
@nickwallen
Created September 5, 2017 20:57

Troubleshooting a rule set while it runs against a live stream of data is difficult. It is far easier to exercise the entire threat triage process inside the Stellar REPL, against sample messages, before deploying the rule set to a Metron cluster. This change adds a set of Stellar functions that simulate Threat Triage inside the REPL. They are useful for writing new triage rules, debugging existing rules, and iterating quickly while testing a rule set.

Changes

Created the following new functions.

  • THREAT_TRIAGE_INIT
  • THREAT_TRIAGE_SCORE
  • THREAT_TRIAGE_CONFIG

Modified the following functions so that they also accept the engine created by THREAT_TRIAGE_INIT, while preserving their existing behaviour.

  • THREAT_TRIAGE_PRINT
  • THREAT_TRIAGE_ADD
  • THREAT_TRIAGE_REMOVE
  • THREAT_TRIAGE_SET_AGGREGATOR

Testing

The following shows how the new functions can be used.

  1. Create a threat triage engine.

    [Stellar]>>> t := THREAT_TRIAGE_INIT()
    [Stellar]>>> t
    ThreatTriage{0 rule(s)}
    
  2. Add a few triage rules.

    [Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule1", "rule":"value>10", "score":10})
    {
      "enrichment" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { }
      },
      "threatIntel" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { },
        "triageConfig" : {
          "riskLevelRules" : [ {
            "name" : "rule1",
            "rule" : "value>10",
            "score" : 10.0
          } ],
          "aggregator" : "MAX",
          "aggregationConfig" : { }
        }
      },
      "configuration" : { }
    }
    
    [Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule2", "rule":"value>20", "score":20})
    {
      "enrichment" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { }
      },
      "threatIntel" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { },
        "triageConfig" : {
          "riskLevelRules" : [ {
            "name" : "rule1",
            "rule" : "value>10",
            "score" : 10.0
          }, {
            "name" : "rule2",
            "rule" : "value>20",
            "score" : 20.0
          } ],
          "aggregator" : "MAX",
          "aggregationConfig" : { }
        }
      },
      "configuration" : { }
    }
    
    [Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule3", "rule":"value>30", "score":30})
    {
      "enrichment" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { }
      },
      "threatIntel" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { },
        "triageConfig" : {
          "riskLevelRules" : [ {
            "name" : "rule1",
            "rule" : "value>10",
            "score" : 10.0
          }, {
            "name" : "rule2",
            "rule" : "value>20",
            "score" : 20.0
          }, {
            "name" : "rule3",
            "rule" : "value>30",
            "score" : 30.0
          } ],
          "aggregator" : "MAX",
          "aggregationConfig" : { }
        }
      },
      "configuration" : { }
    }
    
  3. Review the rules that you have created.

    [Stellar]>>> THREAT_TRIAGE_PRINT(t)
    ╔═══════╤═════════╤═════════════╤═══════╤════════╗
    ║ Name  │ Comment │ Triage Rule │ Score │ Reason ║
    ╠═══════╪═════════╪═════════════╪═══════╪════════╣
    ║ rule1 │         │ value>10    │ 10    │        ║
    ╟───────┼─────────┼─────────────┼───────┼────────╢
    ║ rule2 │         │ value>20    │ 20    │        ║
    ╟───────┼─────────┼─────────────┼───────┼────────╢
    ║ rule3 │         │ value>30    │ 30    │        ║
    ╚═══════╧═════════╧═════════════╧═══════╧════════╝
    
  4. Create a few test messages to simulate your telemetry.

    [Stellar]>>> msg1 := "{ \"value\":22 }"
    [Stellar]>>> msg1
    { "value":22 }
    
    [Stellar]>>> msg2 := "{ \"value\":44 }"
    [Stellar]>>> msg2
    { "value":44 }
    
  5. Score a message against the rules that have been defined. The result shows the aggregate score, the aggregator used, and details of each rule that fired.

    [Stellar]>>> THREAT_TRIAGE_SCORE( msg1, t)
    {score=20.0, aggregator=MAX, rules=[{score=10.0, name=rule1, rule=value>10}, {score=20.0, name=rule2, rule=value>20}]}
    
    [Stellar]>>> THREAT_TRIAGE_SCORE( msg2, t)
    {score=30.0, aggregator=MAX, rules=[{score=10.0, name=rule1, rule=value>10}, {score=20.0, name=rule2, rule=value>20}, {score=30.0, name=rule3, rule=value>30}]}
    
  6. Once the rule set behaves as expected, extract the configuration and push it to the live Metron cluster. Note that `conf` was built from a fresh engine, so its enrichment and threatIntel fieldMaps are empty; CONFIG_PUT writes the whole enrichment config for the named sensor, so pushing `conf` unchanged would replace any enrichment or threat intel configuration already deployed for `bro`. Merge the triage rules into the sensor's current config before pushing to a cluster that already has one.

    [Stellar]>>> conf := THREAT_TRIAGE_CONFIG( t)
    [Stellar]>>> conf
    {
      "enrichment" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { }
      },
      "threatIntel" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { },
        "triageConfig" : {
          "riskLevelRules" : [ {
            "name" : "rule1",
            "rule" : "value>10",
            "score" : 10.0
          }, {
            "name" : "rule2",
            "rule" : "value>20",
            "score" : 20.0
          }, {
            "name" : "rule3",
            "rule" : "value>30",
            "score" : 30.0
          }],
          "aggregator" : "MAX",
          "aggregationConfig" : { }
        }
      },
      "configuration" : { }
    }
    
    [Stellar]>>> CONFIG_PUT("ENRICHMENT", conf, "bro")
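
The procedure above can be reproduced offline to check what a rule set will do before touching the cluster. The following is an added example, not code from this gist or from Metron: it parses the `triageConfig` that THREAT_TRIAGE_CONFIG returns, scores constructed messages the way THREAT_TRIAGE_SCORE does (fire each rule, then aggregate), and merges the triage rules into an existing sensor config so the enrichment and threat intel fieldMaps are not clobbered. The rule evaluator is a deliberately small stand-in for Stellar that understands only `field <op> number`; the aggregator names, the treatment of a message where no rule fires (score 0.0), and the sample configs are this example's own assumptions.

```python
import json
import operator
import re

# Constructed sample: the config printed by THREAT_TRIAGE_CONFIG(t) in the steps above.
TRIAGE_CONFIG = json.loads("""
{ "enrichment": {"fieldMap": {}, "fieldToTypeMap": {}, "config": {}},
  "threatIntel": {"fieldMap": {}, "fieldToTypeMap": {}, "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {"name": "rule1", "rule": "value>10", "score": 10.0},
        {"name": "rule2", "rule": "value>20", "score": 20.0},
        {"name": "rule3", "rule": "value>30", "score": 30.0}],
      "aggregator": "MAX", "aggregationConfig": {}}},
  "configuration": {} }
""")

# Minimal stand-in for Stellar rule evaluation (assumption): only `field <op> number`.
# A real triage rule is an arbitrary Stellar expression; this is enough for the rules above.
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "==": operator.eq, "!=": operator.ne}
_RULE_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*(>=|<=|==|!=|>|<)\s*(-?\d+(?:\.\d+)?)\s*$")


def eval_rule(rule, message):
    """Return True if the rule fires for the message. A missing or non-numeric field never fires."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax for this simulator: {rule!r}")
    field, op, number = m.groups()
    if field not in message:
        return False
    try:
        return _OPS[op](float(message[field]), float(number))
    except (TypeError, ValueError):
        return False


# Aggregators supported by this example (assumption); MAX is the one the page uses.
AGGREGATORS = {
    "MAX": max,
    "MIN": min,
    "SUM": sum,
    "MEAN": lambda xs: sum(xs) / len(xs),
}


def triage_score(message_json, config):
    """Mirror THREAT_TRIAGE_SCORE: evaluate every rule, collect the ones that fired, aggregate."""
    message = json.loads(message_json)
    triage = config["threatIntel"]["triageConfig"]
    fired = [{"score": float(r["score"]), "name": r["name"], "rule": r["rule"]}
             for r in triage["riskLevelRules"] if eval_rule(r["rule"], message)]
    aggregator = triage.get("aggregator", "MAX")
    scores = [r["score"] for r in fired]
    # No rule fired: report 0.0 rather than calling max()/min() on an empty list.
    score = AGGREGATORS[aggregator](scores) if scores else 0.0
    return {"score": score, "aggregator": aggregator, "rules": fired}


def with_aggregator(config, aggregator):
    """Return a copy of the config using a different aggregator, to compare e.g. MAX against SUM."""
    copy = json.loads(json.dumps(config))
    copy["threatIntel"]["triageConfig"]["aggregator"] = aggregator
    return copy


def merge_triage_into(existing_config, triage_config):
    """Copy only triageConfig into a sensor's existing enrichment config.

    Pushing the freshly built config as-is would replace the sensor's enrichment and
    threat intel fieldMaps with the empty ones above; this keeps them intact.
    """
    merged = json.loads(json.dumps(existing_config))  # deep copy, leave the input untouched
    new_triage = json.loads(json.dumps(triage_config["threatIntel"]["triageConfig"]))
    merged.setdefault("threatIntel", {})["triageConfig"] = new_triage
    return merged


if __name__ == "__main__":
    for msg in ('{ "value":22 }', '{ "value":44 }', '{ "value":5 }'):
        print(msg, "->", triage_score(msg, TRIAGE_CONFIG))
    print("SUM:", triage_score('{ "value":44 }', with_aggregator(TRIAGE_CONFIG, "SUM"))["score"])
```

Running the script reproduces the scores shown in step 5 (20.0 for `msg1`, 30.0 for `msg2`) and also shows the cases the REPL transcript does not: a message no rule matches, a message missing the field entirely, and how the aggregate changes when the aggregator is switched from MAX to SUM.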
    