Oh, I didn't know I had to set is_alert to True.

Doesn't that mean that we have to add all rules twice? First to check whether is_alert needs to be set to True. Next to apply the actual scores?

On 2017-09-25 11:00, Simon Elliston Ball wrote:
the _score field is actually an Elasticsearch matching score field,
and is not relevant to Metron. You should see the scores in the
threat:triage:score field. However, your rules will only be run if the
telemetry has is_alert set to true, so you should ensure that the
enrichment phase sets is_alert: true somewhere for alerts you want to
go to triage?

Simon

On 25 Sep 2017, at 18:46, Laurens Vets <laur...@daemon.be> wrote:

I have the following configuration:

"threatIntel": {
  "fieldMap": {},
  "fieldToTypeMap": {},
  "config": {},
  "triageConfig": {
    "riskLevelRules": [
      {
        "name": "Rule1",
        "comment": "Checks whatever 1.",
        "rule": "test == \"false\"",
        "score": 20,
        "reason": null
      },
      {
        "name": "Rule1",
        "comment": "Checks whatever 2.",
        "rule": "test2 == \"False\"",
        "score": 20,
        "reason": null
      },
      {
        "name": "Rule3",
        "comment": "Checks whatever 2.",
        "rule": "test3 == \"No\"",
        "score": 20,
        "reason": null
      }
    ],
    "aggregator": "SUM",
    "aggregationConfig": {}
  }
},

I have no additional configuration in enrichment besides filling a specific field with true or false based on a Stellar expression.

I expected that when events would match my above rules, the _score field would be filled in. That does not seem to be the case.

Does anyone know what I might be missing?
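The following is an added illustration of the behaviour Simon describes, not Metron's own code: enrichment and triage are modelled as two separate steps, triage evaluates the posted riskLevelRules only when is_alert is true, and matching scores are combined with the configured aggregator. The rule evaluator is a deliberately tiny stand-in for Stellar that understands only the form `field == "literal"`; the `enrich` function, the `alert_conditions` parameter, the string-comparison semantics and the MAX aggregator are assumptions made for the example.

```python
"""Simulation of Metron's threat triage gate, as described in the thread above.

Added illustration, not Metron's own code. It models two separate steps:
an enrichment step that sets is_alert, and a triage step that only runs
riskLevelRules when is_alert is true and combines the matching scores
with the configured aggregator. Rule evaluation is a deliberately tiny
stand-in for Stellar that understands only the form  field == "literal".
"""
import re

# The riskLevelRules and aggregator from the posted configuration.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Rule1", "rule": 'test == "false"', "score": 20, "reason": None},
        {"name": "Rule1", "rule": 'test2 == "False"', "score": 20, "reason": None},
        {"name": "Rule3", "rule": 'test3 == "No"', "score": 20, "reason": None},
    ],
    "aggregator": "SUM",
}

_RULE_RE = re.compile(r'^\s*([\w:.]+)\s*==\s*"([^"]*)"\s*$')


def evaluate_rule(rule, message):
    """Evaluate a  field == "literal"  rule against a message dict.

    Assumption: the field is compared by its string form, so a boolean
    False in the message matches the literal "False" but not "false".
    Real Stellar is a full expression language; this is only a stand-in.
    """
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax in this simulation: %r" % rule)
    field, literal = m.groups()
    return field in message and str(message[field]) == literal


def is_alert(message):
    """is_alert may arrive as a boolean or as the string 'true'; accept both."""
    value = message.get("is_alert", False)
    return value is True or str(value).lower() == "true"


# Only SUM appears in the thread; MAX is added here to show the aggregator is pluggable.
AGGREGATORS = {
    "SUM": sum,
    "MAX": lambda scores: max(scores),
}


def enrich(message, alert_conditions):
    """Enrichment step (hypothetical): flag the message as an alert when any condition holds."""
    out = dict(message)
    if any(evaluate_rule(cond, message) for cond in alert_conditions):
        out["is_alert"] = "true"
    return out


def triage(message, triage_config=TRIAGE_CONFIG):
    """Triage step: rules run only for alerts; matching scores are aggregated.

    Returns a copy of the message. Non-alerts come back unchanged, which is
    the symptom in the thread: rules would match, but no threat:triage:score
    appears because the gate was never opened.
    """
    out = dict(message)
    if not is_alert(message):
        return out
    hits = [(r["name"], r["score"]) for r in triage_config["riskLevelRules"]
            if evaluate_rule(r["rule"], message)]
    if hits:
        aggregate = AGGREGATORS[triage_config.get("aggregator", "SUM")]
        out["threat:triage:score"] = aggregate([score for _, score in hits])
        out["threat:triage:rules"] = [name for name, _ in hits]
    return out


if __name__ == "__main__":
    # Constructed sample telemetry, not real data.
    sample = {"test": "false", "test2": "False", "test3": "yes"}
    print("without is_alert:", triage(sample))
    flagged = enrich(sample, ['test == "false"'])
    print("after enrichment:", triage(flagged))
```

Running the script shows the same message scored twice: first with no is_alert field, where triage returns it untouched, then after the enrichment step has set is_alert, where the two matching rules are summed to 40.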
