Hi Otto, I have got two different conditions for a single sensor. Take the following as an example:

IF ( exists(Severity)) Then (is_alert = true)
IF ( event_type =='ddos' and ip_dst_addr='x.x.x.x') Then (alarm_status= true)

I know how to manage the first one, but I am not sure whether Metron is able to pick two different boolean conditions or not. Is "is_alert" a hard-coded condition, or am I allowed to define more boolean conditions?

Regards,
Ali

On Sun, Apr 2, 2017 at 1:42 AM, Otto Fowler <ottobackwa...@gmail.com> wrote:

> Ali, can you pseudocode out what you are logically looking to do?
>
> IF ( IS_ALERT(Field0) AND IS_TRUE(Field1 > 0 ) OR ………..
> THEN (alarm_status = true )
>
> On April 1, 2017 at 10:09:36, Ali Nazemian (alinazem...@gmail.com) wrote:
>
> Hi Simon,
>
> This is a different use case. We might need to have multiple boolean attributes. Having "is_alert" is not enough for this one. I am looking for the same behaviour as "is_alert" with different attributes. Let's say "is_alert" is bound to Threat Triage with a scoring mechanism, but I need another boolean attribute for a different condition.
>
> Cheers,
> Ali
>
> On Sat, Apr 1, 2017 at 9:14 PM, Simon Elliston Ball <si...@simonellistonball.com> wrote:
>
>> That would be a perfect use for a Stellar enrichment, using a statement to trigger the alert based on some Boolean expression. I would recommend using the is_alert field as the output field though, which will trigger the triage scoring.
>>
>> Simon
>>
>> > On 1 Apr 2017, at 10:59, Ali Nazemian <alinazem...@gmail.com> wrote:
>> >
>> > Hi all,
>> >
>> > I was wondering whether it is possible to have a conditional enrichment or not? Suppose I want to have the following enrichment:
>> >
>> > If event_type == 'DDOS' and ip_dst_addr=='x.x.x.x' then alarm_status = true
>> >
>> > How can I set the enrichment configuration to handle this situation?
>> >
>> > Regards,
>> > Ali
>
> --
> A.Nazemian

--
A.Nazemian
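An added example, not posted by anyone in this thread and not taken from the Metron project's own documentation, of how the two conditions above map onto one sensor enrichment config: both booleans are ordinary Stellar enrichment outputs, and only `is_alert` is read by the threat triage stage. It assumes the `enrichment.fieldMap.stellar` / `threatIntel.triageConfig` layout of Metron as of 2017, and keeps the thread's `x.x.x.x` placeholder for the protected address.

```json
{
  "enrichment": {
    "fieldMap": {
      "stellar": {
        "config": {
          "severity_rules": {
            "is_alert": "exists(Severity)"
          },
          "ddos_rules": {
            "alarm_status": "event_type == 'ddos' && ip_dst_addr == 'x.x.x.x'"
          }
        }
      }
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "ddos_against_protected_host",
          "comment": "alarm_status is a plain boolean field written by the stellar enrichment above; x.x.x.x is a placeholder",
          "rule": "exists(alarm_status) && alarm_status == true",
          "score": 10
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

The statements inside each named group (`severity_rules`, `ddos_rules`) run in order and write top-level fields on the message, so `alarm_status` can be referenced by later enrichment statements and by triage rules exactly like `is_alert`; the only thing special about `is_alert` is that triage scoring runs when it is set.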