Just following up with another option, if you want to consider a message an
alert if the syslog_severity field matches one of info, debugging, warning,
error, emergencies, alert or critical, you could also adjust that stellar
enrichment to be:
"is_alert" : "exists(syslog_severity) and syslog_severity in [ 'info', 'debugging', 'warning', 'error', 'emergencies', 'alert', 'critical']"

On Thu, Mar 30, 2017 at 11:26 PM, Casey Stella <ceste...@gmail.com> wrote:

> So, one thing about threat triage is that we only triage messages which
> have the field 'is_alert' set to true.  If you are not seeing triaged
> messages, that is the likely culprit.  Generally, you often see people
> do a stellar enrichment to selectively choose which messages are
> alerts (and set is_alert to true on those messages).
>
> Judging from your example, perhaps you want a message to be considered an
> alert if the syslog_severity field exists.  If that is the case, you could
> accomplish this via a stellar enrichment and the configs would look as
> follows:
>
> {
>     "enrichment": {
>         "fieldMap": {
>             "geo": [
>                 "ip_src_addr",
>                 "ip_dst_addr"
>             ]
>         },
>         "fieldToTypeMap": {},
>         "config": {}
>     },
>     "threatIntel": {
>         "fieldMap": {
>             "stellar": {
>                 "config": {
>                     "is_alert": "if exists(syslog_severity) then true else is_alert"
>                 }
>             }
>         },
>         "fieldToTypeMap": {},
>         "config": {},
>         "triageConfig": {
>             "riskLevelRules": [
>                 {
>                     "name": "Critical severity rule",
>                     "comment": "",
>                     "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
>                     "score": 100,
>                     "reason": null
>                 },
>                 {
>                     "name": "High severity rule",
>                     "comment": "",
>                     "rule": "syslog_severity== 'error'",
>                     "score": 75,
>                     "reason": null
>                 },
>                 {
>                     "name": "Medium severity rule",
>                     "comment": "",
>                     "rule": "syslog_severity== 'warning'",
>                     "score": 50,
>                     "reason": null
>                 },
>                 {
>                     "name": "Low severity rule",
>                     "comment": "",
>                     "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
>                     "score": 25,
>                     "reason": null
>                 }
>             ],
>             "aggregator": "MAX",
>             "aggregationConfig": {}
>         }
>     },
>     "configuration": {}
> }
>
>
>
> On Thu, Mar 30, 2017 at 10:27 PM, Ali Nazemian <alinazem...@gmail.com>
> wrote:
>
>> Hi all,
>>
>> I have got the following Threat Triage rule related to our Metron use
>> case. After I have configured the threat triage inside Metron Management
>> UI. However, I cannot see any result inside Elasticsearch after this
>> configuration. Do I need to do any other configuration related to Threat
>> Triage? Is there any issue with the current configuration? I haven't seen
>> any error related to Threat Triage inside Storm or Elasticsearch log. I
>> cannot see any Storm topology related to threat triage!
>>
>> {
>>     "enrichment": {
>>         "fieldMap": {
>>             "geo": [
>>                 "ip_src_addr",
>>                 "ip_dst_addr"
>>             ]
>>         },
>>         "fieldToTypeMap": {},
>>         "config": {}
>>     },
>>     "threatIntel": {
>>         "fieldMap": {},
>>         "fieldToTypeMap": {},
>>         "config": {},
>>         "triageConfig": {
>>             "riskLevelRules": [
>>                 {
>>                     "name": "Critical severity rule",
>>                     "comment": "",
>>                     "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
>>                     "score": 100,
>>                     "reason": null
>>                 },
>>                 {
>>                     "name": "High severity rule",
>>                     "comment": "",
>>                     "rule": "syslog_severity== 'error'",
>>                     "score": 75,
>>                     "reason": null
>>                 },
>>                 {
>>                     "name": "Medium severity rule",
>>                     "comment": "",
>>                     "rule": "syslog_severity== 'warning'",
>>                     "score": 50,
>>                     "reason": null
>>                 },
>>                 {
>>                     "name": "Low severity rule",
>>                     "comment": "",
>>                     "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
>>                     "score": 25,
>>                     "reason": null
>>                 }
>>             ],
>>             "aggregator": "MAX",
>>             "aggregationConfig": {}
>>         }
>>     },
>>     "configuration": {}
>> }
>>
>> Regards,
>> Ali
>>
>
>

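To make the triage flow discussed in this thread concrete, here is an added Python model (not Metron's code and not a Stellar interpreter): the two is_alert enrichments and the riskLevelRules from the configs are mirrored as Python predicates, applied to constructed sample messages, and the scores of matching rules are combined with MAX.

```python
# Constructed stand-alone model of Metron threat triage as described in this
# thread. It is NOT Metron's code and does not interpret Stellar; each Stellar
# expression from the configs is mirrored by an equivalent Python predicate.

SEVERITY_LIST = ['info', 'debugging', 'warning', 'error',
                 'emergencies', 'alert', 'critical']

def is_alert_exists(msg):
    """Mirrors: if exists(syslog_severity) then true else is_alert"""
    if 'syslog_severity' in msg:
        return True
    return bool(msg.get('is_alert', False))

def is_alert_in_list(msg):
    """Mirrors: exists(syslog_severity) and syslog_severity in [ ... ]"""
    return 'syslog_severity' in msg and msg['syslog_severity'] in SEVERITY_LIST

# riskLevelRules from the configs: (name, predicate standing in for the rule, score).
RISK_LEVEL_RULES = [
    ("Critical severity rule",
     lambda m: m.get('syslog_severity') in ('emergencies', 'alert', 'critical'), 100),
    ("High severity rule", lambda m: m.get('syslog_severity') == 'error', 75),
    ("Medium severity rule", lambda m: m.get('syslog_severity') == 'warning', 50),
    ("Low severity rule",
     lambda m: m.get('syslog_severity') in ('info', 'debugging'), 25),
]

def triage(msg, is_alert_fn, rules=RISK_LEVEL_RULES, aggregator=max):
    """Return (triaged, score, matched_rule_names) for one message.

    Only a message whose is_alert enrichment is true reaches the rules, which is
    why a threatIntel config with an empty fieldMap yields no triaged output.
    Scores of matching rules are combined with the aggregator (MAX here).
    """
    if not is_alert_fn(msg):
        return False, None, []
    matched = [(name, score) for name, pred, score in rules if pred(msg)]
    score = aggregator(s for _, s in matched) if matched else 0
    return True, score, [name for name, _ in matched]

# Constructed sample events (not real syslog data). 'notice' is outside the
# listed severities: the first enrichment still triages it (score 0), the
# second excludes it entirely; a message without the field is never an alert.
SAMPLES = [
    {'ip_src_addr': '10.0.0.1', 'syslog_severity': 'critical'},
    {'ip_src_addr': '10.0.0.2', 'syslog_severity': 'notice'},
    {'ip_src_addr': '10.0.0.3'},
]
```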