Sure, I understand. I just did that so others have an example to work with for future reference.
On Tue, Oct 3, 2017 at 11:49 AM, Laurens Vets <laur...@daemon.be> wrote:
> Thanks Nick! I'm still on 0.4.1-release, so I haven't had a chance to play
> with your additional THREAT_TRIAGE_* things.
>
> On 2017-10-03 08:40, Nick Allen wrote:
>> Laurens -
>>
>> The problem is that we expect a Stellar expression for the "reason" field.
>> What you are providing is a string that is not a valid Stellar expression.
>> For it to be a valid expression you need to add another set of quotes to
>> make it a Stellar string; " 'No MFA used.' ".
>>
>> I definitely see how this can be confusing. Here is a REPL session of me
>> working through the problem. I can see that there is clearly a problem
>> using the REPL.
>>
>> (1) Create the rule set that you mentioned in your email.
>>
>> [Stellar]>>> input := SHELL_EDIT(input)
>> [Stellar]>>> input
>> [
>>   {
>>     "name": "Not WORK",
>>     "comment": "Checks whether the field is_work is true or false.",
>>     "rule": "is_work == false",
>>     "score": 20,
>>     "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
>>   },
>>   {
>>     "name": "MFA",
>>     "comment": "Checks whether MFA used or not.",
>>     "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
>>     "score": 20,
>>     "reason": "No MFA used."
>>   },
>>   {
>>     "name": "MFA2",
>>     "comment": "Checks whether MFA used or not.",
>>     "rule": "additionalEventData:MFAUsed == \"No\"",
>>     "score": 20,
>>     "reason": "No MFA used."
>>   }
>> ]
>> [Stellar]>>> rules := TO_JSON_LIST(input)
>>
>> (2) Initialize the threat triage engine and add the rules.
>>
>> [Stellar]>>> t := THREAT_TRIAGE_INIT()
>> [Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
>> [!] Unable to parse No MFA used.: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable alternative at input 'NoMFA'
>>
>> org.apache.metron.stellar.dsl.ParseException: Unable to parse No MFA used.: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable alternative at input 'NoMFA'
>>     at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:240)
>>     at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
>>     at org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:63)
>>     at org.apache.metron.management.ThreatTriageFunctions$AddStellarTransformation.apply(ThreatTriageFunctions.java:346)
>>     at org.apache.metron.stellar.common.StellarCompiler.lambda$exitTransformationFunc$13(StellarCompiler.java:570)
>>     at org.apache.metron.stellar.common.StellarCompiler$Expression.apply(StellarCompiler.java:169)
>>     at org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:152)
>>     at org.apache.metron.stellar.common.shell.StellarExecutor.execute(StellarExecutor.java:292)
>>     at org.apache.metron.stellar.common.shell.StellarShell.handleStellar(StellarShell.java:277)
>>     at org.apache.metron.stellar.common.shell.StellarShell.execute(StellarShell.java:509)
>>     at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: org.apache.metron.stellar.dsl.ParseException: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable ...
>>
>> (3) Clearly there is a problem. I then edited the input to add the quotes
>> as I suggested.
>>
>> [Stellar]>>> input := SHELL_EDIT(input)
>> [Stellar]>>> input
>> [
>>   {
>>     "name": "Not WORK",
>>     "comment": "Checks whether the field is_work is true or false.",
>>     "rule": "is_work == false",
>>     "score": 20,
>>     "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
>>   },
>>   {
>>     "name": "MFA",
>>     "comment": "Checks whether MFA used or not.",
>>     "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
>>     "score": 20,
>>     "reason": "'No MFA used.'"
>>   },
>>   {
>>     "name": "MFA2",
>>     "comment": "Checks whether MFA used or not.",
>>     "rule": "additionalEventData:MFAUsed == \"No\"",
>>     "score": 20,
>>     "reason": "'No MFA used.'"
>>   }
>> ]
>> [Stellar]>>> rules := TO_JSON_LIST(input)
>>
>> (4) Again, initialize the threat triage engine and add the rules.
>>
>> [Stellar]>>> t := THREAT_TRIAGE_INIT()
>> [Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
>> {
>>   "enrichment" : {
>>     "fieldMap" : { },
>>     "fieldToTypeMap" : { },
>>     "config" : { }
>>   },
>>   "threatIntel" : {
>>     "fieldMap" : { },
>>     "fieldToTypeMap" : { },
>>     "config" : { },
>>     "triageConfig" : {
>>       "riskLevelRules" : [ {
>>         "name" : "Not WORK",
>>         "comment" : "Checks whether the field is_work is true or false.",
>>         "rule" : "is_work == false",
>>         "score" : 20.0,
>>         "reason" : "FORMAT('%s is not a WORK network!', sourceIPAddress)"
>>       }, {
>>         "name" : "MFA",
>>         "comment" : "Checks whether MFA used or not.",
>>         "rule" : "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
>>         "score" : 20.0,
>>         "reason" : "'No MFA used.'"
>>       }, {
>>         "name" : "MFA2",
>>         "comment" : "Checks whether MFA used or not.",
>>         "rule" : "additionalEventData:MFAUsed == \"No\"",
>>         "score" : 20.0,
>>         "reason" : "'No MFA used.'"
>>       } ],
>>       "aggregator" : "MAX",
>>       "aggregationConfig" : { }
>>     }
>>   },
>>   "configuration" : { }
>> }
>>
>> (5) As you can see the rules are now valid; no more exceptions. From here
>> you could score some mock telemetry to validate your rule set further.
>>
>> Hope this helps.
>>
>> On Thu, Sep 28, 2017 at 12:42 PM, Laurens Vets <laur...@daemon.be> wrote:
>>> I have the following riskLevelRules:
>>>
>>> "riskLevelRules": [
>>>   {
>>>     "name": "Not WORK",
>>>     "comment": "Checks whether the field is_work is true or false.",
>>>     "rule": "is_work == false",
>>>     "score": 20,
>>>     "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
>>>   },
>>>   {
>>>     "name": "MFA",
>>>     "comment": "Checks whether MFA used or not.",
>>>     "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
>>>     "score": 20,
>>>     "reason": null
>>>   },
>>>   {
>>>     "name": "MFA2",
>>>     "comment": "Checks whether MFA used or not.",
>>>     "rule": "additionalEventData:MFAUsed == \"No\"",
>>>     "score": 20,
>>>     "reason": null
>>>   }
>>> ],
>>>
>>> When I try to change the reason in the 2nd and 3rd from null to "No MFA
>>> used.", I get the error message: "Modified Sensor parser config but unable
>>> to save enrichment configuration: JSON.parse: unexpected end of data at
>>> line 1 column 1 of the JSON data" and the reason is reverted back to null.
>>> Changing other items in the above works fine.
>>>
>>> Any idea what might be going on?
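Added example, not part of the thread and not Metron's own validation: a small Python pre-check that walks a riskLevelRules list and wraps any bare-prose "reason" in quotes so it becomes a Stellar string literal, while leaving null reasons and real expressions such as the FORMAT(...) call alone. The literal/expression detection is a simple heuristic assumed here, not Stellar's grammar; the sample rules are the ones from the thread.

```python
import re

# Constructed sample: the rule set from the thread. The two bare-string reasons are
# what THREAT_TRIAGE_ADD rejected with "Unable to parse No MFA used.".
SAMPLE_RULES = [
    {"name": "Not WORK", "rule": "is_work == false", "score": 20,
     "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"},
    {"name": "MFA", "score": 20, "reason": "No MFA used.",
     "rule": 'userIdentity:sessionContext:attributes:mfaAuthenticated == "False"'},
    {"name": "MFA2", "score": 20, "reason": "No MFA used.",
     "rule": 'additionalEventData:MFAUsed == "No"'},
]

# Heuristics (an assumption, not Stellar's grammar): a call such as FORMAT(...) or a
# binary operator means the reason is already an expression and must be left alone.
_CALL = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*\(")
_OPERATORS = ("==", "!=", "&&", "||", "+")


def is_stellar_string_literal(reason: str) -> bool:
    """True when the value is already quoted, e.g. 'No MFA used.' or "No MFA used."."""
    s = reason.strip()
    return len(s) >= 2 and s[0] == s[-1] and s[0] in ("'", '"')


def looks_like_expression(reason: str) -> bool:
    s = reason.strip()
    return bool(_CALL.match(s)) or any(op in s for op in _OPERATORS)


def quote_as_stellar_string(text: str) -> str:
    """Wrap prose in whichever quote character it does not already contain."""
    if "'" not in text:
        return f"'{text}'"
    if '"' not in text:
        return f'"{text}"'
    raise ValueError("reason contains both quote characters; quote it by hand")


def fix_reasons(rules):
    """Return (fixed_rules, changes); null reasons and real expressions are untouched."""
    fixed, changes = [], []
    for rule in rules:
        new_rule = dict(rule)
        reason = rule.get("reason")
        if isinstance(reason, str) and not is_stellar_string_literal(reason) \
                and not looks_like_expression(reason):
            new_rule["reason"] = quote_as_stellar_string(reason)
            changes.append((rule["name"], reason, new_rule["reason"]))
        fixed.append(new_rule)
    return fixed, changes
```

Calling fix_reasons(SAMPLE_RULES) rewrites only the MFA and MFA2 reasons to 'No MFA used.', which is the edited input shown in step (3) of the thread.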