Hi all,

I have got the following Threat Triage rule related to our Metron use case,
which I configured inside the Metron Management UI. However, I cannot see
any result inside Elasticsearch after this configuration. Do I need to do any
other configuration related to Threat Triage? Is there any issue with the
current configuration? I haven't seen any error related to Threat Triage
inside the Storm or Elasticsearch logs. I cannot see any Storm topology
related to threat triage!

{
  "enrichment": {
    "fieldMap": {
      "geo": [
        "ip_src_addr",
        "ip_dst_addr"
      ]
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "Critical severity rule",
          "comment": "",
          "rule": "syslog_severity == 'emergencies' or syslog_severity == 'alert' or syslog_severity == 'critical'",
          "score": 100,
          "reason": null
        },
        {
          "name": "High severity rule",
          "comment": "",
          "rule": "syslog_severity == 'error'",
          "score": 75,
          "reason": null
        },
        {
          "name": "Medium severity rule",
          "comment": "",
          "rule": "syslog_severity == 'warning'",
          "score": 50,
          "reason": null
        },
        {
          "name": "Low severity rule",
          "comment": "",
          "rule": "syslog_severity == 'info' or syslog_severity == 'debugging'",
          "score": 25,
          "reason": null
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}

Regards,
Ali
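Two things about the configuration above are easy to miss when checking results in Elasticsearch: Metron has no separate threat triage topology (the `threatIntel.triageConfig` block is applied inside the enrichment topology, which is why none shows up in Storm), and triage only runs for messages that are flagged as alerts, i.e. that carry `is_alert` set to `true`, either explicitly or because a threat intel enrichment hit. A message whose `syslog_severity` is `critical` but which is not an alert gets no triage score at all. The following added example, which is not part of this thread or of Metron's code, simulates that behaviour offline so you can check what score a given message should receive. It implements only the subset of Stellar used by these rules (`field == 'literal'` joined with `or` / `and`) and assumes a score of 0 when no rule matches; the real Stellar engine and the output field name (`threat.triage.score`) are Metron's, not reproduced here.

```python
import re
from typing import Dict, List, Optional

# Triage configuration copied from the e-mail above; embedded here as the
# example's sample input (the enrichment/threatIntel wrapper is omitted).
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Critical severity rule",
         "rule": "syslog_severity == 'emergencies' or syslog_severity == 'alert' "
                 "or syslog_severity == 'critical'",
         "score": 100},
        {"name": "High severity rule", "rule": "syslog_severity == 'error'", "score": 75},
        {"name": "Medium severity rule", "rule": "syslog_severity == 'warning'", "score": 50},
        {"name": "Low severity rule",
         "rule": "syslog_severity == 'info' or syslog_severity == 'debugging'",
         "score": 25},
    ],
    "aggregator": "MAX",
}

# Aggregators Metron offers for combining the scores of all matching rules.
AGGREGATORS = {
    "MAX": max,
    "MIN": min,
    "SUM": sum,
    "MEAN": lambda xs: sum(xs) / len(xs),
}

# Assumption of this example: only `field == 'literal'` clauses are supported,
# joined by `or` and `and`. Metron's real Stellar language is far richer.
_CLAUSE = re.compile(r"^\s*(\w+)\s*==\s*'([^']*)'\s*$")


def _eval_clause(clause: str, message: Dict[str, object]) -> bool:
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported Stellar clause in this simulator: {clause!r}")
    field, literal = m.groups()
    # A field that is absent from the message never matches.
    return field in message and str(message[field]) == literal


def eval_rule(rule: str, message: Dict[str, object]) -> bool:
    """Evaluate a rule: `or` has the lowest precedence, `and` binds tighter."""
    for disjunct in re.split(r"\s+or\s+", rule):
        if all(_eval_clause(c, message) for c in re.split(r"\s+and\s+", disjunct)):
            return True
    return False


def is_alert(message: Dict[str, object]) -> bool:
    """Metron triages a message only when is_alert is true (set by a parser,
    by an enrichment, or by a threat intel hit)."""
    return str(message.get("is_alert", "false")).lower() == "true"


def triage(message: Dict[str, object], config=TRIAGE_CONFIG) -> Dict[str, object]:
    """Return which rules fired and the aggregated score for one message.

    score is None when the message is not an alert (triage is skipped), and
    0.0 when it is an alert but no rule matched (assumption of this example).
    """
    if not is_alert(message):
        return {"triaged": False, "matched": [], "score": None}
    matched: List[str] = [r["name"] for r in config["riskLevelRules"]
                          if eval_rule(r["rule"], message)]
    scores = [float(r["score"]) for r in config["riskLevelRules"] if r["name"] in matched]
    aggregate = AGGREGATORS[config.get("aggregator", "MAX")]
    score: Optional[float] = aggregate(scores) if scores else 0.0
    return {"triaged": True, "matched": matched, "score": score}


if __name__ == "__main__":
    # Constructed sample messages: the first is a plain syslog event, the second
    # is the same event after something flagged it as an alert.
    for msg in ({"syslog_severity": "critical"},
                {"syslog_severity": "critical", "is_alert": "true"},
                {"syslog_severity": "warning", "is_alert": "true"},
                {"is_alert": "true"}):
        print(msg, "->", triage(msg))
```

Run it as-is to see that the un-flagged `critical` message is not triaged at all, while the flagged one scores 100 under `MAX`; if your indexed documents show no score, the first thing to verify is whether they carry `is_alert: true` when they leave enrichment.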
