment configuration: JSON.parse: unexpected end of data at line 1 column 1 of the JSON data" and the reason is reverted back to null.

Changing other items in the above works fine.

Any idea what might be going on?
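An added pre-flight check for the mistake discussed in this thread (not code from the thread or from Metron): it walks a riskLevelRules list, flags any "reason" that is bare text rather than a Stellar string literal or function call, and rewrites it as a quoted Stellar string before the config is pushed. The "is already an expression" test is a regex heuristic and an assumption, not Stellar's real grammar; the sample rules below are constructed from the thread.

```python
import json
import re

# Constructed sample: the three reason styles seen in the thread
# (function-call expression, bare text, and null).
RULES_JSON = r'''
[
  {"name": "Not WORK", "rule": "is_work == false", "score": 20,
   "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"},
  {"name": "MFA", "rule": "additionalEventData:MFAUsed == \"No\"", "score": 20,
   "reason": "No MFA used."},
  {"name": "MFA2", "rule": "additionalEventData:MFAUsed == \"No\"", "score": 20,
   "reason": null}
]
'''

# Heuristic (assumption, not Stellar's grammar): a reason already parses if it is
# one complete quoted string literal or an identifier followed by a call.
STRING_LITERAL = re.compile(r"^(?:'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")$")
FUNCTION_CALL = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\(.*\)$", re.S)


def needs_quoting(reason):
    """True when `reason` is bare text that the Stellar parser would reject."""
    if reason is None:
        return False  # null reasons are accepted, as in the original config
    text = reason.strip()
    return not (STRING_LITERAL.match(text) or FUNCTION_CALL.match(text))


def to_stellar_string(text):
    """Wrap bare text as a Stellar string literal, choosing a delimiter it lacks."""
    if "'" not in text:
        return "'" + text + "'"
    if '"' not in text:
        return '"' + text + '"'
    raise ValueError("reason contains both quote styles; quote it by hand: " + text)


def fix_reasons(rules):
    """Rewrite bare-text reasons in place; return (rules, names that changed)."""
    changed = []
    for rule in rules:
        if needs_quoting(rule.get("reason")):
            rule["reason"] = to_stellar_string(rule["reason"])
            changed.append(rule["name"])
    return rules, changed


def load_and_fix(rules_json):
    """Parse a riskLevelRules JSON array and fix it; returns (rules, changed)."""
    return fix_reasons(json.loads(rules_json))


if __name__ == "__main__":
    fixed, changed = load_and_fix(RULES_JSON)
    print("rewrote reason for:", changed)
    print(json.dumps(fixed, indent=2))
```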