Sure, I understand. I just did that so others have an example to work with
for future reference.
On Tue, Oct 3, 2017 at 11:49 AM, Laurens Vets <laur...@daemon.be> wrote:
> Thanks Nick! I'm still on 0.4.1-release, so I haven't had a chance to play
> with your additional THREAT_TRIAGE_* things.
>
>
> On 2017-10-03 08:40, Nick Allen wrote:
>
>> Laurens -
>>
>> The problem is that we expect a Stellar expression for the "reason" field.
>> What you are providing is a string that is not a valid Stellar expression.
>> For it to be a valid expression you need to add another set of quotes to
>> make it a Stellar string; " 'No MFA used.' ".
>>
>> I definitely see how this can be confusing. Here is a REPL session of me
>> working through the problem. I can see that there is clearly a problem
>> using the REPL.
>>
>> (1) Create the rule set that you mentioned in your email.
>>
>> [Stellar]>>> input := SHELL_EDIT(input)
>>
>> [Stellar]>>> input
>>
>> [
>>
>> {
>>
>> "name": "Not WORK",
>>
>> "comment": "Checks whether the field is_work is true or
>> false.",
>>
>> "rule": "is_work == false",
>>
>> "score": 20,
>>
>> "reason": "FORMAT('%s is not a WORK network!',
>> sourceIPAddress)"
>>
>> },
>>
>> {
>>
>> "name": "MFA",
>>
>> "comment": "Checks whether MFA used or not.",
>>
>> "rule":
>> "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
>>
>> "score": 20,
>>
>> "reason": "No MFA used."
>>
>> },
>>
>> {
>>
>> "name": "MFA2",
>>
>> "comment": "Checks whether MFA used or not.",
>>
>> "rule": "additionalEventData:MFAUsed == \"No\"",
>>
>> "score": 20,
>>
>> "reason": "No MFA used."
>>
>> }
>>
>> ]
>>
>> [Stellar]>>> rules := TO_JSON_LIST(input)
>>
>>
>> (2) Initialize the threat triage engine and add the rules.
>>
>>
>> [Stellar]>>> t := THREAT_TRIAGE_INIT()
>>
>> [Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
>>
>> [!] Unable to parse No MFA used.: Unable to parse: No MFA used. due to:
>> org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no
>> viable
>> alternative at input 'NoMFA'
>>
>> org.apache.metron.stellar.dsl.ParseException: Unable to parse No MFA
>> used.:
>> Unable to parse: No MFA used. due to:
>> org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no
>> viable
>> alternative at input 'NoMFA'
>>
>> at
>> org.apache.metron.stellar.common.BaseStellarProcessor.valida
>> te(BaseStellarProcessor.java:240)
>>
>> at
>> org.apache.metron.stellar.common.BaseStellarProcessor.valida
>> te(BaseStellarProcessor.java:199)
>>
>> at
>> org.apache.metron.common.configuration.enrichment.threatinte
>> l.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:63)
>>
>> at
>> org.apache.metron.management.ThreatTriageFunctions$AddStella
>> rTransformation.apply(ThreatTriageFunctions.java:346)
>>
>> at
>> org.apache.metron.stellar.common.StellarCompiler.lambda$exit
>> TransformationFunc$13(StellarCompiler.java:570)
>>
>> at
>> org.apache.metron.stellar.common.StellarCompiler$Expression.
>> apply(StellarCompiler.java:169)
>>
>> at
>> org.apache.metron.stellar.common.BaseStellarProcessor.parse(
>> BaseStellarProcessor.java:152)
>>
>> at
>> org.apache.metron.stellar.common.shell.StellarExecutor.execu
>> te(StellarExecutor.java:292)
>>
>> at
>> org.apache.metron.stellar.common.shell.StellarShell.handleSt
>> ellar(StellarShell.java:277)
>>
>> at
>> org.apache.metron.stellar.common.shell.StellarShell.execute(
>> StellarShell.java:509)
>>
>> at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
>>
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>>
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>>
>> at java.lang.Thread.run(Thread.java:745)
>>
>> Caused by: org.apache.metron.stellar.dsl.ParseException: Unable to parse:
>> No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax
>> error @ 1:3 no viable ...
>>
>>
>> (3) Clearly there is a problem. I then edited the input to add the quotes
>> as I suggested.
>>
>>
>> [Stellar]>>> input := SHELL_EDIT(input)
>>
>> [Stellar]>>> input
>>
>> [
>>
>> {
>>
>> "name": "Not WORK",
>>
>> "comment": "Checks whether the field is_work is true or
>> false.",
>>
>> "rule": "is_work == false",
>>
>> "score": 20,
>>
>> "reason": "FORMAT('%s is not a WORK network!',
>> sourceIPAddress)"
>>
>> },
>>
>> {
>>
>> "name": "MFA",
>>
>> "comment": "Checks whether MFA used or not.",
>>
>> "rule":
>> "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
>>
>> "score": 20,
>>
>> "reason": "'No MFA used.'"
>>
>> },
>>
>> {
>>
>> "name": "MFA2",
>>
>> "comment": "Checks whether MFA used or not.",
>>
>> "rule": "additionalEventData:MFAUsed == \"No\"",
>>
>> "score": 20,
>>
>> "reason": "'No MFA used.'"
>>
>> }
>>
>> ]
>>
>> [Stellar]>>> rules := TO_JSON_LIST(input)
>>
>>
>>
>> (4)
>> Again, i
>> nitialize the threat triage engine and add the rules.
>>
>>
>> [Stellar]>>> t := THREAT_TRIAGE_INIT()
>>
>> [Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
>>
>> {
>>
>> "enrichment" : {
>>
>> "fieldMap" : { },
>>
>> "fieldToTypeMap" : { },
>>
>> "config" : { }
>>
>> },
>>
>> "threatIntel" : {
>>
>> "fieldMap" : { },
>>
>> "fieldToTypeMap" : { },
>>
>> "config" : { },
>>
>> "triageConfig" : {
>>
>> "riskLevelRules" : [ {
>>
>> "name" : "Not WORK",
>>
>> "comment" : "Checks whether the field is_work is true or false.",
>>
>> "rule" : "is_work == false",
>>
>> "score" : 20.0,
>>
>> "reason" : "FORMAT('%s is not a WORK network!', sourceIPAddress)"
>>
>> }, {
>>
>> "name" : "MFA",
>>
>> "comment" : "Checks whether MFA used or not.",
>>
>> "rule" : "userIdentity:sessionContext:attributes:mfaAuthenticated
>> == \"False\"",
>>
>> "score" : 20.0,
>>
>> "reason" : "'No MFA used.'"
>>
>> }, {
>>
>> "name" : "MFA2",
>>
>> "comment" : "Checks whether MFA used or not.",
>>
>> "rule" : "additionalEventData:MFAUsed == \"No\"",
>>
>> "score" : 20.0,
>>
>> "reason" : "'No MFA used.'"
>>
>> } ],
>>
>> "aggregator" : "MAX",
>>
>> "aggregationConfig" : { }
>>
>> }
>>
>> },
>>
>> "configuration" : { }
>>
>> }
>>
>>
>> (5) As you can see the rules are now valid; no more exceptions. From here
>> you could score some mock telemetry to validate your rule set further.
>>
>>
>> Hope this helps.
>>
>> On Thu, Sep 28, 2017 at 12:42 PM, Laurens Vets <laur...@daemon.be> wrote:
>>
>> I have the following riskLevelRules:
>>>
>>> "riskLevelRules": [
>>> {
>>> "name": "Not WORK",
>>> "comment": "Checks whether the field is_work is true or
>>> false.",
>>> "rule": "is_work == false",
>>> "score": 20,
>>> "reason": "FORMAT('%s is not a WORK network!',
>>> sourceIPAddress)"
>>> },
>>> {
>>> "name": "MFA",
>>> "comment": "Checks whether MFA used or not.",
>>> "rule": "userIdentity:sessionContext:a
>>> ttributes:mfaAuthenticated
>>> == \"False\"",
>>> "score": 20,
>>> "reason": null
>>> },
>>> {
>>> "name": "MFA2",
>>> "comment": "Checks whether MFA used or not.",
>>> "rule": "additionalEventData:MFAUsed == \"No\"",
>>> "score": 20,
>>> "reason": null
>>> }
>>> ],
>>>
>>> When I try to change the reason in the 2nd and 3rd from null to "No MFA
>>> used.", I get the error message: "Modified Sensor parser config but
>>> unable
>>> to save enrichment configuration: JSON.parse: unexpected end of data at
>>> line 1 column 1 of the JSON data" and the reason is reverted back to
>>> null.
>>> Changing other items in the above works fine.
>>>
>>> Any idea what might be going on?
>>>
>>>
