So, one thing about threat triage is that we only triage messages which have the field 'is_alert' set to true. If you are not seeing triaged messages, that is the likely culprit. Generally, you often see people do a Stellar enrichment to selectively choose which messages are alerts (and set is_alert to true on those messages).
Judging from your example, perhaps you want a message to be considered an alert if the syslog_severity field exists. If that is the case, you could accomplish this via a Stellar enrichment and the configs would look as follows:

{
  "enrichment": {
    "fieldMap": {
      "geo": [
        "ip_src_addr",
        "ip_dst_addr"
      ]
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {
      "stellar": {
        "config": {
          "is_alert": "if exists(syslog_severity) then true else is_alert"
        }
      }
    },
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "Critical severity rule",
          "comment": "",
          "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
          "score": 100,
          "reason": null
        },
        {
          "name": "High severity rule",
          "comment": "",
          "rule": "syslog_severity== 'error'",
          "score": 75,
          "reason": null
        },
        {
          "name": "Medium severity rule",
          "comment": "",
          "rule": "syslog_severity== 'warning'",
          "score": 50,
          "reason": null
        },
        {
          "name": "Low severity rule",
          "comment": "",
          "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
          "score": 25,
          "reason": null
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}

On Thu, Mar 30, 2017 at 10:27 PM, Ali Nazemian <alinazem...@gmail.com> wrote:
> Hi all,
>
> I have got the following Threat Triage rule related to our Metron use
> case. I have configured the threat triage inside the Metron Management
> UI. However, I cannot see any result inside Elasticsearch after this
> configuration. Do I need to do any other configuration related to Threat
> Triage? Is there any issue with the current configuration? I haven't seen
> any error related to Threat Triage inside Storm or Elasticsearch logs. I
> cannot see any Storm topology related to threat triage!
>
> {
>   "enrichment": {
>     "fieldMap": {
>       "geo": [
>         "ip_src_addr",
>         "ip_dst_addr"
>       ]
>     },
>     "fieldToTypeMap": {},
>     "config": {}
>   },
>   "threatIntel": {
>     "fieldMap": {},
>     "fieldToTypeMap": {},
>     "config": {},
>     "triageConfig": {
>       "riskLevelRules": [
>         {
>           "name": "Critical severity rule",
>           "comment": "",
>           "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
>           "score": 100,
>           "reason": null
>         },
>         {
>           "name": "High severity rule",
>           "comment": "",
>           "rule": "syslog_severity== 'error'",
>           "score": 75,
>           "reason": null
>         },
>         {
>           "name": "Medium severity rule",
>           "comment": "",
>           "rule": "syslog_severity== 'warning'",
>           "score": 50,
>           "reason": null
>         },
>         {
>           "name": "Low severity rule",
>           "comment": "",
>           "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
>           "score": 25,
>           "reason": null
>         }
>       ],
>       "aggregator": "MAX",
>       "aggregationConfig": {}
>     }
>   },
>   "configuration": {}
> }
>
> Regards,
> Ali
>
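The gating described in the reply above (triage only runs on messages where is_alert is true, the Stellar enrichment is what sets it, and the MAX aggregator picks the highest matching rule score) can be checked offline with a small simulation. The following is an added example, not Metron's own code: it re-implements only the subset of Stellar the rules on this page use (`field== 'literal'` terms joined by `or`), accepts either the boolean true or the string "true" for is_alert as an assumption about how the flag may be carried, and returns a score of 0 when an alert matches no rule, which is this toy's choice rather than documented Metron behaviour. The sample messages are constructed.

```python
"""Toy simulation of Metron threat-triage gating and MAX aggregation.

Added example, not Metron code. Stellar is reduced to the subset used by
the rules in this thread: `field== 'literal'` terms joined by `or`.
"""
import json

# The triage rules from the thread, copied from the config in the reply.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Critical severity rule",
         "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
         "score": 100},
        {"name": "High severity rule", "rule": "syslog_severity== 'error'", "score": 75},
        {"name": "Medium severity rule", "rule": "syslog_severity== 'warning'", "score": 50},
        {"name": "Low severity rule",
         "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'", "score": 25},
    ],
    "aggregator": "MAX",
}

# Only the aggregators needed here; Metron offers more, this toy does not.
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}

# Constructed sample messages: three syslog-style records and one flow
# record that carries no syslog_severity at all.
SAMPLE_MESSAGES = [
    {"source.type": "asa", "syslog_severity": "critical", "ip_src_addr": "10.0.0.5"},
    {"source.type": "asa", "syslog_severity": "warning", "ip_src_addr": "10.0.0.6"},
    {"source.type": "asa", "syslog_severity": "notice", "ip_src_addr": "10.0.0.7"},
    {"source.type": "yaf", "ip_src_addr": "10.0.0.8", "ip_dst_addr": "10.0.0.9"},
]


def eval_rule(expr, msg):
    """Evaluate a `field== 'value' or field== 'value'` rule (toy Stellar subset)."""
    for term in expr.split(" or "):
        field, _, literal = term.partition("==")
        if msg.get(field.strip()) == literal.strip().strip("'"):
            return True
    return False


def mark_alert(msg):
    """The Stellar enrichment from the reply:
    if exists(syslog_severity) then true else is_alert."""
    if "syslog_severity" in msg:
        msg["is_alert"] = True
    return msg


def triage(msg, config=TRIAGE_CONFIG):
    """Return (score, matched rule names), or None when the message is not an alert.

    Triage runs only when is_alert is set, as the thread states. Accepting the
    string "true" as well as True is an assumption of this toy. A score of 0
    for an alert that matches no rule is also this toy's choice.
    """
    if msg.get("is_alert") not in (True, "true"):
        return None
    hits = [(r["score"], r["name"])
            for r in config["riskLevelRules"] if eval_rule(r["rule"], msg)]
    if not hits:
        return 0, []
    agg = AGGREGATORS[config["aggregator"]]
    return agg(s for s, _ in hits), [n for _, n in hits]


def run_demo(messages=SAMPLE_MESSAGES, enrich=True):
    """Triage each constructed message with or without the is_alert enrichment."""
    results = []
    for m in messages:
        m = dict(m)
        if enrich:
            mark_alert(m)
        results.append({"source.type": m["source.type"],
                        "syslog_severity": m.get("syslog_severity"),
                        "triage": triage(m)})
    return results


if __name__ == "__main__":
    print("without enrichment:", json.dumps(run_demo(enrich=False), indent=2))
    print("with enrichment:", json.dumps(run_demo(enrich=True), indent=2))
```

Running it with `enrich=False` reproduces the symptom in the original question: every message comes back as None because nothing ever set is_alert, so no rule is ever consulted. With the enrichment in place the syslog messages are scored and the flow record still skips triage, which is the selective behaviour the reply describes.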