And, this PR just went into master. Hopefully this will help in the future. Let me know how I can make it better.
On Mon, Sep 25, 2017 at 4:54 PM, Nick Allen <[email protected]> wrote:

> Just as a side note, based on PR #733 [1], you can also simulate/debug
> these types of Threat Triage rules directly in the Stellar REPL.
>
> (1) There are a few different Threat Triage functions that you can use.
> Feel free to explore each.
>
> [Stellar]>>> %functions THREAT
> THREAT_TRIAGE_ADD, THREAT_TRIAGE_CONFIG, THREAT_TRIAGE_INIT,
> THREAT_TRIAGE_PRINT, THREAT_TRIAGE_REMOVE, THREAT_TRIAGE_SCORE,
> THREAT_TRIAGE_SET_AGGREGATOR
>
> (2) Mock-up a telemetry message that we will triage and score.
>
> [Stellar]>>> msg := SHELL_EDIT()
> [Stellar]>>> msg
> {
>   "test3": "No"
> }
>
> (3) I copied the rules that you included in your email.
> You can either pass in the entire configuration like this or build up
> the rule set incrementally using THREAT_TRIAGE_ADD.
>
> [Stellar]>>> conf := SHELL_EDIT()
> [Stellar]>>> conf
> {
>   "enrichment" : {
>     "fieldMap" : { },
>     "fieldToTypeMap" : { },
>     "config" : { }
>   },
>   "threatIntel": {
>     "fieldMap": {},
>     "fieldToTypeMap": {},
>     "config": {},
>     "triageConfig": {
>       "riskLevelRules": [
>         {
>           "name": "Rule1",
>           "comment": "Checks whatever 1.",
>           "rule": "test == \"false\"",
>           "score": 20,
>           "reason": null
>         },
>         {
>           "name": "Rule1",
>           "comment": "Checks whatever 2.",
>           "rule": "test2 == \"False\"",
>           "score": 20,
>           "reason": null
>         },
>         {
>           "name": "Rule3",
>           "comment": "Checks whatever 2.",
>           "rule": "test3 == \"No\"",
>           "score": 20,
>           "reason": null
>         }
>       ],
>       "aggregator": "SUM",
>       "aggregationConfig": {}
>     }
>   },
>   "configuration": {}
> }
>
> (4) Initialize Threat Triage and review your rule set.
>
> [Stellar]>>> t := THREAT_TRIAGE_INIT(conf)
> [Stellar]>>> THREAT_TRIAGE_PRINT(t)
> ╔═══════╤════════════════════╤══════════════════╤═══════╤════════╗
> ║ Name  │ Comment            │ Triage Rule      │ Score │ Reason ║
> ╠═══════╪════════════════════╪══════════════════╪═══════╪════════╣
> ║ Rule1 │ Checks whatever 1. │ test == "false"  │ 20    │        ║
> ╟───────┼────────────────────┼──────────────────┼───────┼────────╢
> ║ Rule1 │ Checks whatever 2. │ test2 == "False" │ 20    │        ║
> ╟───────┼────────────────────┼──────────────────┼───────┼────────╢
> ║ Rule3 │ Checks whatever 2. │ test3 == "No"    │ 20    │        ║
> ╚═══════╧════════════════════╧══════════════════╧═══════╧════════╝
> Aggregation: SUM
>
> (5) Score the message. From this you can see in detail that the total
> threat triage score is 20, which was the sum of a single rule that fired;
> in this case Rule3.
>
> [Stellar]>>> THREAT_TRIAGE_SCORE(msg, t)
> {score=20.0, aggregator=SUM, rules=[{score=20, name=Rule3, rule=test3 == "No", comment=Checks whatever 2.}]}
>
> I also noticed as I was putting together this demo that the Triage
> Debugger does not honor the `is_alert` field and so behaves slightly
> differently than when running in the Enrichment topology. I should fix
> that. :)
>
> [1] https://github.com/apache/metron/pull/733
>
> On Mon, Sep 25, 2017 at 1:46 PM Laurens Vets <[email protected]> wrote:
>
>> I have the following configuration:
>>
>> "threatIntel": {
>>   "fieldMap": {},
>>   "fieldToTypeMap": {},
>>   "config": {},
>>   "triageConfig": {
>>     "riskLevelRules": [
>>       {
>>         "name": "Rule1",
>>         "comment": "Checks whatever 1.",
>>         "rule": "test == \"false\"",
>>         "score": 20,
>>         "reason": null
>>       },
>>       {
>>         "name": "Rule1",
>>         "comment": "Checks whatever 2.",
>>         "rule": "test2 == \"False\"",
>>         "score": 20,
>>         "reason": null
>>       },
>>       {
>>         "name": "Rule3",
>>         "comment": "Checks whatever 2.",
>>         "rule": "test3 == \"No\"",
>>         "score": 20,
>>         "reason": null
>>       }
>>     ],
>>     "aggregator": "SUM",
>>     "aggregationConfig": {}
>>   }
>> },
>>
>> I have no additional configuration in enrichment besides filling a
>> specific with true or false based on a Stellar expression.
>>
>> I expected that when events would match my above rules, the _score field
>> would be filled in. That does not seem to be the case.
>>
>> Does anyone know what I might be missing?
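As an added illustration (not code from the thread or from Metron itself), the following Python reproduces the scoring walk-through from Nick's REPL session against the rule set Laurens posted: it evaluates each rule, aggregates with SUM, and reports the fired rules the way THREAT_TRIAGE_SCORE does. It understands only the `field == "literal"` rule form used in the thread (an assumption; Stellar is a full expression language), and its `honor_is_alert` switch is an assumed model of the REPL-versus-topology difference Nick mentions, namely that no triage happens unless the message carries `is_alert` set to true.

```python
import re
from typing import Optional

# Constructed from the thread: the triage rule set Laurens posted,
# including the duplicated "Rule1" name exactly as in the mail.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Rule1", "comment": "Checks whatever 1.", "rule": 'test == "false"', "score": 20},
        {"name": "Rule1", "comment": "Checks whatever 2.", "rule": 'test2 == "False"', "score": 20},
        {"name": "Rule3", "comment": "Checks whatever 2.", "rule": 'test3 == "No"', "score": 20},
    ],
    "aggregator": "SUM",
    "aggregationConfig": {},
}

# Toy evaluator (assumption): only the rule form used in the thread,
# field == "literal", is understood; comparison is exact and case-sensitive.
_EQ = re.compile(r'^\s*(\w+)\s*==\s*"([^"]*)"\s*$')

def rule_fires(rule: str, msg: dict) -> bool:
    m = _EQ.match(rule)
    if not m:
        raise ValueError(f"unsupported rule form: {rule!r}")
    field, literal = m.groups()
    return field in msg and str(msg[field]) == literal

_AGGREGATORS = {"SUM": sum, "MAX": max}  # SUM is the one the thread uses

def triage(msg: dict, conf: dict, honor_is_alert: bool = False) -> Optional[dict]:
    """Mimic THREAT_TRIAGE_SCORE(msg, t): the fired rules plus the aggregate score.
    honor_is_alert is an assumed model of the Enrichment topology behaviour Nick
    refers to: skip triage (return None) unless is_alert is true on the message."""
    if honor_is_alert and str(msg.get("is_alert", "false")).lower() != "true":
        return None
    fired = [r for r in conf["riskLevelRules"] if rule_fires(r["rule"], msg)]
    agg_name = conf.get("aggregator", "SUM")
    scores = [r["score"] for r in fired]
    score = float(_AGGREGATORS[agg_name](scores)) if scores else 0.0
    return {
        "score": score,
        "aggregator": agg_name,
        "rules": [{"score": r["score"], "name": r["name"], "rule": r["rule"],
                   "comment": r["comment"]} for r in fired],
    }

def duplicate_rule_names(conf: dict) -> list:
    """Rule names used more than once, which the printed table shows but is easy to miss."""
    names = [r["name"] for r in conf["riskLevelRules"]]
    return sorted({n for n in names if names.count(n) > 1})
```

With the message `{"test3": "No"}` the result is score 20.0 with only Rule3 listed, matching the REPL output above; with `honor_is_alert=True` the same message yields None because it has no `is_alert` field.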
