Metron (Retired): METRON-2326

Unable to Call ENRICHMENT_GET from Threat Triage Rule Reason Field


Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: Next + 1
    • Component/s: None

    Description

      A Threat Triage Rule's "reason" field can contain executable Stellar to provide an operator context as to why a rule fired during Threat Triage.  I am unable to call any function that requires a StellarContext during initialization, from the 'Reason' field of a Threat Triage Rule.  For example, I cannot call `ENRICHMENT_GET`.

      Steps to Replicate

      1. Create a simple file called `user.csv`.

      [root@node1 ~]# cat user.csv
      jdoe,192.168.138.2
      jane,192.168.66.1
      ciana,192.168.138.158
      danixa,95.163.121.204
      jim,192.168.66.121
      

      2. Create a file called `user-extractor.json`.

      {
        "config": {
          "columns": {
            "user": 0,
            "ip": 1
          },
          "indicator_column": "ip",
          "separator": ",",
          "type": "user"
        },
        "extractor": "CSV"
      }
      

      3. Import the enrichment data.

      source /etc/default/metron
      $METRON_HOME/bin/flatfile_loader.sh -i ./user.csv -t enrichment -c t -e ./user-extractor.json
      

      4. Validate that the enrichment loaded successfully.

      [root@node1 0.7.2]# source /etc/default/metron
      [root@node1 0.7.2]# $METRON_HOME/bin/stellar -z $ZOOKEEPER

      [Stellar]>>> ip_dst_addr := "192.168.138.2"
      192.168.138.2

      [Stellar]>>> ENRICHMENT_GET('user', ip_dst_addr, 'enrichment', 't')
      {ip=192.168.138.2, user=jdoe}
      

      5. Create a threat triage rule that attempts an ENRICHMENT_GET.

      [Stellar]>>> conf := SHELL_EDIT()
      {
        "enrichment": {
          "fieldMap": {
            "stellar": {
              "config": {
                "is_alert": "true"
              }
            }
          },
          "fieldToTypeMap": {},
          "config": {}
        },
        "threatIntel": {
          "fieldMap": {},
          "fieldToTypeMap": {},
          "config": {},
          "triageConfig": {
            "riskLevelRules": [
              {
                "name": "Rule",
                "comment": "This rule does not work when executing the 'reason' field.",
                "rule": "true",
                "reason": "FORMAT('Call to ENRICHMENT_GET=%s', ENRICHMENT_GET('user', ip_dst_addr, 'enrichment', 't'))",
                "score": "100"
              }
            ],
            "aggregator": "MAX",
            "aggregationConfig": {}
          }
        },
        "configuration": {}
      }

      [Stellar]>>> CONFIG_PUT("ENRICHMENT", conf, "snort")
      

      6. The Storm worker logs for Enrichment show the following error.

       2019-11-21 03:54:34.370 o.a.c.f.r.c.TreeCache Curator-TreeCache-4 [ERROR]
       org.apache.metron.jackson.databind.JsonMappingException: Unable to find capability GLOBAL_CONFIG; it may not be available in your context.
       at [Source: java.io.ByteArrayInputStream@1f55bdda; line: 24, column: 11] (through reference chain: org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig["threatIntel"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatIntelConfig["triageConfig"]->org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig["riskLevelRules"])
       at org.apache.metron.jackson.databind.JsonMappingException.from(JsonMappingException.java:262) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:537) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:518) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:99) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:490) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3807) ~[stormjar.jar:?]
       at org.apache.metron.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2867) ~[stormjar.jar:?]
       at org.apache.metron.common.utils.JSONUtils.load(JSONUtils.java:111) ~[stormjar.jar:?]
       at org.apache.metron.common.configuration.EnrichmentConfigurations.updateSensorEnrichmentConfig(EnrichmentConfigurations.java:52) ~[stormjar.jar:?]
       at org.apache.metron.common.configuration.EnrichmentConfigurations.updateSensorEnrichmentConfig(EnrichmentConfigurations.java:48) ~[stormjar.jar:?]
       at org.apache.metron.common.zookeeper.configurations.EnrichmentUpdater.update(EnrichmentUpdater.java:75) ~[stormjar.jar:?]
       at org.apache.metron.common.zookeeper.configurations.ConfigurationsUpdater.update(ConfigurationsUpdater.java:71) ~[stormjar.jar:?]
       at org.apache.metron.zookeeper.SimpleEventListener.childEvent(SimpleEventListener.java:120) ~[stormjar.jar:?]
       at org.apache.curator.framework.recipes.cache.TreeCache$2.apply(TreeCache.java:685) [stormjar.jar:?]
       at org.apache.curator.framework.recipes.cache.TreeCache$2.apply(TreeCache.java:679) [stormjar.jar:?]
       at org.apache.curator.framework.listen.ListenerContainer$1.run(ListenerContainer.java:92) [stormjar.jar:?]
       at org.apache.metron.guava.enrichment.util.concurrent.MoreExecutors$SameThreadExecutorService.execute(MoreExecutors.java:253) [stormjar.jar:?]
       at org.apache.curator.framework.listen.ListenerContainer.forEach(ListenerContainer.java:84) [stormjar.jar:?]
       at org.apache.curator.framework.recipes.cache.TreeCache.callListeners(TreeCache.java:678) [stormjar.jar:?]
       at org.apache.curator.framework.recipes.cache.TreeCache.access$1400(TreeCache.java:69) [stormjar.jar:?]
       at org.apache.curator.framework.recipes.cache.TreeCache$4.run(TreeCache.java:790) [stormjar.jar:?]
       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_112]
       at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_112]
       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_112]
       at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_112]
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_112]
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_112]
       at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]
       Caused by: java.lang.IllegalStateException: Unable to find capability GLOBAL_CONFIG; it may not be available in your context.
       at org.apache.metron.stellar.dsl.Context.getCapability(Context.java:137) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.stellar.dsl.Context.getCapability(Context.java:127) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.stellar.dsl.Context.getCapability(Context.java:123) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.enrichment.stellar.SimpleHBaseEnrichmentFunctions.getConfig(SimpleHBaseEnrichmentFunctions.java:92) ~[stormjar.jar:?]
       at org.apache.metron.enrichment.stellar.SimpleHBaseEnrichmentFunctions.access$100(SimpleHBaseEnrichmentFunctions.java:45) ~[stormjar.jar:?]
       at org.apache.metron.enrichment.stellar.SimpleHBaseEnrichmentFunctions$EnrichmentGet.initialize(SimpleHBaseEnrichmentFunctions.java:259) ~[stormjar.jar:?]
       at org.apache.metron.stellar.common.StellarCompiler.initializeFunction(StellarCompiler.java:708) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.stellar.common.StellarCompiler.lambda$exitTransformationFunc$13(StellarCompiler.java:660) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.stellar.common.StellarCompiler$Expression.apply(StellarCompiler.java:259) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:151) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:254) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:216) ~[dep-stellar-common-0.7.2-uber-6a2d9ba0-aca2-4b12-b13f-7fd624e30017.jar.1574283953000:?]
       at org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:69) ~[stormjar.jar:?]
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_112]
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_112]
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_112]
       at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_112]
       at org.apache.metron.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:97) ~[stormjar.jar:?] 
      
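      The trace above shows the failure happening while the enrichment topology deserializes the pushed config (ThreatTriageConfig.setRiskLevelRules validates each rule's Stellar, and ENRICHMENT_GET's initialize() asks the validation context for a GLOBAL_CONFIG capability it does not have), so the bad config is rejected only after CONFIG_PUT. The following pre-flight check is added here as an operator-side example; it is not code from the Metron project or from the reporter. It walks threatIntel.triageConfig.riskLevelRules in a sensor enrichment config and flags any field that calls a function known to need a StellarContext during initialization. Assumptions: CONTEXT_REQUIRING_FUNCTIONS holds only ENRICHMENT_GET (the one function the report documents) and is meant to be extended per deployment; the "rule" field is scanned alongside "reason" as a conservative choice; and function calls are recognised by a regular expression rather than a Stellar parser. SAMPLE_CONFIG is the step 5 config embedded as sample input.

```python
import json
import re
from typing import Dict, List, Tuple

# Functions that need a StellarContext capability (e.g. GLOBAL_CONFIG) in
# initialize() and so fail when a triage rule is validated at config load.
# ENRICHMENT_GET is the one documented in the report; the set is a placeholder
# an operator extends for their own deployment (assumption).
CONTEXT_REQUIRING_FUNCTIONS = {"ENRICHMENT_GET"}

# Triage rule fields carrying Stellar. The report shows the failure for
# "reason"; scanning "rule" too is a conservative assumption.
STELLAR_FIELDS = ("rule", "reason")

# A Stellar call looks like NAME(...) with an upper-case name. Heuristic: a
# call-like token inside a string literal also matches, erring toward flagging.
CALL_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)\s*\(")


def stellar_calls(expression: str) -> List[str]:
    """Return the function names called in a Stellar expression, in order."""
    return CALL_RE.findall(expression)


def find_offending_rules(sensor_config: Dict) -> List[Tuple[str, str, str]]:
    """Return (rule name, field, function) for every triage rule field that
    calls a context-requiring function. An empty list means the check passes."""
    findings: List[Tuple[str, str, str]] = []
    rules = (sensor_config.get("threatIntel", {})
             .get("triageConfig", {})
             .get("riskLevelRules", []))
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        for field in STELLAR_FIELDS:
            expression = rule.get(field)
            if not isinstance(expression, str):
                continue
            for function in stellar_calls(expression):
                if function in CONTEXT_REQUIRING_FUNCTIONS:
                    findings.append((name, field, function))
    return findings


# Sample input: the sensor enrichment config from step 5 of the report.
SAMPLE_CONFIG = json.loads("""
{
  "enrichment": {
    "fieldMap": {"stellar": {"config": {"is_alert": "true"}}},
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "Rule",
          "comment": "This rule does not work when executing the 'reason' field.",
          "rule": "true",
          "reason": "FORMAT('Call to ENRICHMENT_GET=%s', ENRICHMENT_GET('user', ip_dst_addr, 'enrichment', 't'))",
          "score": "100"
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}
""")


def main() -> None:
    findings = find_offending_rules(SAMPLE_CONFIG)
    for name, field, function in findings:
        print(f"rule '{name}': '{field}' calls {function}, which needs a "
              f"StellarContext during initialization; the enrichment topology "
              f"would reject this config after CONFIG_PUT")
    if not findings:
        print("no context-requiring calls found in triage rules")


if __name__ == "__main__":
    main()
```

      Run it against a config file before CONFIG_PUT (for example by replacing SAMPLE_CONFIG with `json.load(open(path))`); a non-empty result is the config that would produce the Curator TreeCache error above, with the offending rule and field named so it can be rewritten without the call.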

      People

        Assignee: nickwallen Nick Allen
        Reporter: nickwallen Nick Allen

      Time Tracking

        Time Spent: 1h 10m