Yes. You would create an enrichment using a Stellar expression that looks something like this.

    is_alert := IN_SUBNET(ip_src_addr, '192.168.0.0/24')

I can create, test and load that enrichment using the Stellar REPL.

    [root@node1 0.7.2]# source /etc/default/metron
    [root@node1 0.7.2]# $METRON_HOME/bin/stellar -z $ZOOKEEPER

Let's test out the expression to make sure it does what we would expect. You can make the expression as complex as you need for your use case using Stellar <https://metron.apache.org/current-book/metron-stellar/stellar-common/index.html>.

    [Stellar]>>> ip_src_addr := "192.168.0.22"
    192.168.0.22
    [Stellar]>>> is_alert := IN_SUBNET(ip_src_addr, '192.168.0.0/24')
    true

Need more help?

    [Stellar]>>> ?IN_SUBNET
    IN_SUBNET
    Description: Returns true if an IP is within a subnet range.
    Arguments:
      ip - The IP address in string form
      cidr+ - One or more IP ranges specified in CIDR notation (for example 192.168.0.0/24)
    Returns: True if the IP address is within at least one of the network ranges and false if otherwise

Then I can create and save the enrichment configuration necessary to apply your Stellar expression.

    [Stellar]>>> bro := SHELL_EDIT()
    {
      "enrichment" : {
        "fieldMap": {
          "stellar" : {
            "config" : {
              "is_alert" : "IN_SUBNET(ip_src_addr, '192.168.0.0/24')"
            }
          }
        }
      },
      "threatIntel": {
        "fieldMap": {},
        "fieldToTypeMap": {}
      }
    }
    [Stellar]>>> CONFIG_PUT("ENRICHMENT", bro, "bro")

Hope this helps. Good luck.

On Thu, Nov 21, 2019 at 1:21 PM Sanket Sharma <[email protected]> wrote:
> Hi,
>
> I was wondering if there is a way to switch the alert status on or off
> based on rule or condition? For instance, I have two different subnets
> where I'm monitoring network traffic. One is an open network and the other
> is a private/secured network.
>
> I would like to set 'is_alert' to true if the src is subnet two and set it
> to false when it's subnet one. The end goal is to only have certain alerts
> displayed in the alerts UI based on conditions. Is it possible?
>
> Best regards,
> Sanket
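As an added illustration (not Metron's code and not part of the reply above), the following Python emulates what that enrichment does: it builds the same enrichment JSON for one or more CIDRs and applies the IN_SUBNET expression to sample messages, so the resulting is_alert value can be checked offline before the config is loaded with CONFIG_PUT. The regex-based expression parser, the constructed sample messages and the choice to leave is_alert unset when ip_src_addr is missing are assumptions of this example, not Stellar's own behaviour.

```python
import ipaddress
import re

# Matches only the form used in the reply: IN_SUBNET(<field>, '<cidr>'[, '<cidr>'...]).
# This mini-parser is an assumption of the example, not Stellar's grammar.
IN_SUBNET_RE = re.compile(r"^IN_SUBNET\(\s*(\w+)\s*((?:,\s*'[^']+'\s*)+)\)$")


def in_subnet(ip, *cidrs):
    """Stellar IN_SUBNET semantics: true if ip lies in at least one CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def build_enrichment_config(field, cidrs, src_field="ip_src_addr"):
    """Build the enrichment JSON the reply saves with CONFIG_PUT("ENRICHMENT", ...).

    Passing several CIDRs uses the 'cidr+' form from the IN_SUBNET help text.
    """
    cidr_args = ", ".join(f"'{c}'" for c in cidrs)
    return {
        "enrichment": {"fieldMap": {"stellar": {"config": {
            field: f"IN_SUBNET({src_field}, {cidr_args})"}}}},
        "threatIntel": {"fieldMap": {}, "fieldToTypeMap": {}},
    }


def apply_enrichment(config, message):
    """Emulate the 'stellar' enrichment fieldMap: evaluate each expression and
    store the result in the message under the configured field name."""
    out = dict(message)
    stellar = config["enrichment"]["fieldMap"]["stellar"]["config"]
    for field, expr in stellar.items():
        m = IN_SUBNET_RE.match(expr)
        if not m:
            raise ValueError(f"unsupported Stellar expression in example: {expr}")
        src_field, cidr_part = m.group(1), m.group(2)
        cidrs = re.findall(r"'([^']+)'", cidr_part)
        ip = out.get(src_field)
        # Assumption: a message without a source address gets no is_alert value.
        out[field] = in_subnet(ip, *cidrs) if ip else None
    return out


if __name__ == "__main__":
    cfg = build_enrichment_config("is_alert", ["192.168.0.0/24"])
    # Constructed sample messages: one from the alerting subnet, one from elsewhere.
    for msg in ({"ip_src_addr": "192.168.0.22"}, {"ip_src_addr": "10.0.0.5"}):
        print(apply_enrichment(cfg, msg))
```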
