Re: Threat triage rules using stellar geo enrichment

2017-08-08 Thread Anand Subramanian
Just perfect! Thanks much, Simon.

Cheers,
Anand

From: Simon Elliston Ball <si...@simonellistonball.com>
Reply-To: "user@metron.apache.org" <user@metron.apache.org>
Date: Tuesday, August 8, 2017 at 7:35 PM
To: "user@metron.apache.org

Re: Threat triage rules using stellar geo enrichment

2017-08-08 Thread Simon Elliston Ball
A much better way of doing this is to run the geo enrichment as part of the regular enrichment process and then just use the output field for the rule. Your config already does this, so your rule is in effect running the same enrichment twice. Just use:

enrichments.geo.ip_dst_addr.country != 'US'
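The configuration Simon is describing, written out as an added example for this thread (it is not code from the thread or a config shipped with Apache Metron): the geo enrichment runs once in the enrichment phase on the same fields Anand's snort.json already lists, and the threat triage rule then reads the field that phase produces, `enrichments.geo.ip_dst_addr.country`, instead of calling `GEO_GET` again per message. The rule name, comment and score are assumptions for illustration, the "host" mapping from Anand's config is left out because the thread only shows its beginning, and the riskLevelRules object form (name/comment/rule/score) is the one Metron releases of that period accept; older releases took a plain map of rule string to score.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": ["ip_dst_addr", "ip_src_addr"]
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "non_us_destination",
          "comment": "Assumed example rule: score traffic whose destination geolocates outside the US, using the field the geo enrichment already wrote",
          "rule": "exists(enrichments.geo.ip_dst_addr.country) && enrichments.geo.ip_dst_addr.country != 'US'",
          "score": 50
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  }
}
```

Two things worth checking after pushing this to ZooKeeper (for example with `$METRON_HOME/bin/zk_load_configs.sh`): first, that the enriched message actually carries `enrichments.geo.ip_dst_addr.country` for a known public destination, since the rule reads that field rather than computing it; second, how the rule behaves for destinations the geo database cannot place, such as RFC 1918 addresses, where the country field is simply absent. The `exists(...)` guard in the rule above is an assumption added so that a missing country does not get scored as "not US"; drop it if scoring unknown destinations is the intended behaviour.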

Re: Threat triage rules using stellar geo enrichment

2017-08-08 Thread Anand Subramanian
Thank you, Casey. That worked!

Regards,
Anand

From: Casey Stella <ceste...@gmail.com>
Reply-To: "user@metron.apache.org" <user@metron.apache.org>
Date: Tuesday, August 8, 2017 at 7:12 PM
To: "user@metron.apache.org" mai

Re: Threat triage rules using stellar geo enrichment

2017-08-08 Thread Casey Stella
I think you want:

GEO_GET( ip_dst_addr, ['country']) != 'US'

On Tue, Aug 8, 2017 at 7:29 AM, Anand Subramanian <asubraman...@hortonworks.com> wrote:
> Hello All,
>
> I am trying to write a triage rule where I would like to set the alert score based on Geo enrichment output, as follows.
>
> $

Threat triage rules using stellar geo enrichment

2017-08-08 Thread Anand Subramanian
Hello All,

I am trying to write a triage rule where I would like to set the alert score based on Geo enrichment output, as follows.

$ cat $METRON_HOME/config/zookeeper/enrichments/snort.json
{
  "enrichment" : {
    "fieldMap": {
      "geo": ["ip_dst_addr", "ip_src_addr"],
      "host": [