The threat intel rules will only be run to create a score if the is_alert
field is present in the alert message. You can use the enrichments stage to
set this based on detections, threat intel, enrichment sources, etc. If
that field is set to true, then you should see your scoring rules run.

Simon
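As an added illustration (not from Simon's reply or from the Metron project itself), this is the sensor enrichment config from the quoted message below, with a Stellar enrichment added to the `enrichment` stage that sets `is_alert` when the source IP matches the watched value, so that the triage rule in the `threatIntel` block has the field it needs. The `stellar` enrichment block follows the standard Metron Stellar enrichment layout, the watched IP is the one used in the original rule, and the rule literal uses straight quotes; all of that is assumed for the example.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": [ "ip_src_addr" ],
      "stellar": {
        "config": {
          "is_alert": "ip_src_addr == '8.8.8.8'"
        }
      }
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {
      "ip_src_addr": [ "testList" ]
    },
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "All_threat",
          "comment": "scored only for messages that carry is_alert",
          "rule": "ip_src_addr == '8.8.8.8'",
          "reason": null,
          "score": "5"
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}
```

The Stellar expression evaluates to a boolean, so `is_alert` is `true` on matching messages and `false` otherwise; if you want the field only on matches, replace the expression with a conditional that yields `true` or nothing.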

On Thu, 21 Nov 2019 at 16:10, Gonçalo Pedras <goncalo.ped...@ctd.pt> wrote:

> Hi,
>
> I've deployed Metron alongside the current Ambari version using the Metron
> HDP3.1 support provided by a branch in the GitHub project.
>
> Fast forward, I'm testing Metron:
>
> 1. I've deployed a custom CSV parser with 3 fields (2 dummy fields
> and an IP field). The parser works fine.
>
> 2. Created a custom template for my sensor with the required fields
> (guid, ip_src_addr, ip_dst_addr, ...) for Elasticsearch for the pattern
> indexes. Works fine, even Metron can recognize the indexes.
>
> 3. Created a custom Threat Intel source (extractor and enrichment
> config JSON files, and the CSV content file). Also works fine, I've tested
> it using Stellar with the ENRICHMENT_GET function, returning the content I
> wrote in the CSV file.
>
> 4. Configured Threat Triage for the sensor with the rule
> "ip_src_addr == '<an IP I specified in the CSV file>'" and the score of 5.
> Doesn't work... The data in the Elasticsearch index is still being issued
> without the threat score.
>
>
> The enrichment config of the threat intel source:
>
> {
>   "zkQuorum" : "XXXXXXXX:XXXX",
>   "sensorToFieldList": {
>     "xcsvtest": {
>       "type": "THREAT_INTEL",
>       "fieldToEnrichmentTypes": {
>         "ip_src_addr" : ["testList"]
>       }
>     }
>   }
> }
>
> My enrichment configuration:
>
> {
>   "enrichment": {
>     "fieldMap": {
>       "geo": [
>         "ip_src_addr"
>       ]
>     },
>     "fieldToTypeMap": {},
>     "config": {}
>   },
>   "threatIntel": {
>     "fieldMap": {},
>     "fieldToTypeMap": {
>       "ip_src_addr": [
>         "testList"
>       ]
>     },
>     "config": {},
>     "triageConfig": {
>       "riskLevelRules": [
>         {
>           "name": "All_threat",
>           "comment": "",
>           "rule": "ip_src_addr == ‘8.8.8.8’ ",
>           "reason": null,
>           "score": "5"
>         }
>       ],
>       "aggregator": "MAX",
>       "aggregationConfig": {}
>     }
>   },
>   "configuration": {}
> }
>
> Appreciate any help.
>
> Thanks
>

-- 
simon elliston ball
@sireb