This repository has been archived by the owner on May 12, 2021. It is now read-only.

METRON-685 Scores in Threat Triage should be a Stellar Statement #1311

Closed
wants to merge 5 commits into from

Conversation

nickwallen
Contributor

@nickwallen nickwallen commented Dec 20, 2018

Allows a threat triage rule's score to be expressed as either a numeric value or a Stellar expression.

  • The change is backwards compatible. Users will not have to alter their existing triage rules.

  • The 'score' expression has access to all of the fields contained within the message being triaged.

Testing

  1. Create a threat triage engine.

    [Stellar]>>> t := THREAT_TRIAGE_INIT()
    [Stellar]>>> t
    ThreatTriage{0 rule(s)}
    
  2. Add a triage rule that uses a simple numeric score. This is the existing behavior that continues to be supported.

    [Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule1", "rule":"value>10", "score":10})
    
  3. Add another triage rule that uses a score expression. This will simply make the score 10 times the value contained in the message.

    [Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule2", "rule":"value>20", "score":"value*10"})
    
  4. Review the rules that you have created.

    [Stellar]>>> THREAT_TRIAGE_PRINT(t)
    ╔═══════╤═════════╤═════════════╤══════════╤════════╗
    ║ Name  │ Comment │ Triage Rule │ Score    │ Reason ║
    ╠═══════╪═════════╪═════════════╪══════════╪════════╣
    ║ rule1 │         │ value>10    │ 10       │        ║
    ╟───────┼─────────┼─────────────┼──────────┼────────╢
    ║ rule2 │         │ value>20    │ value*10 │        ║
    ╚═══════╧═════════╧═════════════╧══════════╧════════╝
    
  5. Create a few test messages to simulate your telemetry.

    [Stellar]>>> msg1 := "{ \"value\":22 }"
    [Stellar]>>> msg1
    { "value":22 }
    
    [Stellar]>>> msg2 := "{ \"value\":44 }"
    [Stellar]>>> msg2
    { "value":44 }
    
  6. Score a message based on the rules that have been defined. The result allows you to see the total score, the aggregator, along with details about each rule that fired.

    [Stellar]>>> THREAT_TRIAGE_SCORE( msg1, t)
    {score=220.0, aggregator=MAX, rules=[{score=10, name=rule1, rule=value>10}, {score=value*10, name=rule2, rule=value>20}]}
    
    [Stellar]>>> THREAT_TRIAGE_SCORE( msg2, t)
    {score=440.0, aggregator=MAX, rules=[{score=10, name=rule1, rule=value>10}, {score=value*10, name=rule2, rule=value>20}]}
    

Pull Request Checklist

  • Is there a JIRA ticket associated with this PR? If not one needs to be created at Metron Jira.
  • Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
  • Has your PR been rebased against the latest commit within the target branch (typically master)?
  • Have you included steps to reproduce the behavior or problem that is being changed or addressed?
  • Have you included steps or a guide to how the change may be verified and tested manually?
  • Have you ensured that the full suite of tests and checks have been executed in the root metron folder via
  • Have you written or updated unit tests and or integration tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?

@ottobackwards
Contributor

@nickwallen, I just did a clean checkout of your PR (in a tmp dir, not my repo), and did vagrant up, which worked.
When I try to run stellar, I see this:

[vagrant@node1 ~]$ cd /usr/metron/0.7.0/bin/
[vagrant@node1 bin]$ ./stellar
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/metron/0.7.0/lib/metron-profiler-repl-0.7.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/2.6.5.0-292/hadoop/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Exception in thread "main" java.lang.NoClassDefFoundError: oi/thekraken/grok/api/exception/GrokException
	at java.lang.Class.getDeclaredConstructors0(Native Method)
	at java.lang.Class.privateGetDeclaredConstructors(Class.java:2671)
	at java.lang.Class.getConstructor0(Class.java:3075)
	at java.lang.Class.getConstructor(Class.java:1825)
	at org.apache.metron.stellar.dsl.functions.resolver.BaseFunctionResolver.createFunction(BaseFunctionResolver.java:238)
	at org.apache.metron.stellar.dsl.functions.resolver.BaseFunctionResolver.resolveFunction(BaseFunctionResolver.java:192)
	at org.apache.metron.stellar.dsl.functions.resolver.BaseFunctionResolver.resolveFunctions(BaseFunctionResolver.java:164)
	at org.apache.metron.guava.base.Suppliers$MemoizingSupplier.get(Suppliers.java:125)
	at org.apache.metron.stellar.dsl.functions.resolver.BaseFunctionResolver.getFunctionInfo(BaseFunctionResolver.java:84)
	at org.apache.metron.stellar.common.shell.DefaultStellarShellExecutor.init(DefaultStellarShellExecutor.java:177)
	at org.apache.metron.stellar.common.shell.cli.StellarShell.createExecutor(StellarShell.java:268)
	at org.apache.metron.stellar.common.shell.cli.StellarShell.<init>(StellarShell.java:154)
	at org.apache.metron.stellar.common.shell.cli.StellarShell.main(StellarShell.java:115)
Caused by: java.lang.ClassNotFoundException: oi.thekraken.grok.api.exception.GrokException
	at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	... 13 more

@ottobackwards
Contributor

How are you running it?

@nickwallen
Contributor Author

nickwallen commented Dec 21, 2018

I spun it up in Full Dev from my feature branch. No libraries or dependencies changed, so maybe this is something that is already in master. I'll take a look.

@nickwallen
Contributor Author

Usually I run as root in Full Dev. Any difference if you start stellar as 'root'?

@ottobackwards
Contributor

let me try

@ottobackwards
Contributor

ottobackwards commented Dec 21, 2018

same issue running as root using sudo su - to get there

@nickwallen
Contributor Author

I'll spin it up again and try to replicate. Thanks for giving it a go.

@ottobackwards
Contributor

I don't know how grok came into this.

@nickwallen
Contributor Author

nickwallen commented Dec 21, 2018

Yes, this is an issue in master. I opened a JIRA and am working on a fix.

Glad you found that.

@ottobackwards
Contributor

@nickwallen stellar is still crashing for me. You changed the metron-common script, but https://github.com/apache/metron/tree/master/metron-stellar/stellar-common/src/main/scripts/deployed is the script I think you need to change. I'm pretty sure I verified your first fix, and then you made the parsers->parsing change after.

I'm going to test after manually changing the stellar file.

@ottobackwards
Contributor

After making the changes, everything works as described in the steps. I'll try to do a code review.

@ottobackwards
Contributor

In the code, I find the use of score to be confusing. Sometimes it is a String, sometimes it is a number. Can we disambiguate this?

@nickwallen
Contributor Author

nickwallen commented Dec 29, 2018

Hi @ottobackwards, I will need to merge master into this PR to take advantage of #1312. I am traveling right now, but will do so when I return.

Since #1312 was merged I am assuming this is no longer a problem in master. Let me know if that is incorrect.

@nickwallen
Contributor Author

@ottobackwards I addressed your feedback. Ran it up again and re-tested just to be sure.

[root@node1 0.7.0]# cat triage-test.stellar
t := THREAT_TRIAGE_INIT()
THREAT_TRIAGE_ADD(t, {"name":"rule1", "rule":"value>10", "score":10})
THREAT_TRIAGE_ADD(t, {"name":"rule2", "rule":"value>20", "score":"value*10"})
THREAT_TRIAGE_PRINT(t)
msg1 := "{ \"value\":22 }"
msg2 := "{ \"value\":44 }"
THREAT_TRIAGE_SCORE( msg1, t)
THREAT_TRIAGE_SCORE( msg2, t)
[root@node1 0.7.0]# cat triage-test.stellar | bin/stellar
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/metron/0.7.0/lib/metron-profiler-repl-0.7.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/2.6.5.0-292/hadoop/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Stellar, Go!
Functions are loading lazily in the background and will be unavailable until loaded fully.
{}
[Stellar]>>> t := THREAT_TRIAGE_INIT()
ThreatTriage{0 rule(s)}
[Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule1", "rule":"value>10", "score":10})
{
  "enrichment" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : [ {
        "name" : "rule1",
        "rule" : "value>10",
        "score" : "10"
      } ],
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  },
  "configuration" : { }
}
[Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule2", "rule":"value>20", "score":"value*10"})
{
  "enrichment" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : [ {
        "name" : "rule1",
        "rule" : "value>10",
        "score" : "10"
      }, {
        "name" : "rule2",
        "rule" : "value>20",
        "score" : "value*10"
      } ],
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  },
  "configuration" : { }
}
[Stellar]>>> THREAT_TRIAGE_PRINT(t)
╔═══════╤═════════╤═════════════╤══════════╤════════╗
║ Name  │ Comment │ Triage Rule │ Score    │ Reason ║
╠═══════╪═════════╪═════════════╪══════════╪════════╣
║ rule1 │         │ value>10    │ 10       │        ║
╟───────┼─────────┼─────────────┼──────────┼────────╢
║ rule2 │         │ value>20    │ value*10 │        ║
╚═══════╧═════════╧═════════════╧══════════╧════════╝
Aggregation: MAX
[Stellar]>>> msg1 := "{ \"value\":22 }"
{ "value":22 }
[Stellar]>>> msg2 := "{ \"value\":44 }"
{ "value":44 }
[Stellar]>>> THREAT_TRIAGE_SCORE( msg1, t)
{score=220.0, aggregator=MAX, rules=[{score=10, name=rule1, rule=value>10}, {score=value*10, name=rule2, rule=value>20}]}
[Stellar]>>> THREAT_TRIAGE_SCORE( msg2, t)
{score=440.0, aggregator=MAX, rules=[{score=10, name=rule1, rule=value>10}, {score=value*10, name=rule2, rule=value>20}]}
[Stellar]>>>
[Stellar]>>>
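The two REPL sessions above (the Testing steps in the PR description and the re-test transcript) show the behaviour this change introduces: a rule's `score` is either a number or an expression evaluated against the fields of the message being triaged, and the per-rule scores are then combined by the aggregator. The following is an added example, written for this page and not Metron's own Java implementation nor a Stellar interpreter: a small Python model of that scoring logic with the same two rules and the same MAX aggregation. It assumes (1) a deliberately restricted expression evaluator built on Python's `ast` module instead of `eval()`, since rule and score strings come from configuration and must not be able to run arbitrary code, and (2) that a score expression referencing a field the message lacks fails closed by raising, rather than defaulting to some value; both are choices of this example, not documented Metron behaviour. The sample messages are constructed.

```python
import ast
import json
import operator
from typing import Any

# Whitelisted AST node -> operator mappings. Anything else (calls, attribute
# access, subscripts, lambdas, ...) is rejected, so a rule or score string
# taken from configuration cannot execute arbitrary Python.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
}
_CMP_OPS = {
    ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne,
}


def evaluate(expr: str, fields: dict) -> Any:
    """Evaluate a restricted arithmetic/comparison expression over message fields.

    Bare names resolve to message fields; a missing field raises KeyError
    (this model fails closed, an assumption of the example). Any syntax
    outside the whitelist raises ValueError.
    """
    tree = ast.parse(expr, mode="eval")

    def walk(node: ast.AST) -> Any:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            return fields[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _CMP_OPS):
            return _CMP_OPS[type(node.ops[0])](walk(node.left), walk(node.comparators[0]))
        if isinstance(node, ast.BoolOp) and isinstance(node.op, ast.And):
            return all(walk(v) for v in node.values)
        if isinstance(node, ast.BoolOp) and isinstance(node.op, ast.Or):
            return any(walk(v) for v in node.values)
        raise ValueError(f"unsupported syntax in expression {expr!r}")

    return walk(tree)


AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}


def score_message(message: str, rules: list, aggregator: str = "MAX") -> dict:
    """Apply triage rules to one JSON message and aggregate the scores of the
    rules that fired. A rule's "score" is either a number (the pre-existing
    behaviour) or an expression string evaluated against the same message
    fields the rule itself sees."""
    fields = json.loads(message)
    fired = []
    for rule in rules:
        if not evaluate(rule["rule"], fields):
            continue
        score = rule["score"]
        if isinstance(score, str):
            # Expression score, e.g. "value*10", computed per message. A numeric
            # literal stored as a string ("10", as the triage config on this
            # page shows) simply evaluates to itself.
            score = evaluate(score, fields)
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            raise TypeError(f"rule {rule['name']!r}: score must be numeric, got {score!r}")
        fired.append({"name": rule["name"], "rule": rule["rule"], "score": float(score)})
    total = AGGREGATORS[aggregator]([r["score"] for r in fired]) if fired else 0.0
    return {"score": float(total), "aggregator": aggregator, "rules": fired}


# The two rules from the PR's test session; the messages below are constructed.
RULES = [
    {"name": "rule1", "rule": "value>10", "score": 10},          # numeric score
    {"name": "rule2", "rule": "value>20", "score": "value*10"},  # expression score
]

if __name__ == "__main__":
    for msg in ['{ "value":22 }', '{ "value":44 }', '{ "value":15 }']:
        print(msg, "->", score_message(msg, RULES))
```

With `value` 22 the model reproduces the 220.0 seen in the session (rule1 contributes 10, rule2 contributes 22*10, MAX keeps 220); with `value` 15 only rule1 fires and the total is 10.0. The point worth keeping in mind when adopting expression scores is that the score is now a function of message content: a field value an attacker controls feeds straight into the arithmetic, so expressions should be written against fields whose range is bounded or validated, and a score that evaluates to a non-number should be treated as a configuration error rather than silently coerced, which is what the `TypeError` above does.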

@ottobackwards ottobackwards left a comment

This is great work @nickwallen +1

@asfgit asfgit closed this in 39fa0f1 Jan 7, 2019
JonZeolla pushed a commit to JonZeolla/metron that referenced this pull request Jan 24, 2019
2 participants