Posted to user@metron.apache.org by Gonçalo Pedras <go...@ctd.pt> on 2019/11/21 16:10:15 UTC
Score not being issued by ThreatIntel Enrichment
Hi,
I've deployed Metron alongside the current Ambari version using the Metron HDP3.1 support provided by a branch in the GitHub project.
Fast forward, I'm testing Metron:
1. I've deployed a custom CSV parser with 3 fields (2 dummy fields and an IP field). The parser works fine.
2. Created a custom template for my sensor with the required fields (guid, ip_src_addr, ip_dst_addr, ...) for Elasticsearch for the pattern indexes. Works fine, even Metron can recognize the indexes.
3. Created a custom Threat Intel source (extractor enrichment config JSON files, and the CSV content file). Also works fine, I've tested it using Stellar with ENRICHMENT_GET function, returning the content I wrote in the CSV file.
4. Configured Threat Triage for the sensor with the rule "ip_src_addr == '<an IP I specified in the CSV file>'" and the score of 5. Doesn't work... The data in the Elasticsearch index is still being issued without the threat score.
The enrichment config of the threat intel source:
{
  "zkQuorum" : "XXXXXXXX:XXXX",
  "sensorToFieldList": {
    "xcsvtest": {
      "type": "THREAT_INTEL",
      "fieldToEnrichmentTypes": {
        "ip_src_addr" : ["testList"]
      }
    }
  }
}
My enrichment configuration:
{
  "enrichment": {
    "fieldMap": {
      "geo": [
        "ip_src_addr"
      ]
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {
      "ip_src_addr": [
        "testList"
      ]
    },
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "All_threat",
          "comment": "",
          "rule": "ip_src_addr == '8.8.8.8' ",
          "reason": null,
          "score": "5"
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}
Appreciate any help.
Thanks
RE: Score not being issued by ThreatIntel Enrichment
Posted by Gonçalo Pedras <go...@ctd.pt>.
Hi,
It works. Thanks for the help. Really appreciated.
Thanks
Re: Score not being issued by ThreatIntel Enrichment
Posted by Simon Elliston Ball <si...@simonellistonball.com>.
The threat intel rules will only be run to create a score if the is_alert field is present in the alert message. You can use the enrichments stage to set this based on detections / threat intel / enrichment sources etc. If that field is set true, then you should see your scoring rules run.
Simon
On Thu, 21 Nov 2019 at 16:10, Gonçalo Pedras <go...@ctd.pt> wrote:
--
simon elliston ball
@sireb
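As an added example (not from this thread or from the Metron project), here is how the sensor enrichment config from the original post could set is_alert in the enrichments stage with the Stellar enrichment adapter, so that the threat triage rule is evaluated. It assumes the Stellar adapter's "config" map of field name to Stellar expression, and uses 'threatintel' and 't' as placeholders for the deployment's HBase threat intel table and column family.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": ["ip_src_addr"],
      "stellar": {
        "config": {
          "is_alert": "ENRICHMENT_EXISTS('testList', ip_src_addr, 'threatintel', 't')"
        }
      }
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {
      "ip_src_addr": ["testList"]
    },
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "All_threat",
          "comment": "Only evaluated when is_alert is true on the message",
          "rule": "ip_src_addr == '8.8.8.8'",
          "reason": null,
          "score": "5"
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}
```

After pushing this config, an indexed document from the sensor whose ip_src_addr is in the testList source should carry is_alert and the triage score; one whose source IP is not in the list should carry neither.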