Excellent! Thank you so much for the assistance. I was able to create the alerts as suggested. My understanding is that Stellar rules (and scores) configured in the config UI will only be evaluated if the is_alert flag is set to true. Is that correct?

Is there perhaps a way to toggle the is_alert flag based on the threat triage score (or alternatively a way to calculate the score without setting the is_alert flag to true)? The use case is that we still want to score incoming records (based on Stellar rules) but don't want them displaying in the alerts UI unless they have a score. We could potentially filter the records from the alerts UI I suppose, or clean up the Elastic index periodically, but I am wondering if something like this can be done out of the box?

Best regards,
Sanket

From: Nick Allen <[email protected]>
Reply to: "[email protected]" <[email protected]>
Date: Thursday, 21 November 2019 at 20:45
To: "[email protected]" <[email protected]>
Subject: Re: Switching alert status

Yes. You would create an enrichment using a Stellar expression that looks something like this.

    is_alert := IN_SUBNET(ip_src_addr, '192.168.0.0/24')

I can create, test and load that enrichment using the Stellar REPL.

    [root@node1 0.7.2]# source /etc/default/metron
    [root@node1 0.7.2]# $METRON_HOME/bin/stellar -z $ZOOKEEPER

Let's test out the expression to make sure it does what we would expect. You can make the expression as complex as you need for your use case using Stellar (https://metron.apache.org/current-book/metron-stellar/stellar-common/index.html).

    [Stellar]>>> ip_src_addr := "192.168.0.22"
    192.168.0.22
    [Stellar]>>> is_alert := IN_SUBNET(ip_src_addr, '192.168.0.0/24')
    true

Need more help?

    [Stellar]>>> ?IN_SUBNET
    IN_SUBNET
    Description: Returns true if an IP is within a subnet range.
    Arguments:
        ip - The IP address in string form
        cidr+ - One or more IP ranges specified in CIDR notation (for example 192.168.0.0/24)
    Returns: True if the IP address is within at least one of the network ranges and false if otherwise

Then I can create and save the enrichment configuration necessary to apply your Stellar expression.

    [Stellar]>>> bro := SHELL_EDIT()
    {
      "enrichment" : {
        "fieldMap": {
          "stellar" : {
            "config" : {
              "is_alert" : "IN_SUBNET(ip_src_addr, '192.168.0.0/24')"
            }
          }
        }
      },
      "threatIntel": {
        "fieldMap": {},
        "fieldToTypeMap": {}
      }
    }
    [Stellar]>>> CONFIG_PUT("ENRICHMENT", bro, "bro")

Hope this helps. Good luck.

On Thu, Nov 21, 2019 at 1:21 PM Sanket Sharma <[email protected]> wrote:

Hi,

I was wondering if there is a way to switch the alert status on or off based on a rule or condition? For instance, I have two different subnets where I'm monitoring network traffic. One is an open network and the other is a private/secured network. I would like to set 'is_alert' to true if the src is subnet two and set it to false when it's subnet one. The end goal is to only have certain alerts displayed in the alerts UI based on conditions. Is it possible?

Best regards,
Sanket
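The is_alert enrichment discussed in the thread, modelled as an added Python example that is neither Metron's code nor part of the original mail: it re-implements the IN_SUBNET(ip, cidr+) decision with the standard-library ipaddress module and applies it to a few constructed bro-style records, so the effect on the alerts UI flag (true only for the secured subnet, false for the open one) can be checked offline. The subnet value, the record contents, and the choice to treat a missing or malformed ip_src_addr as "not an alert" are assumptions made for this example.

```python
# Added example (not Metron's code): a Python model of the is_alert enrichment
# from the thread. IN_SUBNET is re-implemented with the ipaddress module and
# applied to constructed bro-style records; no real traffic is involved.
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample value: the private/secured subnet ("subnet two" in the
# thread) whose traffic should show up in the alerts UI.
SECURED_SUBNET = "192.168.0.0/24"


def in_subnet(ip: str, *cidrs: str) -> bool:
    """Python equivalent of Stellar's IN_SUBNET(ip, cidr+): True if ip lies in
    at least one of the CIDR ranges. A missing or malformed IP yields False
    here (a choice made for this example, so one bad record cannot abort the
    whole batch)."""
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def enrich(record: Dict[str, object]) -> Dict[str, object]:
    """Mirror the enrichment config from the thread:
         "is_alert" : "IN_SUBNET(ip_src_addr, '192.168.0.0/24')"
    Returns a copy of the record with is_alert derived from ip_src_addr."""
    out = dict(record)
    out["is_alert"] = in_subnet(str(record.get("ip_src_addr", "")), SECURED_SUBNET)
    return out


def enrich_all(records: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the enrichment to every record in the batch."""
    return [enrich(r) for r in records]


def alert_sources(records: Iterable[Dict[str, object]]) -> List[str]:
    """Source addresses that would be displayed in the alerts UI
    (is_alert == true) after enrichment."""
    return [str(r["ip_src_addr"]) for r in enrich_all(records) if r["is_alert"]]


# Constructed bro-style records (not captured traffic). The last two exercise
# the malformed-IP and missing-field edge cases.
SAMPLE_RECORDS = [
    {"source.type": "bro", "ip_src_addr": "192.168.0.22", "ip_dst_addr": "93.184.216.34"},
    {"source.type": "bro", "ip_src_addr": "10.1.2.3",     "ip_dst_addr": "93.184.216.34"},
    {"source.type": "bro", "ip_src_addr": "not-an-ip",    "ip_dst_addr": "93.184.216.34"},
    {"source.type": "bro", "ip_dst_addr": "93.184.216.34"},
]

if __name__ == "__main__":
    for r in enrich_all(SAMPLE_RECORDS):
        print(r.get("ip_src_addr", "<missing>"), "-> is_alert =", r["is_alert"])
    print("alerting sources:", alert_sources(SAMPLE_RECORDS))
```

Only the 192.168.0.22 record ends up with is_alert true; the open-subnet record and the two malformed records stay out of the alerts UI, which is the filtering behaviour the original question asked for. Extra ranges can be passed to in_subnet the same way IN_SUBNET accepts more than one CIDR.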
