...
- Log into the $HOST_WITH_ENRICHMENT_TAG as root
- Run the loader:
/usr/metron/$METRON_RELEASE/bin/flatfile_loader.sh -n enrichment_config.json -i domainblocklist.csv -t threatintel -c t -e extractor_config.json
- After this, the threat intel data will be loaded into HBase and a ZooKeeper mapping will be established. The data will be populated into the HBase table called threatintel. To verify that the threat intel data was properly ingested into HBase, run the following commands:
hbase shell
scan 'threatintel'
- Now check that the ZooKeeper enrichment tag was properly populated:
/usr/metron/$METRON_RELEASE/bin/zk_load_configs.sh -m DUMP -z $ZOOKEEPER_HOST:2181
- You should see a config for the squid sensor something like the following:
- Generate some data by using the squid client to execute HTTP requests (do this about 20 times):
squidclient http://www.actdhaka.com
Step 6: View the Threat Alerts in Metron UI
When the logs are ingested, we get messages that have a hit against threat intel:
Notice a couple of characteristics about this message: it has is_alert=true, which designates it as an alert message.
Now that we have alerts coming through, we need to visualize them in Kibana. First, we need to set up a pinned query to look for messages where is_alert=true:
And then once we point the alerts table to this pinned query it looks like this:
Now that we have configured real-time threat intel cross-referencing so that alerts get generated when there is a hit for the squid sensor, let's render these alerts on the Metron UI. We will be adding 2 new panels to visualize the Squid Alerts: a Threat Intel Hits Count Panel and an Alert Detail Panel.
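The cross-referencing described above, reproduced offline as an added example (not Metron's code): squid native-format lines are parsed into the fields the tutorial's detail panel shows, full_hostname is matched exactly against a domain blocklist, and a hit sets is_alert. The log lines, the blocklist (an assumed "domain,source" CSV layout) and the threatintel_hit field name are all constructed here.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed blocklist in an assumed two-column "domain,source" CSV layout.
BLOCKLIST_CSV = """www.actdhaka.com,constructed-feed
evil.example.net,constructed-feed
"""

# Constructed squid access.log lines in squid's default "native" log format.
SQUID_LOG = """1461576382.642    161 192.168.1.20 TCP_MISS/200 103701 GET http://www.actdhaka.com/ - DIRECT/180.222.252.130 text/html
1461576390.101     57 192.168.1.21 TCP_MISS/200 12034 GET http://www.example.org/index.html - DIRECT/93.184.216.34 text/html
1461576395.777    210 192.168.1.20 TCP_MISS/200 5120 GET http://EVIL.example.net/payload - DIRECT/198.51.100.7 text/plain
"""

SQUID_RE = re.compile(
    r"^(?P<timestamp>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<ip_src_addr>\S+)\s+"
    r"(?P<action>\S+)/(?P<code>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<ip_dst_addr>\S+)\s+\S+$"
)

def load_blocklist(text):
    """Indicator set from the CSV's first column, lowercased so lookups are case-insensitive."""
    return {row[0].strip().lower() for row in csv.reader(io.StringIO(text)) if row}

def parse_squid(line):
    """Split one native-format line into the fields the tutorial's detail panel displays."""
    m = SQUID_RE.match(line)
    if not m:
        return None                      # unparseable line: skip rather than alert
    msg = m.groupdict()
    msg["original_string"] = line
    msg["type"] = "squid"
    msg["full_hostname"] = urlsplit(msg["url"]).hostname or ""   # hostname is lowercased
    return msg

def enrich(msg, blocklist):
    """Exact-match full_hostname against the indicators, setting is_alert on a hit."""
    hit = msg["full_hostname"] in blocklist
    msg["is_alert"] = hit
    if hit:
        msg["threatintel_hit"] = msg["full_hostname"]   # constructed field name
    return msg

def run(log_text=SQUID_LOG, blocklist_csv=BLOCKLIST_CSV):
    """Parse and enrich every line; returns the enriched messages in log order."""
    blocklist = load_blocklist(blocklist_csv)
    return [enrich(m, blocklist) for m in map(parse_squid, log_text.splitlines()) if m]
```

Only the two lines whose full_hostname appears in the blocklist come back with is_alert set; the mixed-case EVIL.example.net request still matches because both sides are normalised to lowercase.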
Creating a Threat Intel Hits Count Panel
- Log into the Metron UI Dashboard: http://METRON_UI_HOST:5000
- Select "Visualize" Tab --> Select "Metric" Visualization --> Select "From a new search" for Search Source --> Select "squid*" index source
- In the search box, enter "is_alert = true" and execute search
- Click the Save disk icon on the top right and name the Visualization "Threat Intel Hits" and click Save
- Select "Dashboard" Tab --> Click the plus icon --> Select "Visualization" tab --> Search for "Squid Event Count" --> Select it
- The visualization will be added to the bottom of the dashboard
- Click the save icon on the top right to save the dashboard.
Creating an Alert Detail Panel
- Log into the Metron UI Dashboard: http://METRON_UI_HOST:5000
- Select "Discover" Tab --> Select the "squid*" index
- Search only for alerts in the squid index:
- Type the following in the search box: "is_alert = true"
- Click the search icon
- Now we need to select only the subset of fields that we want to display in the detail panel. In the left hand panel under "Available Fields", "add" the following fields:
  - full_hostname
  - ip_src_addr
  - ip_dst_addr
  - original_string
  - method
  - type
Dashboard with the 2 Panels
The following is what the new dashboard would look like with those 2 panels.