Just as a side note, based on PR #733 [1], you can also simulate/debug
these types of Threat Triage rules directly in the Stellar REPL.
(1) There are a few different Threat Triage functions that you can use.
Feel free to explore each.
[Stellar]>>> %functions THREAT
THREAT_TRIAGE_ADD, THREAT_TRIAGE_CONFIG, THREAT_TRIAGE_INIT,
THREAT_TRIAGE_PRINT, THREAT_TRIAGE_REMOVE, THREAT_TRIAGE_SCORE,
THREAT_TRIAGE_SET_AGGREGATOR
(2) Mock-up a telemetry message that we will triage and score.
[Stellar]>>> msg := SHELL_EDIT()
[Stellar]>>> msg
{
"test3": "No"
}
(3) I copied the rules that you included in your email.
You can either pass in the entire configuration like this or build up
the rule set incrementally using THREAT_TRIAGE_ADD.
[Stellar]>>> conf := SHELL_EDIT()
[Stellar]>>> conf
{
"enrichment" : {
"fieldMap" : { },
"fieldToTypeMap" : { },
"config" : { }
},
"threatIntel": {
"fieldMap": {},
"fieldToTypeMap": {},
"config": {},
"triageConfig": {
"riskLevelRules": [
{
"name": "Rule1",
"comment": "Checks whatever 1.",
"rule": "test == \"false\"",
"score": 20,
"reason": null
},
{
"name": "Rule1",
"comment": "Checks whatever 2.",
"rule": "test2 == \"False\"",
"score": 20,
"reason": null
},
{
"name": "Rule3",
"comment": "Checks whatever 2.",
"rule": "test3 == \"No\"",
"score": 20,
"reason": null
}
],
"aggregator": "SUM",
"aggregationConfig": {}
}
},
"configuration": {}
}
(4) Initialize Threat Triage and review your rule set.
[Stellar]>>> t := THREAT_TRIAGE_INIT(conf)
[Stellar]>>> THREAT_TRIAGE_PRINT(t)
╔═══════╤════════════════════╤══════════════════╤═══════╤════════╗
║ Name │ Comment │ Triage Rule │ Score │ Reason ║
╠═══════╪════════════════════╪══════════════════╪═══════╪════════╣
║ Rule1 │ Checks whatever 1. │ test == "false" │ 20 │ ║
╟───────┼────────────────────┼──────────────────┼───────┼────────╢
║ Rule1 │ Checks whatever 2. │ test2 == "False" │ 20 │ ║
╟───────┼────────────────────┼──────────────────┼───────┼────────╢
║ Rule3 │ Checks whatever 2. │ test3 == "No" │ 20 │ ║
╚═══════╧════════════════════╧══════════════════╧═══════╧════════╝
Aggregation: SUM
(5) Score the message. From this you can see in detail that the total
threat triage score is 20, which was the sum of a single rule that fired;
in this case Rule3.
[Stellar]>>> THREAT_TRIAGE_SCORE(msg, t)
{score=20.0, aggregator=SUM, rules=[{score=20, name=Rule3, rule=test3 ==
"No", comment=Checks whatever 2.}]}
I also noticed as I was putting together this demo that the Triage
Debugger does not honor the `is_alert` field and so behaves slightly
differently than when running in the Enrichment topology. I should fix
that. :)
[1] https://github.com/apache/metron/pull/733
On Mon, Sep 25, 2017 at 1:46 PM Laurens Vets <[email protected]> wrote:
> I have the following configuration:
>
> "threatIntel": {
> "fieldMap": {},
> "fieldToTypeMap": {},
> "config": {},
> "triageConfig": {
> "riskLevelRules": [
> {
> "name": "Rule1",
> "comment": "Checks whatever 1.",
> "rule": "test == \"false\"",
> "score": 20,
> "reason": null
> },
> {
> "name": "Rule1",
> "comment": "Checks whatever 2.",
> "rule": "test2 == \"False\"",
> "score": 20,
> "reason": null
> },
> {
> "name": "Rule3",
> "comment": "Checks whatever 2.",
> "rule": "test3 == \"No\"",
> "score": 20,
> "reason": null
> }
> ],
> "aggregator": "SUM",
> "aggregationConfig": {}
> }
> },
>
> I have no additional configuration in enrichment besides filling a
> specific with true or false based on a Stellar expression.
>
> I expected that when events would match my above rules, the _score field
> would be filled in. That does not seem to be the case.
>
> Does anyone know what I might be missing?
>
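As an added illustration of the scoring walk-through in the reply above (this is not Metron's or the Stellar REPL's own code), the following Python simulation evaluates the thread's riskLevelRules against a message and aggregates the fired scores the way THREAT_TRIAGE_SCORE reports them. It supports only the `field == "literal"` / `field != "literal"` subset of Stellar that these rules use, and the honor_is_alert switch is an assumption modelling the Enrichment-topology gate that the reply says the REPL debugger does not replicate.

```python
import json
import re

# Constructed copy of the "triageConfig" block posted in the thread.
TRIAGE_CONF = json.loads(r"""
{
  "triageConfig": {
    "riskLevelRules": [
      {"name": "Rule1", "comment": "Checks whatever 1.", "rule": "test == \"false\"",  "score": 20, "reason": null},
      {"name": "Rule1", "comment": "Checks whatever 2.", "rule": "test2 == \"False\"", "score": 20, "reason": null},
      {"name": "Rule3", "comment": "Checks whatever 2.", "rule": "test3 == \"No\"",    "score": 20, "reason": null}
    ],
    "aggregator": "SUM",
    "aggregationConfig": {}
  }
}
""")

# Tiny Stellar subset: <field> == "<literal>" or <field> != "<literal>".
RULE_RE = re.compile(r'^\s*(\w+)\s*(==|!=)\s*"([^"]*)"\s*$')

AGGREGATORS = {"SUM": sum, "MAX": max, "MIN": min}


def evaluate_rule(rule: str, msg: dict) -> bool:
    """True when the rule fires. A field absent from the message compares
    unequal to every literal, as a null value would in Stellar."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax (demo subset only): {rule!r}")
    field, op, literal = m.groups()
    value = msg.get(field)
    equal = value is not None and str(value) == literal
    return equal if op == "==" else not equal


def triage_score(msg: dict, conf: dict, honor_is_alert: bool = False) -> dict:
    """Mirror the shape THREAT_TRIAGE_SCORE prints: total, aggregator, fired rules.
    honor_is_alert=True (assumed topology behaviour) skips scoring unless the
    message carries is_alert == "true", which the REPL debugger does not check."""
    tc = conf["triageConfig"]
    if honor_is_alert and str(msg.get("is_alert", "")).lower() != "true":
        return {"score": 0.0, "aggregator": tc["aggregator"], "rules": []}
    fired = [r for r in tc["riskLevelRules"] if evaluate_rule(r["rule"], msg)]
    scores = [float(r["score"]) for r in fired]
    total = AGGREGATORS[tc["aggregator"]](scores) if scores else 0.0
    return {"score": total, "aggregator": tc["aggregator"], "rules": [r["name"] for r in fired]}


if __name__ == "__main__":
    # Same message as the thread's SHELL_EDIT() mock-up: only Rule3 fires.
    print(triage_score({"test3": "No"}, TRIAGE_CONF))
```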