Re: Threat triage rules using stellar geo enrichment

2017-08-08 Thread Simon Elliston Ball
A much better way of doing this is to run the geo enrichment as part of the 
regular enrichment process and then just use the output field for the rule. 
Your config already does this, so your rule is in effect running the same 
enrichment twice. Just use enrichments.geo.ip_dst_addr.country != 'US' for a 
significantly simpler and more performant rule.

Simon


> On 8 Aug 2017, at 14:47, Anand Subramanian <asubraman...@hortonworks.com> wrote:
> 
> Thank you, Casey. That worked!
> 
> Regards,
> Anand
> 
> From: Casey Stella <ceste...@gmail.com>
> Reply-To: "user@metron.apache.org" <user@metron.apache.org>
> Date: Tuesday, August 8, 2017 at 7:12 PM
> To: "user@metron.apache.org" <user@metron.apache.org>
> Subject: Re: Threat triage rules using stellar geo enrichment
> 
> I think you want:
> GEO_GET( ip_dst_addr, ['country']) != 'US'
> 
> 
> On Tue, Aug 8, 2017 at 7:29 AM, Anand Subramanian <asubraman...@hortonworks.com> wrote:
> Hello All,
> 
> I am trying to write a triage rule where I would like to set the alert score 
> based on Geo enrichment output, as follows. 
> 
> $ cat $METRON_HOME/config/zookeeper/enrichments/snort.json
> {
>   "enrichment" : {
>     "fieldMap" : {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
>   },
>   "threatIntel" : {
>     "fieldMap" : {
>       "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
>     },
>     "fieldToTypeMap" : {
>       "ip_src_addr" : ["malicious_ip"],
>       "ip_dst_addr" : ["malicious_ip"]
>     },
>     "triageConfig" : {
>       "riskLevelRules" : [
>         {
>           "name" : "Rule 1",
>           "rule" : "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))",
>           "score" : 10
>         },
>         {
>           "name" : "Rule 2",
>           "rule" : "not(GEO_GET(ip_dst_addr, '[country]'), 'US')",
>           "score" : 20
>         }
>       ],
>       "aggregator" : "MAX"
>     }
>   }
> }
> 
> But I am getting the following error when trying to push the configuration 
> into zookeeper:
> 
> Exception in thread "main" java.lang.RuntimeException: Unable to load {
>   "enrichment" : {
>     "fieldMap" : {
>       "geo": ["ip_dst_addr", "ip_src_addr"],
>       "host": ["host"]
>     }
> 
>     at org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:54)
>     at org.apache.metron.common.configuration.ConfigurationType.deserialize(ConfigurationType.java:93)
>     at org.apache.metron.common.configuration.ConfigurationsUtils.writeSensorEnrichmentConfigToZookeeper(ConfigurationsUtils.java:123)
>     at org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:265)
>     at org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:226)
>     at org.apache.metron.common.cli.ConfigurationManager.push(ConfigurationManager.java:155)
>     at org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:170)
>     at org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:161)
>     at org.apache.metron.common.cli.ConfigurationManager.main(ConfigurationManager.java:198)
> Caused by: org.apache.metron.jackson.databind.JsonMappingException: N/A
>  at [Source: {
> 
> }
> ; line: 31, column: 7] (through reference chain: org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig["threatIntel"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig["riskLevelRules"])
>     at org.apache.metron.jackson.databind.JsonMappingException.from(JsonMappingException.java:262)
>     at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:537)
>     at org.apache.metron.jackson.databind.d
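The triage logic discussed in this thread, a subnet rule plus a country rule combined with the MAX aggregator, and Simon's point that the rule should read the geo enrichment's output field rather than call GEO_GET a second time, as an added Python example that is not code from the thread or from the Metron project. It does not evaluate Stellar: the two "rule" strings are mirrored by plain Python predicates looked up by rule name, which is this example's own device. It assumes the enriched field name enrichments.geo.ip_dst_addr.country that Simon gives, treats MIN and SUM as assumed extra aggregators alongside the thread's MAX, and adds a structural check on triageConfig that catches a malformed riskLevelRules before the file is pushed. The enriched messages are constructed for the example.

```python
import ipaddress
import json

# Added example, not Metron or thread code. The predicates below are plain-Python
# stand-ins for the two Stellar rules; Metron evaluates the "rule" strings with
# its Stellar engine, which this script does not do.

# Constructed triageConfig mirroring the thread's snort.json, with Rule 2
# rewritten to test the enrichment output field, as Simon suggests, instead of
# calling GEO_GET again inside the rule.
TRIAGE_CONFIG = json.loads("""
{
  "riskLevelRules" : [
    {
      "name" : "Rule 1",
      "rule" : "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))",
      "score" : 10
    },
    {
      "name" : "Rule 2",
      "rule" : "enrichments.geo.ip_dst_addr.country != 'US'",
      "score" : 20
    }
  ],
  "aggregator" : "MAX"
}
""")

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
GEO_COUNTRY_FIELD = "enrichments.geo.ip_dst_addr.country"  # field name from Simon's reply


def rule_1(msg):
    """Python stand-in for not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))."""
    return ipaddress.ip_address(msg["ip_dst_addr"]) not in INTERNAL_NET


def rule_2(msg):
    """Python stand-in for enrichments.geo.ip_dst_addr.country != 'US'.

    Edge case: when the geo enrichment produced no country (unrouted address,
    lookup failure), the field is absent and this stand-in treats the message
    as non-US, so the rule fires. Decide explicitly whether that is wanted
    before relying on a "!= 'US'" test for scoring.
    """
    return msg.get(GEO_COUNTRY_FIELD) != "US"


# Rule name -> stand-in predicate (an assumption of this example, not Metron's model).
PREDICATES = {"Rule 1": rule_1, "Rule 2": rule_2}

# MAX is the aggregator the thread uses; MIN and SUM are assumed extras here.
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}


def validate_triage_config(cfg):
    """Structural check on triageConfig: riskLevelRules must be a list of
    objects carrying name, rule and a numeric score, and the aggregator must
    be known. Raises ValueError naming the offending rule, so a bad file is
    caught locally instead of by a deserialization stack trace at push time."""
    rules = cfg.get("riskLevelRules")
    if not isinstance(rules, list):
        raise ValueError("riskLevelRules must be a list of rule objects")
    for i, r in enumerate(rules):
        missing = {"name", "rule", "score"} - set(r)
        if missing:
            raise ValueError(f"rule {i} is missing {sorted(missing)}")
        if not isinstance(r["score"], (int, float)):
            raise ValueError(f"rule {i}: score must be numeric")
    if cfg.get("aggregator") not in AGGREGATORS:
        raise ValueError(f"unknown aggregator {cfg.get('aggregator')!r}")
    return True


def triage(msg, cfg):
    """Return (aggregated score, names of rules that fired) for one enriched
    message. With no rule firing the score is 0."""
    fired = [r for r in cfg["riskLevelRules"] if PREDICATES[r["name"]](msg)]
    if not fired:
        return 0, []
    aggregate = AGGREGATORS[cfg["aggregator"]]
    return aggregate(r["score"] for r in fired), [r["name"] for r in fired]


# Constructed enriched messages, with the geo field as the enrichment step would add it.
SAMPLE_MESSAGES = [
    {"ip_dst_addr": "192.168.0.10", GEO_COUNTRY_FIELD: "US"},  # internal destination
    {"ip_dst_addr": "198.51.100.7", GEO_COUNTRY_FIELD: "US"},  # external, US
    {"ip_dst_addr": "203.0.113.5", GEO_COUNTRY_FIELD: "DE"},   # external, non-US
    {"ip_dst_addr": "203.0.113.9"},                            # geo lookup produced nothing
]

if __name__ == "__main__":
    validate_triage_config(TRIAGE_CONFIG)
    for m in SAMPLE_MESSAGES:
        print(m["ip_dst_addr"], triage(m, TRIAGE_CONFIG))
```

The fourth sample shows why the choice of rule field matters operationally: a message whose geo lookup yielded nothing scores the same as a confirmed foreign destination under a "!= 'US'" test, so if enrichment gaps are common the rule should test the country positively or check that the field is present first.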

Re: Threat triage rules using stellar geo enrichment

2017-08-08 Thread Anand Subramanian
Thank you, Casey. That worked!

Regards,
Anand

From: Casey Stella <ceste...@gmail.com>
Reply-To: "user@metron.apache.org" <user@metron.apache.org>
Date: Tuesday, August 8, 2017 at 7:12 PM
To: "user@metron.apache.org" <user@metron.apache.org>
Subject: Re: Threat triage rules using stellar geo enrichment

I think you want:

GEO_GET( ip_dst_addr, ['country']) != 'US'

On Tue, Aug 8, 2017 at 7:29 AM, Anand Subramanian <asubraman...@hortonworks.com> wrote:
Hello All,

I am trying to write a triage rule where I would like to set the alert score 
based on Geo enrichment output, as follows.

$ cat $METRON_HOME/config/zookeeper/enrichments/snort.json
{
  "enrichment" : {
    "fieldMap" : {
      "geo": ["ip_dst_addr", "ip_src_addr"],
      "host": ["host"]
    }
  },
  "threatIntel" : {
    "fieldMap" : {
      "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
    },
    "fieldToTypeMap" : {
      "ip_src_addr" : ["malicious_ip"],
      "ip_dst_addr" : ["malicious_ip"]
    },
    "triageConfig" : {
      "riskLevelRules" : [
        {
          "name" : "Rule 1",
          "rule" : "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))",
          "score" : 10
        },
        {
          "name" : "Rule 2",
          "rule" : "not(GEO_GET(ip_dst_addr, '[country]'), 'US')",
          "score" : 20
        }
      ],
      "aggregator" : "MAX"
    }
  }
}

But I am getting the following error when trying to push the configuration into 
zookeeper:

Exception in thread "main" java.lang.RuntimeException: Unable to load {
  "enrichment" : {
    "fieldMap" : {
      "geo": ["ip_dst_addr", "ip_src_addr"],
      "host": ["host"]
    }

    at org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:54)
    at org.apache.metron.common.configuration.ConfigurationType.deserialize(ConfigurationType.java:93)
    at org.apache.metron.common.configuration.ConfigurationsUtils.writeSensorEnrichmentConfigToZookeeper(ConfigurationsUtils.java:123)
    at org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:265)
    at org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:226)
    at org.apache.metron.common.cli.ConfigurationManager.push(ConfigurationManager.java:155)
    at org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:170)
    at org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:161)
    at org.apache.metron.common.cli.ConfigurationManager.main(ConfigurationManager.java:198)
Caused by: org.apache.metron.jackson.databind.JsonMappingException: N/A
 at [Source: {

}
; line: 31, column: 7] (through reference chain: org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig["threatIntel"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig["riskLevelRules"])
    at org.apache.metron.jackson.databind.JsonMappingException.from(JsonMappingException.java:262)
    at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:537)
    at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:518)
    at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:99)
    at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
    at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
    at org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
    at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
    at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
    at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
    at org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
    at org.apache.metron.jackson.databind.deser.impl