Oh, cool. Thanks, Casey. I will check it and let you know whether it is working or
not.

On Fri, Mar 31, 2017 at 2:29 PM, Casey Stella <ceste...@gmail.com> wrote:

> Just following up with another option, if you want to consider a message
> an alert if the syslog_severity field matches one of info, debugging,
> warning, error, emergencies, alert or critical, you could also adjust that
> stellar enrichment to be:
> "is_alert" : "exists(syslog_severity) and syslog_severity in [ 'info',
> 'debugging', 'warning', 'error', 'emergencies', 'alert', 'critical']"
>
> On Thu, Mar 30, 2017 at 11:26 PM, Casey Stella <ceste...@gmail.com> wrote:
>
>> So, one thing about threat triage is that we only triage messages which
>> have the field 'is_alert' set to true.  If you are not seeing triaged
>> messages, that is the likely culprit.  Generally, you often see people
>> do a stellar enrichment to selectively choose which messages are
>> alerts (and set is_alert to true on those messages).
>>
>> Judging from your example, perhaps you want a message to be considered an
>> alert if the syslog_severity field exists.  If that is the case, you could
>> accomplish this via a stellar enrichment and the configs would look as
>> follows:
>>
>> {
>>     "enrichment": {
>>         "fieldMap": {
>>             "geo": [
>>                 "ip_src_addr",
>>                 "ip_dst_addr"
>>             ]
>>         },
>>         "fieldToTypeMap": {},
>>         "config": {}
>>     },
>>     "threatIntel": {
>>         "fieldMap": {
>>             "stellar" : {
>>                 "config" : {
>>                     "is_alert" : "if exists(syslog_severity) then true else is_alert"
>>                 }
>>             }
>>         },
>>         "fieldToTypeMap": {},
>>         "config": {},
>>         "triageConfig": {
>>             "riskLevelRules": [
>>                 {
>>                     "name": "Critical severity rule",
>>                     "comment": "",
>>                     "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
>>                     "score": 100,
>>                     "reason": null
>>                 },
>>                 {
>>                     "name": "High severity rule",
>>                     "comment": "",
>>                     "rule": "syslog_severity== 'error'",
>>                     "score": 75,
>>                     "reason": null
>>                 },
>>                 {
>>                     "name": "Medium severity rule",
>>                     "comment": "",
>>                     "rule": "syslog_severity== 'warning'",
>>                     "score": 50,
>>                     "reason": null
>>                 },
>>                 {
>>                     "name": "Low severity rule",
>>                     "comment": "",
>>                     "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
>>                     "score": 25,
>>                     "reason": null
>>                 }
>>             ],
>>             "aggregator": "MAX",
>>             "aggregationConfig": {}
>>         }
>>     },
>>     "configuration": {}
>> }
>>
>>
>>
>> On Thu, Mar 30, 2017 at 10:27 PM, Ali Nazemian <alinazem...@gmail.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> I have got the following Threat Triage rule related to our Metron use
>>> case, which I have configured inside the Metron Management UI. However, I
>>> cannot see any result inside Elasticsearch after this configuration. Do I
>>> need to do any other configuration related to Threat Triage? Is there any
>>> issue with the current configuration? I haven't seen any error related to
>>> Threat Triage inside Storm or Elasticsearch log. I cannot see any Storm
>>> topology related to threat triage!
>>>
>>> {
>>> "enrichment": {
>>> "fieldMap": {
>>> "geo": [
>>> "ip_src_addr",
>>> "ip_dst_addr"
>>> ]
>>> },
>>> "fieldToTypeMap": {},
>>> "config": {}
>>> },
>>> "threatIntel": {
>>> "fieldMap": {},
>>> "fieldToTypeMap": {},
>>> "config": {},
>>> "triageConfig": {
>>> "riskLevelRules": [
>>> {
>>> "name": "Critical severity rule",
>>> "comment": "",
>>> "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or
>>> syslog_severity== 'critical'",
>>> "score": 100,
>>> "reason": null
>>> },
>>> {
>>> "name": "High severity rule",
>>> "comment": "",
>>> "rule": "syslog_severity== 'error'",
>>> "score": 75,
>>> "reason": null
>>> },
>>> {
>>> "name": "Medium severity rule",
>>> "comment": "",
>>> "rule": "syslog_severity== 'warning'",
>>> "score": 50,
>>> "reason": null
>>> },
>>> {
>>> "name": "Low severity rule",
>>> "comment": "",
>>> "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
>>> "score": 25,
>>> "reason": null
>>> }
>>> ],
>>> "aggregator": "MAX",
>>> "aggregationConfig": {}
>>> }
>>> },
>>> "configuration": {}
>>> }
>>>
>>> Regards,
>>> Ali
>>>
>>
>>
>


-- 
A.Nazemian
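An added example, not Metron's code and not from anyone in this thread, that models the two-stage flow Casey describes: a Stellar enrichment sets is_alert (using his second, severity-list option), and only messages with is_alert true are scored by the riskLevelRules with the MAX aggregator. It assumes the thread's rules can be evaluated as Python expressions in place of the Stellar engine, that a missing field behaves like None, and that an alert matching no rule scores 0; the sample messages are constructed.

```python
# Offline model of the triage flow in this thread (stand-in, not Metron code):
# the thread's Stellar rules are also valid Python, so eval() in a locked-down
# namespace stands in for the Stellar engine.

# Rules and aggregator from the thread's triageConfig ("MAX" keeps the top score).
RISK_LEVEL_RULES = [
    ("Critical severity rule", 100, "syslog_severity == 'emergencies' or "
     "syslog_severity == 'alert' or syslog_severity == 'critical'"),
    ("High severity rule", 75, "syslog_severity == 'error'"),
    ("Medium severity rule", 50, "syslog_severity == 'warning'"),
    ("Low severity rule", 25, "syslog_severity == 'info' or syslog_severity == 'debugging'"),
]
# Casey's second option for the Stellar enrichment that sets is_alert.
IS_ALERT_RULE = ("exists(syslog_severity) and syslog_severity in "
                 "['info', 'debugging', 'warning', 'error', 'emergencies', 'alert', 'critical']")

class MessageScope(dict):
    """eval() namespace: a missing field resolves to None instead of raising
    NameError (assumed to mimic how Stellar treats absent fields)."""
    def __missing__(self, key):
        return None

def evaluate(expr, message):
    scope = MessageScope(message)
    scope["exists"] = lambda v: v is not None        # Stellar's exists()
    # Empty builtins: the rule can only see message fields and exists().
    return bool(eval(expr, {"__builtins__": {}}, scope))

def enrich(message):
    """Enrichment stage: set is_alert from the Stellar rule."""
    return {**message, "is_alert": evaluate(IS_ALERT_RULE, message)}

def triage(message, rules=RISK_LEVEL_RULES):
    """Triage stage: only is_alert messages are scored. Returns (MAX score,
    matching rule names) or None; score 0 for no match is an assumption."""
    if not message.get("is_alert"):
        return None
    hits = [(score, name) for name, score, rule in rules if evaluate(rule, message)]
    return (max((s for s, _ in hits), default=0), [n for _, n in hits])

# Constructed sample events; the last two must never reach triage.
SAMPLE_MESSAGES = [
    {"ip_src_addr": "10.0.0.5", "syslog_severity": "critical"},
    {"ip_src_addr": "10.0.0.6", "syslog_severity": "warning"},
    {"ip_src_addr": "10.0.0.7"},                               # no syslog_severity
    {"ip_src_addr": "10.0.0.8", "syslog_severity": "notice"},  # not in the alert list
]

def run_pipeline(messages=SAMPLE_MESSAGES):
    return [triage(enrich(m)) for m in messages]
```

Run `run_pipeline()` to see which of the sample events are dropped before triage and which score; the third and fourth return None, which is the symptom Ali reports when no enrichment sets is_alert at all.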