Oh, cool. Thanks, Casey. I will check it and let you know whether it is working or not.
On Fri, Mar 31, 2017 at 2:29 PM, Casey Stella <ceste...@gmail.com> wrote:
> Just following up with another option, if you want to consider a message
> an alert if the syslog_severity field matches one of info, debugging,
> warning, error, emergencies, alert or critical, you could also adjust that
> stellar enrichment to be:
> "is_alert" : "exists(syslog_severity) and syslog_severity in [ 'info',
> 'debugging', 'warning', 'error', 'emergencies', 'alert', 'critical']"
>
> On Thu, Mar 30, 2017 at 11:26 PM, Casey Stella <ceste...@gmail.com> wrote:
>
>> So, one thing about threat triage is that we only triage messages which
>> have the field 'is_alert' set to true. If you are not seeing triaged
>> messages, that is the likely culprit. Generally, you often see people
>> either do a stellar enrichment to selectively choose which messages are
>> alerts (and set is_alert to true on those messages).
>>
>> Judging from your example, perhaps you want a message to be considered an
>> alert if the syslog_severity field exists. If that is the case, you could
>> accomplish this via a stellar enrichment and the configs would look as
>> follows:
>>
>> {
>>   "enrichment": {
>>     "fieldMap": {
>>       "geo": [
>>         "ip_src_addr",
>>         "ip_dst_addr"
>>       ]
>>     },
>>     "fieldToTypeMap": {},
>>     "config": {}
>>   },
>>   "threatIntel": {
>>     "fieldMap": {
>>       "stellar" : {
>>         "config" : {
>>           "is_alert" : "if exists(syslog_severity) then true else is_alert"
>>         }
>>       }
>>     },
>>     "fieldToTypeMap": {},
>>     "config": {},
>>     "triageConfig": {
>>       "riskLevelRules": [
>>         {
>>           "name": "Critical severity rule",
>>           "comment": "",
>>           "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
>>           "score": 100,
>>           "reason": null
>>         },
>>         {
>>           "name": "High severity rule",
>>           "comment": "",
>>           "rule": "syslog_severity== 'error'",
>>           "score": 75,
>>           "reason": null
>>         },
>>         {
>>           "name": "Medium severity rule",
>>           "comment": "",
>>           "rule": "syslog_severity== 'warning'",
>>           "score": 50,
>>           "reason": null
>>         },
>>         {
>>           "name": "Low severity rule",
>>           "comment": "",
>>           "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
>>           "score": 25,
>>           "reason": null
>>         }
>>       ],
>>       "aggregator": "MAX",
>>       "aggregationConfig": {}
>>     }
>>   },
>>   "configuration": {}
>> }
>>
>>
>>
>> On Thu, Mar 30, 2017 at 10:27 PM, Ali Nazemian <alinazem...@gmail.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> I have got the following Threat Triage rule related to our Metron use
>>> case. I have configured the threat triage inside Metron Management
>>> UI. However, I cannot see any result inside Elasticsearch after this
>>> configuration. Do I need to do any other configuration related to Threat
>>> Triage? Is there any issue with the current configuration? I haven't seen
>>> any error related to Threat Triage inside Storm or Elasticsearch log. I
>>> cannot see any Storm topology related to threat triage!
>>>
>>> {
>>>   "enrichment": {
>>>     "fieldMap": {
>>>       "geo": [
>>>         "ip_src_addr",
>>>         "ip_dst_addr"
>>>       ]
>>>     },
>>>     "fieldToTypeMap": {},
>>>     "config": {}
>>>   },
>>>   "threatIntel": {
>>>     "fieldMap": {},
>>>     "fieldToTypeMap": {},
>>>     "config": {},
>>>     "triageConfig": {
>>>       "riskLevelRules": [
>>>         {
>>>           "name": "Critical severity rule",
>>>           "comment": "",
>>>           "rule": "syslog_severity== 'emergencies' or syslog_severity== 'alert' or syslog_severity== 'critical'",
>>>           "score": 100,
>>>           "reason": null
>>>         },
>>>         {
>>>           "name": "High severity rule",
>>>           "comment": "",
>>>           "rule": "syslog_severity== 'error'",
>>>           "score": 75,
>>>           "reason": null
>>>         },
>>>         {
>>>           "name": "Medium severity rule",
>>>           "comment": "",
>>>           "rule": "syslog_severity== 'warning'",
>>>           "score": 50,
>>>           "reason": null
>>>         },
>>>         {
>>>           "name": "Low severity rule",
>>>           "comment": "",
>>>           "rule": "syslog_severity== 'info' or syslog_severity== 'debugging'",
>>>           "score": 25,
>>>           "reason": null
>>>         }
>>>       ],
>>>       "aggregator": "MAX",
>>>       "aggregationConfig": {}
>>>     }
>>>   },
>>>   "configuration": {}
>>> }
>>>
>>> Regards,
>>> Ali
>>>
>>
>>
>
--
A.Nazemian
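The is_alert gate and the MAX-aggregated severity rules from Casey's replies, as an added Python simulation that is not part of this thread or of Metron itself: the two enrichment options, the rule scores and the aggregator are taken from the thread, while the evaluation logic is a stand-in for the Stellar engine and the sample messages are constructed.

```python
# Added example, not Metron's own code: a small Python stand-in for the threat
# triage behaviour described in this thread. The is_alert gate, the rule scores
# and the MAX aggregator come from the thread; the evaluation itself simulates
# what the Stellar engine does and is not Metron's implementation.

KNOWN_SEVERITIES = ["info", "debugging", "warning", "error",
                    "emergencies", "alert", "critical"]

# (rule name, severity values the rule matches, score), mirroring riskLevelRules.
RISK_LEVEL_RULES = [
    ("Critical severity rule", {"emergencies", "alert", "critical"}, 100),
    ("High severity rule", {"error"}, 75),
    ("Medium severity rule", {"warning"}, 50),
    ("Low severity rule", {"info", "debugging"}, 25),
]


def is_alert_exists(message):
    """Option 1 from the thread: "if exists(syslog_severity) then true else is_alert"."""
    if "syslog_severity" in message:
        return True
    return bool(message.get("is_alert", False))


def is_alert_known(message):
    """Option 2 from the thread: "exists(syslog_severity) and syslog_severity in [...]"."""
    return message.get("syslog_severity") in KNOWN_SEVERITIES


def triage(message, is_alert_rule=None):
    """Return (score, matched rule names) using the MAX aggregator, or None when
    the message is not an alert and triage is skipped (the symptom in the thread:
    no enrichment sets is_alert, so nothing is ever scored)."""
    enriched = dict(message)
    if is_alert_rule is not None:
        enriched["is_alert"] = is_alert_rule(message)
    if not enriched.get("is_alert"):
        return None
    matched = [(name, score) for name, values, score in RISK_LEVEL_RULES
               if enriched.get("syslog_severity") in values]
    score = max((s for _, s in matched), default=0)
    return score, [name for name, _ in matched]


if __name__ == "__main__":
    # Constructed sample messages, not real syslog data.
    critical = {"syslog_severity": "critical", "ip_src_addr": "10.0.0.1"}
    print(triage(critical))                                         # None
    print(triage(critical, is_alert_known))     # (100, ['Critical severity rule'])
    print(triage({"syslog_severity": "notice"}, is_alert_exists))   # (0, [])
    print(triage({"syslog_severity": "notice"}, is_alert_known))    # None
```

The "notice" case shows the difference between the two options: the exists() form marks any message carrying the field as an alert even when no rule matches it, while the list form leaves unknown severities untriaged.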