Just perfect! Thanks much, Simon.

Cheers
Anand

From: Simon Elliston Ball <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, August 8, 2017 at 7:35 PM
To: "[email protected]" <[email protected]>
Subject: Re: Threat triage rules using stellar geo enrichment

A much better way of doing this is to run the geo enrichment as part of the regular enrichment process and then just use the output field for the rule. Your config already does this, so your rule is in effect running the same enrichment twice. Just use enrichments.geo.ip_dst_addr.country != 'US' for a significantly simpler and more performant rule.

Simon

On 8 Aug 2017, at 14:47, Anand Subramanian <[email protected]> wrote:

Thank you, Casey. That worked!

Regards,
Anand

From: Casey Stella <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, August 8, 2017 at 7:12 PM
To: "[email protected]" <[email protected]>
Subject: Re: Threat triage rules using stellar geo enrichment

I think you want:

    GEO_GET( ip_dst_addr, ['country']) != 'US'

On Tue, Aug 8, 2017 at 7:29 AM, Anand Subramanian <[email protected]> wrote:

Hello All,

I am trying to write a triage rule where I would like to set the alert score based on Geo enrichment output, as follows.

    $ cat $METRON_HOME/config/zookeeper/enrichments/snort.json
    {
      "enrichment": {
        "fieldMap": {
          "geo": ["ip_dst_addr", "ip_src_addr"],
          "host": ["host"]
        }
      },
      "threatIntel": {
        "fieldMap": {
          "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
        },
        "fieldToTypeMap": {
          "ip_src_addr": ["malicious_ip"],
          "ip_dst_addr": ["malicious_ip"]
        },
        "triageConfig": {
          "riskLevelRules": [
            {
              "name": "Rule 1",
              "rule": "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))",
              "score": 10
            },
            {
              "name": "Rule 2",
              "rule": "not(GEO_GET(ip_dst_addr, '[country]'), 'US')",
              "score": 20
            }
          ],
          "aggregator": "MAX"
        }
      }
    }

But I am getting the following error when trying to push the configuration into zookeeper:

    Exception in thread "main" java.lang.RuntimeException: Unable to load { "enrichment" : { "fieldMap": { "geo": ["ip_dst_addr", "ip_src_addr"], "host": ["host"] } <snip>
        at org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:54)
        at org.apache.metron.common.configuration.ConfigurationType.deserialize(ConfigurationType.java:93)
        at org.apache.metron.common.configuration.ConfigurationsUtils.writeSensorEnrichmentConfigToZookeeper(ConfigurationsUtils.java:123)
        at org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:265)
        at org.apache.metron.common.configuration.ConfigurationsUtils.uploadConfigsToZookeeper(ConfigurationsUtils.java:226)
        at org.apache.metron.common.cli.ConfigurationManager.push(ConfigurationManager.java:155)
        at org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:170)
        at org.apache.metron.common.cli.ConfigurationManager.run(ConfigurationManager.java:161)
        at org.apache.metron.common.cli.ConfigurationManager.main(ConfigurationManager.java:198)
    Caused by: org.apache.metron.jackson.databind.JsonMappingException: N/A
     at [Source: { <snip> } ; line: 31, column: 7] (through reference chain: org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig["threatIntel"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig["riskLevelRules"])
        at org.apache.metron.jackson.databind.JsonMappingException.from(JsonMappingException.java:262)
        at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:537)
        at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:518)
        at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:99)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
        at org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
        at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
        at org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490)
        at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
        at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
        at org.apache.metron.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3807)
        at org.apache.metron.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2797)
        at org.apache.metron.common.utils.JSONUtils.load(JSONUtils.java:65)
        at org.apache.metron.common.configuration.ConfigurationType.lambda$static$2(ConfigurationType.java:52)
        ... 8 more
    Caused by: org.antlr.v4.runtime.NoViableAltException
        at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894)
        at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498)
        at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424)
        at org.apache.metron.stellar.common.generated.StellarParser.transformation_expr(StellarParser.java:287)
        at org.apache.metron.stellar.common.generated.StellarParser.transformation(StellarParser.java:154)
        at org.apache.metron.stellar.common.BaseStellarProcessor.compile(BaseStellarProcessor.java:184)
        at org.apache.metron.stellar.common.BaseStellarProcessor.lambda$parse$1(BaseStellarProcessor.java:146)
        at org.apache.metron.guava.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4739)
        at org.apache.metron.guava.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3524)
        at org.apache.metron.guava.cache.LocalCache$Segment.loadSync(LocalCache.java:2317)
        at org.apache.metron.guava.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2280)
        at org.apache.metron.guava.cache.LocalCache$Segment.get(LocalCache.java:2195)
        at org.apache.metron.guava.cache.LocalCache.get(LocalCache.java:3934)
        at org.apache.metron.guava.cache.LocalCache$LocalManualCache.get(LocalCache.java:4736)
        at org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:146)
        at org.apache.metron.stellar.common.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:60)
        at org.apache.metron.stellar.common.StellarPredicateProcessor.parse(StellarPredicateProcessor.java:37)
        at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:237)
        at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
        at org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:61)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:97)
        ... 22 more

Could someone please point out the error with my configuration? Note that I have tested the GEO_GET expression on the stellar shell and it works fine.

Thanks,
Anand
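As an added illustration (not code from this thread or from Metron itself), the following Python model evaluates the thread's two triage rules, the IN_SUBNET check and Simon's enrichments.geo.ip_dst_addr.country != 'US' test, over constructed enriched messages and combines them with the MAX aggregator from the config. It assumes messages are flat dicts keyed by the enriched field names; note how, in this model, a message the geo lookup could not resolve also satisfies the != 'US' test.

```python
"""Added model of Metron threat triage (constructed sample data; this is not
Metron's own code). Each riskLevelRule fires or not per message, and the
aggregator (MAX, as in the thread's config) combines the scores of the rules
that fired. Messages are assumed to be flat dicts keyed by enriched field names."""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")

def outside_lan(msg):
    # Rule 1: not(IN_SUBNET(ip_dst_addr, '192.168.0.0/24'))
    return ipaddress.ip_address(msg["ip_dst_addr"]) not in LAN

def non_us_destination(msg):
    # Rule 2 as Simon suggested: enrichments.geo.ip_dst_addr.country != 'US'
    # Reads the field the geo enrichment already wrote instead of calling
    # GEO_GET a second time. In this model a missing field (no geo result,
    # e.g. for a private address) also satisfies "!= 'US'", so the rule fires.
    return msg.get("enrichments.geo.ip_dst_addr.country") != "US"

RISK_LEVEL_RULES = [
    {"name": "Rule 1", "score": 10, "predicate": outside_lan},
    {"name": "Rule 2", "score": 20, "predicate": non_us_destination},
]

AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}

def triage(msg, rules=RISK_LEVEL_RULES, aggregator="MAX"):
    """Return (score, names of rules that fired) for one enriched message."""
    fired = [r for r in rules if r["predicate"](msg)]
    if not fired:
        return 0, []
    score = AGGREGATORS[aggregator](r["score"] for r in fired)
    return score, [r["name"] for r in fired]

# Constructed sample messages (RFC 5737 documentation addresses).
SAMPLE_MESSAGES = [
    {"ip_dst_addr": "192.168.0.42"},  # LAN host: geo lookup yields no country
    {"ip_dst_addr": "203.0.113.7", "enrichments.geo.ip_dst_addr.country": "US"},
    {"ip_dst_addr": "198.51.100.9", "enrichments.geo.ip_dst_addr.country": "DE"},
    {"ip_dst_addr": "203.0.113.8"},  # internet host the geo database missed
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, names = triage(msg)
        print(msg["ip_dst_addr"], "->", score, names)
```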
