The _score field is actually an Elasticsearch matching score field, and is not relevant to Metron. You should see the scores in the threat:triage:score field. However, your rules will only be run if the telemetry has is_alert set to true, so you should ensure that the enrichment phase sets is_alert: true somewhere for alerts you want to go to triage?
Simon

> On 25 Sep 2017, at 18:46, Laurens Vets <laur...@daemon.be> wrote:
>
> I have the following configuration:
>
> "threatIntel": {
>   "fieldMap": {},
>   "fieldToTypeMap": {},
>   "config": {},
>   "triageConfig": {
>     "riskLevelRules": [
>       {
>         "name": "Rule1",
>         "comment": "Checks whatever 1.",
>         "rule": "test == \"false\"",
>         "score": 20,
>         "reason": null
>       },
>       {
>         "name": "Rule1",
>         "comment": "Checks whatever 2.",
>         "rule": "test2 == \"False\"",
>         "score": 20,
>         "reason": null
>       },
>       {
>         "name": "Rule3",
>         "comment": "Checks whatever 2.",
>         "rule": "test3 == \"No\"",
>         "score": 20,
>         "reason": null
>       }
>     ],
>     "aggregator": "SUM",
>     "aggregationConfig": {}
>   }
> },
>
> I have no additional configuration in enrichment besides filling a specific
> with true or false based on a Stellar expression.
>
> I expected that when events would match my above rules, the _score field
> would be filled in. That does not seem to be the case.
>
> Does anyone know what I might be missing?
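To make the behaviour Simon describes concrete, here is a small Python model of the triage step, added as an example for this thread; it is not Metron's own code. It takes the riskLevelRules from Laurens's configuration, applies them only to telemetry that carries is_alert, and writes the SUM of the matching scores into threat:triage:score (the field named in the reply). The Stellar evaluator is replaced by a toy matcher that understands only `field == "literal"` comparisons, the sample messages are constructed for the example, and the telemetry values are stored as strings so that they compare against the string literals in the rules; all three are assumptions of this example, not statements about Metron.

```python
import json
import re

# Triage configuration copied from the question (the duplicated "Rule1" name is kept as posted).
TRIAGE_CONFIG = json.loads(r'''
{
  "riskLevelRules": [
    {"name": "Rule1", "comment": "Checks whatever 1.", "rule": "test == \"false\"",  "score": 20, "reason": null},
    {"name": "Rule1", "comment": "Checks whatever 2.", "rule": "test2 == \"False\"", "score": 20, "reason": null},
    {"name": "Rule3", "comment": "Checks whatever 2.", "rule": "test3 == \"No\"",    "score": 20, "reason": null}
  ],
  "aggregator": "SUM",
  "aggregationConfig": {}
}
''')

# Toy stand-in for the Stellar evaluator (assumption): only `field == "literal"` is supported.
RULE_RE = re.compile(r'^\s*([A-Za-z_][\w:.]*)\s*==\s*"([^"]*)"\s*$')


def evaluate_rule(rule: str, message: dict) -> bool:
    """Return True when the message field equals the quoted literal in the rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax in this toy evaluator: {rule!r}")
    field, literal = m.groups()
    # Only string values match the string literal; a missing field never matches.
    return message.get(field) == literal


def matched_rules(message: dict, config: dict) -> list:
    """Names of the rules whose expression holds for the message (order preserved)."""
    return [r["name"] for r in config["riskLevelRules"] if evaluate_rule(r["rule"], message)]


def triage(message: dict, config: dict) -> dict:
    """Return a copy of the message with threat:triage:score set, or unchanged when triage does not apply."""
    out = dict(message)
    # Triage only runs for telemetry flagged as an alert, which is the point of Simon's reply:
    # without is_alert the rules are never evaluated and no score is written.
    if out.get("is_alert") not in (True, "true"):
        return out
    scores = [r["score"] for r in config["riskLevelRules"] if evaluate_rule(r["rule"], out)]
    if not scores:
        return out
    if config["aggregator"] != "SUM":
        raise NotImplementedError("this example models only the SUM aggregator from the question")
    out["threat:triage:score"] = sum(scores)
    return out


# Constructed sample telemetry (not from the thread).
FLAGGED_ALERT = {"ip_src_addr": "10.0.0.5", "test": "false", "test2": "False", "test3": "Yes", "is_alert": "true"}
NOT_FLAGGED = {"ip_src_addr": "10.0.0.5", "test": "false", "test2": "False", "test3": "Yes"}
FLAGGED_NO_MATCH = {"ip_src_addr": "10.0.0.6", "test": "true", "test2": "True", "test3": "Yes", "is_alert": "true"}

if __name__ == "__main__":
    for label, msg in (("flagged", FLAGGED_ALERT), ("not flagged", NOT_FLAGGED), ("flagged, no match", FLAGGED_NO_MATCH)):
        result = triage(msg, TRIAGE_CONFIG)
        print(f"{label:18s} matched={matched_rules(msg, TRIAGE_CONFIG)} score={result.get('threat:triage:score')}")
```

Running it shows the three cases side by side: the flagged message with two matching rules gets a score of 40, the same message without is_alert gets no threat:triage:score at all even though the rule expressions would hold, and a flagged message that matches nothing is also left without a score.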