So, one thing about threat triage is that we only triage messages which
have the field 'is_alert' set to true.  If you are not seeing triaged
messages, that is the likely culprit.  Generally, you often see people
do a stellar enrichment to selectively choose which messages are
alerts (and set is_alert to true on those messages).

Judging from your example, perhaps you want a message to be considered an
alert if the syslog_severity field exists.  If that is the case, you could
accomplish this via a stellar enrichment and the configs would look as
follows:

{
    "enrichment": {
        "fieldMap": {
            "geo": [
                "ip_src_addr",
                "ip_dst_addr"
            ]
        },
        "fieldToTypeMap": {},
        "config": {}
    },
    "threatIntel": {
        "fieldMap": {
            "stellar": {
                "config": {
                    "is_alert": "if exists(syslog_severity) then true else is_alert"
                }
            }
        },
        "fieldToTypeMap": {},
        "config": {},
        "triageConfig": {
            "riskLevelRules": [
                {
                    "name": "Critical severity rule",
                    "comment": "",
                    "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
                    "score": 100,
                    "reason": null
                },
                {
                    "name": "High severity rule",
                    "comment": "",
                    "rule": "syslog_severity== 'error'",
                    "score": 75,
                    "reason": null
                },
                {
                    "name": "Medium severity rule",
                    "comment": "",
                    "rule": "syslog_severity== 'warning'",
                    "score": 50,
                    "reason": null
                },
                {
                    "name": "Low severity rule",
                    "comment": "",
                    "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
                    "score": 25,
                    "reason": null
                }
            ],
            "aggregator": "MAX",
            "aggregationConfig": {}
        }
    },
    "configuration": {}
}


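As an added illustration (not code from this thread or from Metron itself), the Python below simulates the triage path described in the reply: the is_alert gate, the Stellar enrichment that sets it when syslog_severity exists, the four riskLevelRules from the config, and the MAX aggregator. The rule evaluator only handles the `field== 'value' or ...` subset those rules use, the output field name `threat.triage.score` is an assumption, and the sample messages are constructed.

```python
import re
# Rule strings copied from the triageConfig in the reply above.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Critical severity rule", "score": 100, "rule":
         "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'"},
        {"name": "High severity rule", "score": 75, "rule": "syslog_severity== 'error'"},
        {"name": "Medium severity rule", "score": 50, "rule": "syslog_severity== 'warning'"},
        {"name": "Low severity rule", "score": 25, "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'"},
    ],
    "aggregator": "MAX",
}
CLAUSE = re.compile(r"^\s*(\w+)\s*==\s*'([^']*)'\s*$")
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}

def eval_rule(rule, msg):
    """Evaluate the Stellar subset used above: field== 'value' clauses joined by 'or'."""
    for clause in rule.split(" or "):
        m = CLAUSE.match(clause)
        if m is None:
            raise ValueError("unsupported clause: %r" % clause)
        field, value = m.groups()
        if msg.get(field) == value:
            return True
    return False

def mark_alert(msg):
    """The threatIntel Stellar enrichment from the reply:
    is_alert = if exists(syslog_severity) then true else is_alert."""
    out = dict(msg)
    if "syslog_severity" in out:
        out["is_alert"] = True
    return out

def triage(msg, config=TRIAGE_CONFIG):
    """Triage is skipped unless is_alert is true, so a message that never had
    is_alert set gets no score at all (the symptom in the question)."""
    if not msg.get("is_alert"):
        return msg
    scores = [r["score"] for r in config["riskLevelRules"] if eval_rule(r["rule"], msg)]
    out = dict(msg)
    if scores:  # output field name is an assumption of this example
        out["threat.triage.score"] = AGGREGATORS[config["aggregator"]](scores)
    return out

def run(messages, enrich):
    """Score per message after optional enrichment; None when triage did not run."""
    return [triage(mark_alert(m) if enrich else m).get("threat.triage.score") for m in messages]

# Constructed sample messages; none carries is_alert up front.
SAMPLES = [{"syslog_severity": "critical"}, {"syslog_severity": "warning"}, {"ip_src_addr": "10.0.0.3"}]
```

`run(SAMPLES, enrich=False)` yields no scores for any message, while `run(SAMPLES, enrich=True)` scores the first two as 100 and 50 and still leaves the message without syslog_severity untouched.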

On Thu, Mar 30, 2017 at 10:27 PM, Ali Nazemian <alinazem...@gmail.com>
wrote:

> Hi all,
>
> I have got the following Threat Triage rule related to our Metron use
> case. After I have configured the threat triage inside Metron Management
> UI. However, I cannot see any result inside Elasticsearch after this
> configuration. Do I need to do any other configuration related to Threat
> Triage? Is there any issue with the current configuration? I haven't seen
> any error related to Threat Triage inside Storm or Elasticsearch log. I
> cannot see any Storm topology related to threat triage!
>
> {
>     "enrichment": {
>         "fieldMap": {
>             "geo": [
>                 "ip_src_addr",
>                 "ip_dst_addr"
>             ]
>         },
>         "fieldToTypeMap": {},
>         "config": {}
>     },
>     "threatIntel": {
>         "fieldMap": {},
>         "fieldToTypeMap": {},
>         "config": {},
>         "triageConfig": {
>             "riskLevelRules": [
>                 {
>                     "name": "Critical severity rule",
>                     "comment": "",
>                     "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
>                     "score": 100,
>                     "reason": null
>                 },
>                 {
>                     "name": "High severity rule",
>                     "comment": "",
>                     "rule": "syslog_severity== 'error'",
>                     "score": 75,
>                     "reason": null
>                 },
>                 {
>                     "name": "Medium severity rule",
>                     "comment": "",
>                     "rule": "syslog_severity== 'warning'",
>                     "score": 50,
>                     "reason": null
>                 },
>                 {
>                     "name": "Low severity rule",
>                     "comment": "",
>                     "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
>                     "score": 25,
>                     "reason": null
>                 }
>             ],
>             "aggregator": "MAX",
>             "aggregationConfig": {}
>         }
>     },
>     "configuration": {}
> }
>
> Regards,
> Ali
>