You can have as many boolean condition fields as you like in your message, but 
only is_alert will trigger the triage process. Once there you can of course 
refer to any number of fields in the rule statements. 

For example:

{
  "enrichment": {
    "fieldMap": {
      "stellar" : {
        "config" : {
          "is_alert": "EXISTS(Severity)",
          "alarm_state": "event_type == 'ddos' and ip_dst_addr == 'x.x.x.x'",
          "something_else": "hostname == 'bad' and alarm_state == true"
        }
      }
    },
    "fieldToTypeMap": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "triageConfig" : {
      "riskLevelRules" : [
        {
          "rule" : "alarm_state",
          "score" : 100
        },
        {
          "rule" : "alarm_state and not IN_SUBNET(ip_dst_addr, '192.168.16.0/24')",
          "score" : 50
        }
      ],
      "aggregator" : "MAX"
    }
  }
}

Note that you also don’t need all those IF THEN constructs if you’re just 
returning and recording a boolean state. 

Simon
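To make the gating Simon describes concrete (several boolean enrichment fields are computed, but only is_alert opens the door to triage, and once there the risk rules may read any of them), here is a small Python model of the enrichment-then-triage flow. It is an added illustration for this thread, not Metron code: the Stellar expressions from the config above are replaced by Python predicates over the message dict, the rules are assumed to run in the order listed so that a later enrichment can see an earlier one's output, the `x.x.x.x` placeholder is filled with the constructed address `10.0.0.5`, and the sample messages are constructed.

```python
"""Toy model of Metron-style enrichment followed by threat triage.

Added example, not Metron's implementation. Stellar expressions are
modelled as Python callables over the message dict.
"""
import ipaddress

# Constructed stand-in for the 'x.x.x.x' target address in the thread.
DDOS_TARGET = "10.0.0.5"


def in_subnet(ip, cidr):
    """Model of Stellar IN_SUBNET: True if ip falls inside the CIDR block."""
    if ip is None:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Enrichment step, mirroring the "stellar" fieldMap from the config above.
# Each entry writes one boolean output field. Assumption: entries run in
# order, so "something_else" can read the "alarm_state" computed before it.
ENRICHMENTS = {
    "is_alert": lambda m: "Severity" in m,                       # EXISTS(Severity)
    "alarm_state": lambda m: m.get("event_type") == "ddos"
                             and m.get("ip_dst_addr") == DDOS_TARGET,
    "something_else": lambda m: m.get("hostname") == "bad"
                                and m.get("alarm_state") is True,
}

# Triage step, mirroring riskLevelRules: a rule that evaluates True
# contributes its score; the aggregator combines the contributing scores.
RISK_RULES = [
    {"rule": lambda m: m.get("alarm_state") is True, "score": 100},
    {"rule": lambda m: m.get("alarm_state") is True
                       and not in_subnet(m.get("ip_dst_addr"), "192.168.16.0/24"),
     "score": 50},
]

AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}


def enrich(message):
    """Return a copy of the message with every enrichment field set to a bool."""
    out = dict(message)
    for field, predicate in ENRICHMENTS.items():
        out[field] = bool(predicate(out))
    return out


def triage(message, rules=RISK_RULES, aggregator="MAX"):
    """Return the aggregated triage score for an enriched message.

    None means triage was skipped because is_alert is not set; 0 means the
    message was an alert but no risk rule matched (a choice of this model).
    """
    if not message.get("is_alert"):
        return None
    scores = [r["score"] for r in rules if r["rule"](message)]
    if not scores:
        return 0
    return AGGREGATORS[aggregator](scores)


# Constructed sample messages.
SAMPLES = {
    "alert_ddos": {"Severity": "high", "event_type": "ddos",
                   "ip_dst_addr": DDOS_TARGET, "hostname": "bad"},
    "ddos_no_severity": {"event_type": "ddos", "ip_dst_addr": DDOS_TARGET},
    "alert_other_target": {"Severity": "low", "event_type": "ddos",
                           "ip_dst_addr": "192.168.16.7"},
}


def run_samples():
    """Enrich and triage every sample; returns {name: (enriched, score)}."""
    return {name: (lambda e: (e, triage(e)))(enrich(msg))
            for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (enriched, score) in run_samples().items():
        flags = {k: enriched.get(k) for k in ENRICHMENTS}
        print(f"{name}: {flags} -> score {score}")
```

The second sample is the point of Simon's note: `alarm_state` is true for it, but because `Severity` is absent `is_alert` stays false and no triage score is produced at all, whereas the first sample is an alert, matches both rules, and gets 100 under MAX (150 under SUM).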


> On 2 Apr 2017, at 05:37, Ali Nazemian <alinazem...@gmail.com> wrote:
> 
> Hi Otto,
> 
> I  have got two different conditions for a single sensor. Take the following 
> as an example:
> 
> IF ( exists(Severity))
> Then (is_alert = true)
> 
> IF ( event_type =='ddos' and ip_dst_addr='x.x.x.x')
> Then (alarm_status= true)
> 
> I know how to manage the first one, but I am not sure whether Metron is able to pick 
> up two different boolean conditions or not. Is "is_alert" a hard-coded condition, 
> or am I allowed to define more boolean conditions?
> 
> 
> Regards,
> Ali
> 
> On Sun, Apr 2, 2017 at 1:42 AM, Otto Fowler <ottobackwa...@gmail.com 
> <mailto:ottobackwa...@gmail.com>> wrote:
> Ali, can you pseudocode out what you are logically looking to do?
> 
> IF ( IS_ALERT(Field0) AND IS_TRUE(Field1 > 0 ) OR ……….. 
> THEN (alarm_status = true )
> 
> 
> 
> 
> On April 1, 2017 at 10:09:36, Ali Nazemian (alinazem...@gmail.com 
> <mailto:alinazem...@gmail.com>) wrote:
> 
>> Hi Simon,
>> 
>> This is a different use case. We might need to have multiple boolean 
>> attributes. Having "is_alert" is not enough for this one. I am looking for 
>> the same behaviour as "is_alert" with different attributes. Let's say 
>> "is_alert" is bounded to Threat Triage with a scoring mechanism, but I need 
>> another boolean attribute for a different condition.
>> 
>> Cheers,
>> Ali
>> 
>> On Sat, Apr 1, 2017 at 9:14 PM, Simon Elliston Ball 
>> <si...@simonellistonball.com <mailto:si...@simonellistonball.com>> wrote:
>> That would be a perfect use for a Stellar enrichment using a statement to 
>> trigger the alert based on some Boolean expression. I would recommend using 
>> the is_alert field as the output field though, which will trigger the triage 
>> scoring.
>> 
>> Simon
>> 
>> > On 1 Apr 2017, at 10:59, Ali Nazemian <alinazem...@gmail.com 
>> > <mailto:alinazem...@gmail.com>> wrote:
>> >
>> > Hi all,
>> >
>> > I was wondering whether it is possible to have a conditional enrichment or 
>> > not? Suppose I want to have the following enrichment:
>> >
>> > If event_type == 'DDOS' and ip_dst_addr=='x.x.x.x' then alarm_status = true
>> >
>> > How can I set the enrichment configuration to handle this situation?
>> >
>> > Regards,
>> > Ali
>> 
>> 
>> 
>> --
>> A.Nazemian
> 
> 
> 
> -- 
> A.Nazemian