...
Consider, for example, the following JSON message:
{..."src_ip_addr" : "192.168.0.1","is_local" : true...}
Consider the query:
IN_SUBNET( src_ip_addr, '192.168.0.0/24') or src_ip_addr in [ '10.0.0.1', '10.0.0.2' ] or exists(is_local)
...
So, where we left off in part 4 was a working threat intelligence enrichment. Now, let's see if we can triage those threats for the squid data flowing through. In particular, let's triage the threat alerts for the squid
sensor data higher under the following conditions:
- If the threat intel enrichment type
zeusList
as defined in part 4 is alerted, then we want to consider that an alert of score of 5 - If the
url
is neither a.com
nor a.net
, then we want to consider that alert a score of 10
For each message we will assign the maximum score across all conditions as the triage score. This translates into the following configuration:
{
...
,"threatIntel" : {
...
, "triageConfig" : {
"riskLevelRules" : {
"exists(threatintels.hbaseThreatIntel.url.zeusList)" : 5
, "not(ENDS_WITH(url, '.com') or ENDS_WITH(url, '.net'))" : 10}
,"aggregator" : "MAX"}}
}
In order to apply this triage configuration, we must modify the configuration for the squid
sensor in the enrichment topology. To do this, we should modify /usr/metron/0.1BETA/config/zookeeper/sensors/squid.json
on node1
However, since the configuration in zookeeper may have be out of sync with the configuration on disk, we must make sure they are in sync by executing the following command:
/usr/metron/0.1BETA/bin/zk_load_configs.sh -m PULL -z node1:2181 -f -o /usr/metron/0.1BETA/config/zookeeper
We should ensure that the configuration for squid exists by checking out
cat /usr/metron/0.1BETA/config/zookeeper/sensors/squid.json
Now we can edit the configuration. In /usr/metron/0.1BETA/config/zookeeper/sensors/squid.json
edit the section titled riskLevelRules
and add the two rules above to the map:
"exists(threatintels.hbaseThreatIntel.url.zeusList)" : 5
"not(ENDS_WITH(url, '.com') or ENDS_WITH(url, '.net'))" : 10
Also, ensure that the aggregator
field indicates MAX
After modifying the configuration, we can push the configuration back to zookeeper and have the enrichment topology pick it up with live data via
/usr/metron/0.1BETA/bin/zk_load_configs.sh -m PUSH -z node1:2181 -i /usr/metron/0.1BETA/config/zookeeper
Now, if we reload the data from the part 4 via
tail /var/log/squid/access.log | /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list node1:6667 --topic squid
Now, if we check the squid
index using the elasticsearch head plugin, we can see the threats triage as we would expect:
Non-Threat Data
For URL's from cnn.com, we see no threat alert, so no triage level is set. Notice the lack of a threat.triage.level
field.
Threat Data from alamman.com has a triage level of 5
Because alamman.com is a malicious host from the zeusList
threat intel feed but is a .com
address, it's assigned threat.triage.level
of 5.
Threat Data from atmape.ru has a triage level of 10
Because atmape.ru is both a malicious host from the zeusList
threat intel feed as well as a non .com
and non .net
address, it's assigned threat.triage.level
of 10.
s{Wwwwww
We{hreatintels.hbaseT{hreatIntel.url.zeusList