public static JSONObject triage()

in metron-platform/metron-enrichment/metron-enrichment-common/src/main/java/org/apache/metron/enrichment/utils/ThreatIntelUtils.java [75:136]


/**
 * Decides whether a joined enrichment message is an alert and, if so, runs threat triage
 * on it and attaches the resulting threat score.
 *
 * <p>The message is mutated in place: an alerting message gets {@code is_alert} set to the
 * string {@code "true"} and, when at least one rule fired, its threat score appended; a
 * message whose explicit {@code is_alert} converts to false has that field removed.
 *
 * @param ret the joined message (modified in place)
 * @param config sensor enrichment config; may be {@code null}, in which case no triage
 *     config is available and only the alert flag is set
 * @param functionResolver Stellar function resolver handed to the triage processor
 * @param stellarContext Stellar context handed to the triage processor
 * @return the same {@code ret} instance
 */
public static JSONObject triage(JSONObject ret, SensorEnrichmentConfig config, FunctionResolver functionResolver, Context stellarContext) {
    LOG.trace("Received joined messages: {}", ret);

    // An explicit "is_alert" field on the message is authoritative. Only when it is absent
    // does a threat intel hit (any "threatintels*" key other than a ".ts" timestamp) make
    // the message an alert. Note that an explicit false therefore suppresses triage even if
    // hits are present.
    boolean isAlert;
    if (ret.containsKey("is_alert")) {
      // NOTE(review): the converted Boolean is unboxed; if ConversionUtils.convert yields
      // null for a present-but-null value this throws — confirm against the helper.
      isAlert = ConversionUtils.convert(ret.get("is_alert"), Boolean.class);
      if (!isAlert) {
        ret.remove("is_alert");
      }
    } else {
      isAlert = false;
      for (Object key : ret.keySet()) {
        String fieldName = key.toString();
        if (fieldName.startsWith("threatintels") && !fieldName.endsWith(".ts")) {
          isAlert = true;
          break;
        }
      }
    }

    if (!isAlert) {
      return ret;
    }

    // Flag stored as the string "true" rather than a boolean.
    ret.put("is_alert" , "true");
    String sourceType = MessageUtils.getSensorType(ret);

    ThreatTriageConfig triageConfig = null;
    if (config == null) {
      LOG.debug("{}: Unable to find threat config.", sourceType );
    } else {
      triageConfig = config.getThreatIntel().getTriageConfig();
      if (LOG.isDebugEnabled()) {
        LOG.debug("{}: Found sensor enrichment config.", sourceType);
      }
    }

    if (triageConfig == null) {
      LOG.debug("{}: Unable to find threat triage config!", sourceType);
      return ret;
    }

    if (LOG.isDebugEnabled()) {
      LOG.debug("{}: Found threat triage config: {}", sourceType, triageConfig);
      if (triageConfig.getRiskLevelRules() == null || triageConfig.getRiskLevelRules().isEmpty()) {
        LOG.debug("{}: Empty rules!", sourceType);
      }
    }

    // Evaluate the risk level rules against the message.
    ThreatTriageProcessor processor = new ThreatTriageProcessor(config, functionResolver, stellarContext);
    ThreatScore score = processor.apply(ret);

    if (LOG.isDebugEnabled()) {
      // Joining the rule list is only worth doing when the line will actually be emitted.
      String joinedRules = Joiner.on('\n').join(triageConfig.getRiskLevelRules());
      LOG.debug("Marked {} as triage level {} with rules {}", sourceType, score.getScore(),
          joinedRules);
    }

    // Only attach a score when at least one rule contributed to it.
    if (!score.getRuleScores().isEmpty()) {
      appendThreatScore(score, ret);
    }

    return ret;
  }