Re: Not seeing any Metron alerts.

2017-09-26 Thread Simon Elliston Ball
Probably, though there are things (unlikely things) you can do to templates that would prevent that. > On 26 Sep 2017, at 17:25, Laurens Vets wrote: > > Why would I need to update my ES template? I should see the field (possibly > with the wrong type) anyways in the event

Re: Not seeing any Metron alerts.

2017-09-26 Thread Laurens Vets
After setting is_alert to true, this field is now shown in my event in Kibana. I would expect there also to be a field "threat:triage:level" in those same events (if my rules work?) On 2017-09-25 16:46, zeo...@gmail.com wrote: > I was quickly reading through this on my mobile device so sorry if

Re: Not seeing any Metron alerts.

2017-09-25 Thread Nick Allen
And, this PR just went into master. Hopefully this will help in the future. Let me know how I can make it better. On Mon, Sep 25, 2017 at 4:54 PM, Nick Allen wrote: > Just as a side note, based on PR #733 [1], you can also simulate/debug > these types of > Threat Triage

Re: Not seeing any Metron alerts.

2017-09-25 Thread Simon Elliston Ball
The _score field is actually an Elasticsearch matching score field, and is not relevant to Metron. You should see the scores in the threat:triage:score field. However, your rules will only be run if the telemetry has is_alert set true, so you should ensure that the enrichment phase sets