The threat intel rules will only be run to create a score if the is_alert field is present in the alert message. You can use the enrichments stage to set this based on detections / threat intel / enrichment sources etc. If that field is set to true, then you should see your scoring rules run.
Simon

On Thu, 21 Nov 2019 at 16:10, Gonçalo Pedras <[email protected]> wrote:

> Hi,
>
> I’ve deployed Metron alongside the current Ambari version using the Metron
> HDP3.1 support provided by a branch in the GitHub project.
>
> Fast forward, I’m testing Metron:
>
> 1. I’ve deployed a custom CSV parser with 3 fields (2 dummy fields and an
>    IP field). The parser works fine.
>
> 2. Created a custom template for my sensor with the required fields (guid,
>    ip_src_addr, ip_dst_addr, …) for Elasticsearch for the pattern indexes.
>    Works fine, even Metron can recognize the indexes.
>
> 3. Created a custom Threat Intel source (extractor enrichment config JSON
>    files, and the CSV content file). Also works fine, I’ve tested it using
>    Stellar with the ENRICHMENT_GET function, returning the content I wrote in
>    the CSV file.
>
> 4. Configured Threat Triage for the sensor with the rule
>    “ip_src_addr == ‘<an IP I specified in the CSV file>’” and the score of 5.
>    Doesn’t work… The data in the Elasticsearch index is still being issued
>    without the threat score.
>
> The enrichment config of the threat intel source:
>
> {
>   "zkQuorum" : "XXXXXXXX:XXXX",
>   "sensorToFieldList": {
>     "xcsvtest": {
>       "type": "THREAT_INTEL",
>       "fieldToEnrichmentTypes": {
>         "ip_src_addr" : ["testList"]
>       }
>     }
>   }
> }
>
> My enrichment configuration:
>
> {
>   "enrichment": {
>     "fieldMap": {
>       "geo": [
>         "ip_src_addr"
>       ]
>     },
>     "fieldToTypeMap": {},
>     "config": {}
>   },
>   "threatIntel": {
>     "fieldMap": {},
>     "fieldToTypeMap": {
>       "ip_src_addr": [
>         "testList"
>       ]
>     },
>     "config": {},
>     "triageConfig": {
>       "riskLevelRules": [
>         {
>           "name": "All_threat",
>           "comment": "",
>           "rule": "ip_src_addr == '8.8.8.8'",
>           "reason": null,
>           "score": "5"
>         }
>       ],
>       "aggregator": "MAX",
>       "aggregationConfig": {}
>     }
>   },
>   "configuration": {}
> }
>
> Appreciate any help.
>
> Thanks
--
simon elliston ball
@sireb
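A worked version of what the reply describes, added here as an example and not taken from the thread or from the Metron project's shipped configs: the sensor's enrichment config extended with a Stellar enrichment in the enrichment stage that sets is_alert, so that the triage rule in the threatIntel section has a message to score. The Stellar entry is an assumption: it uses the ENRICHMENT_EXISTS function against an HBase table named 'threatintel' with column family 't', which is where the testList data is assumed to have been loaded; if the loader wrote somewhere else, those two arguments change. Everything else is the configuration quoted above.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": [
        "ip_src_addr"
      ],
      "stellar": {
        "config": {
          "is_alert": "ENRICHMENT_EXISTS('testList', ip_src_addr, 'threatintel', 't')"
        }
      }
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {
      "ip_src_addr": [
        "testList"
      ]
    },
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "All_threat",
          "comment": "score any message whose ip_src_addr is on testList",
          "rule": "ip_src_addr == '8.8.8.8'",
          "reason": null,
          "score": "5"
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}
```

The Stellar expression evaluates to true only for messages whose source address is on the list, so is_alert is only set (and triage only runs) for those; replacing the expression with the literal "true" would instead mark every message from this sensor and let the triage rules decide. Since this lookup runs in the enrichment stage, before the threat intel join, it is an extra HBase read per message. After pushing the file to ZooKeeper (for example with zk_load_configs.sh -m PUSH), a message with a listed ip_src_addr should reach Elasticsearch carrying is_alert and a threat.triage.score of 5; if is_alert is still absent from the indexed document, the lookup arguments are the first thing to check.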
