I'd like to explore the functionality that we have in Metron using a motivating example. I think this will help highlight some gaps where we can enhance Metron.
The motivating example is that I would like to create an alert if the number of inbound flows to any host over a 15 minute interval is abnormal. I would like the alert to contain the specific information below to streamline the triage process. Rule: Abnormal number of inbound flows Bin: 15 mins Alert: The host 'powned.svr.bank.com' has '230' inbound flows, exceeding the threshold of '202' *What Works* In some ways, this example is similar to the "Outlier Detection" demo that I performed with the Profiler a few months back. We have most of what we need to do this with a couple caveats. 1. An enrichment would be added to enrich the message with the correct internal hostname 'powned.svr.bank.com'. 2. With the Profiler, I can capture some idea of what "normal" is for the number of inbound flows across 15 minute intervals. 3. With Threat Triage, I can create rules that alert when a value exceeds what the Profiler defines as normal. *What's Missing* Its nice to know that we are almost all the way there with this example. Unfortunately, there are two gaps that fall out of this. 1. *Threat Triage Transparency* There is little transparency into the Threat Triage process itself. When Threat Triage runs, all I get is a score. I don't know how that score was arrived at, which rules were triggered, and the specific values that caused a rule to trigger. More specifically, there is no way to generate a message that looks like "The host 'powned.svr.bank.com' has '230' inbound flows, exceeding the threshold of '202'". 2. *Triage Calculated Values from the Profiler* Also, the value being interrogated here, the number of inbound flows, is not a static value contained within any single telemetry message. This value is calculated across multiple messages by the Profiler. The current Threat Triage process cannot be used to interrogate values calculated by the Profiler. To try and keep this email concise and digestible, I am going to send a follow-on discussing proposed solutions for each of these separately.
