Stellar Language Quick Reference

Stellar Examples

Stellar examples help to illustrate how you can use Stellar statements to transform and enrich streaming data to identify suspicious behavior.

Let's consider a situation where you have a message containing the field ip_src_addr and you want to determine whether the source address falls within one of a few subnet ranges. You also want to store the result in a variable called is_local:

is_local := IN_SUBNET( ip_src_addr, '192.168.0.0/16', '192.169.0.0/16') 

Now, let's consider a situation where you want to determine if the top level domain of a domain name, stored in a field called domain, is from a specific set of whitelisted TLDs:

is_government := DOMAIN_TO_TLD(domain) in [ 'mil', 'gov' ] 

Let's assume further that the incoming data is known to be spotty, with occasional surrounding spaces and a trailing dot caused by a known upstream ingest mistake. You can handle that with three Stellar statements, the first two sanitizing the domain field and the final one performing the whitelist check:

sanitized_domain := TRIM(domain)

sanitized_domain := if ENDS_WITH(sanitized_domain, '.') then CHOP(sanitized_domain) else sanitized_domain 

is_government := DOMAIN_TO_TLD( sanitized_domain ) in [ 'mil', 'gov' ]

Now, let's consider a situation where you have a blacklist of known malicious domains. You can use the CCP data importer to store this data in HBase under the enrichment type malicious_domains. As data streams by, you will want to indicate whether or not a domain is malicious. Further, as before, you still have some ingestion cruft to clean up first:

sanitized_domain := TRIM(domain)

sanitized_domain := if ENDS_WITH(sanitized_domain, '.') then CHOP(sanitized_domain) else sanitized_domain 

in_blacklist := ENRICHMENT_EXISTS('malicious_domains', sanitized_domain, 'enrichments', 't')
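The four enrichments above (the subnet check, the TLD whitelist, the two sanitizing statements, and the blacklist lookup) form one pipeline applied to each message. The following Python is an added example that reimplements that pipeline so the edge cases can be exercised offline; it is not Stellar and not code from the CCP project. The sample messages, the in-memory dictionary standing in for the HBase enrichment store, and the domain names in it are all constructed for the example, and domain_to_tld is a simplification that takes the last label (Stellar's DOMAIN_TO_TLD consults the public suffix list, so "example.co.uk" would yield "co.uk" there).

```python
import ipaddress

# Constructed stand-in for the HBase enrichment store populated by the data
# importer. Keys are enrichment types, values are the indicators stored under
# them. The domain names are made up for this example.
ENRICHMENT_STORE = {
    "malicious_domains": {"bad-example.test", "evil.example.test"},
}

# Constants taken from the Stellar statements on the page.
LOCAL_SUBNETS = ("192.168.0.0/16", "192.169.0.0/16")
GOVERNMENT_TLDS = ("mil", "gov")

# Constructed sample messages: a clean one, one with the trailing-dot ingest
# cruft, and one with a malformed source address.
SAMPLE_MESSAGES = [
    {"ip_src_addr": "192.168.10.4", "domain": "  army.mil. "},
    {"ip_src_addr": "10.0.0.7", "domain": "bad-example.test."},
    {"ip_src_addr": "not-an-ip", "domain": "www.example.org"},
]


def in_subnet(ip, *cidrs):
    """Equivalent of IN_SUBNET: true if ip falls inside any of the CIDR ranges.

    A value that is not a valid IP address yields False rather than raising,
    so one bad message does not stop the stream.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)


def sanitize_domain(domain):
    """The two sanitizing statements: TRIM, then CHOP a trailing dot."""
    if domain is None:
        return None
    cleaned = domain.strip()          # TRIM(domain)
    if cleaned.endswith("."):         # if ENDS_WITH(..., '.') then CHOP(...)
        cleaned = cleaned[:-1]
    return cleaned


def domain_to_tld(domain):
    """Simplified DOMAIN_TO_TLD: the last label of the name (assumption of
    this example; the real function uses the public suffix list)."""
    if not domain or "." not in domain:
        return None
    return domain.rsplit(".", 1)[1]


def enrichment_exists(enrichment_type, indicator, store):
    """Stand-in for ENRICHMENT_EXISTS('malicious_domains', ..., 'enrichments', 't'):
    looks the indicator up under the given enrichment type."""
    return indicator in store.get(enrichment_type, set())


def enrich(message, store):
    """Add is_local, sanitized_domain, is_government and in_blacklist to a message."""
    out = dict(message)
    out["is_local"] = in_subnet(message.get("ip_src_addr", ""), *LOCAL_SUBNETS)
    sanitized = sanitize_domain(message.get("domain"))
    out["sanitized_domain"] = sanitized
    out["is_government"] = domain_to_tld(sanitized) in GOVERNMENT_TLDS
    out["in_blacklist"] = enrichment_exists("malicious_domains", sanitized, store)
    return out


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(enrich(msg, ENRICHMENT_STORE))
```

Note that the blacklist lookup is performed on sanitized_domain, not on the raw domain field: "bad-example.test." with its trailing dot would otherwise miss the stored indicator, which is exactly the kind of silent false negative the sanitizing statements exist to prevent.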
