Hi all, I have got the following Threat Triage rules related to our Metron use case. After configuring the threat triage inside the Metron Management UI, however, I cannot see any result inside Elasticsearch. Do I need to do any other configuration related to Threat Triage? Is there any issue with the current configuration? I haven't seen any error related to Threat Triage inside the Storm or Elasticsearch logs. I cannot see any Storm topology related to threat triage!
{
  "enrichment": {
    "fieldMap": {
      "geo": [ "ip_src_addr", "ip_dst_addr" ]
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "Critical severity rule",
          "comment": "",
          "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
          "score": 100,
          "reason": null
        },
        {
          "name": "High severity rule",
          "comment": "",
          "rule": "syslog_severity== 'error'",
          "score": 75,
          "reason": null
        },
        {
          "name": "Medium severity rule",
          "comment": "",
          "rule": "syslog_severity== 'warning'",
          "score": 50,
          "reason": null
        },
        {
          "name": "Low severity rule",
          "comment": "",
          "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
          "score": 25,
          "reason": null
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}

Regards,
Ali
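An added example of my own (not Ali's configuration and not Metron's own code): it replays the posted riskLevelRules with the MAX aggregator against constructed syslog messages, so you can see which threat triage score each syslog_severity value should yield once triage actually runs. It assumes, as I understand the Metron enrichment topology to behave, that triage is only applied to messages already flagged with is_alert set to "true", and it only supports the Stellar subset the posted rules use (field == 'literal' clauses joined by "or").

```python
import re

# Constructed copy of the four riskLevelRules from the posted triageConfig.
RULES = [
    {"name": "Critical severity rule", "score": 100,
     "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'"},
    {"name": "High severity rule", "score": 75, "rule": "syslog_severity== 'error'"},
    {"name": "Medium severity rule", "score": 50, "rule": "syslog_severity== 'warning'"},
    {"name": "Low severity rule", "score": 25,
     "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'"},
]

# Only the Stellar subset the posted rules use: field == 'literal' clauses joined by "or".
CLAUSE = re.compile(r"^\s*(\w+)\s*==\s*'([^']*)'\s*$")

def rule_matches(rule, message):
    """True if any 'or'-separated clause of the rule holds for the message.
    Unsupported syntax raises rather than silently evaluating to False."""
    for clause in re.split(r"\s+or\s+", rule):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, literal = m.groups()
        if message.get(field) == literal:
            return True
    return False

def triage(message, rules=RULES, aggregator="MAX"):
    """Return (score, names of matching rules) for one enriched message.
    Assumption (my reading of Metron, not verified against its source): triage
    only runs for messages already flagged is_alert == "true"; others get no score."""
    if str(message.get("is_alert", "")).lower() != "true":
        return None, []
    hits = [r for r in rules if rule_matches(r["rule"], message)]
    scores = [r["score"] for r in hits]
    if not scores:
        return 0, []
    if aggregator == "MAX":
        score = max(scores)
    elif aggregator == "SUM":
        score = sum(scores)
    else:
        raise ValueError(f"unsupported aggregator: {aggregator}")
    return score, [r["name"] for r in hits]

if __name__ == "__main__":  # constructed sample messages, not real syslog traffic
    for sev in ("alert", "warning", "notifications"):
        print(sev, "->", triage({"is_alert": "true", "syslog_severity": sev}))
```

A message whose severity matches none of the four rules scores 0 here, and a message that was never flagged is_alert is not triaged at all, which is the first thing to check when no threat.triage score appears in the index.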