...

  1. Log into the $HOST_WITH_ENRICHMENT_TAG as root
  2. Run the loader

         /usr/metron/$METRON_RELEASE/bin/flatfile_loader.sh -n enrichment_config.json -i domainblocklist.csv -t threatintel -c t -e extractor_config.json

  3. After this, the threat intel data is loaded into HBase and a ZooKeeper mapping is established. The data is written to the HBase table called threatintel. To verify that the blocklist entries were properly ingested into HBase, run the following commands: 

        hbase shell
        scan 'threatintel'

  4. Now check that the ZooKeeper enrichment configuration was properly populated:  

       /usr/metron/$METRON_RELEASE/bin/zk_load_configs.sh -m DUMP -z $ZOOKEEPER_HOST:2181

  5. You should see a config for the squid sensor, something like the following: 
  6. Generate some traffic by using squidclient to issue HTTP requests (repeat this about 20 times):

        squidclient http://www.actdhaka.com

...

Step 6: View the Threat Alerts in Metron UI

When the logs are ingested, a message whose hostname matches the threat intel list is tagged as an alert. Notice that such a message carries is_alert=true, which designates it as an alert message.

Now that alerts are coming through, we need to visualize them in Kibana. First, set up a pinned query that selects messages where is_alert=true; once the alerts table is pointed at this pinned query, it shows only those messages.

Now that real-time threat intel cross-referencing is configured so that alerts are generated on a hit for the squid sensor, let's render these alerts in the Metron UI. We will add 2 new panels to visualize the squid alerts: a Threat Intel Hits Count Panel and an Alert Detail Panel.

Creating a Threat Intel Hits Count Panel 

  1. Log into the Metron UI Dashboard: http://METRON_UI_HOST:5000
  2. Select "Visualize" Tab --> Select "Metric" visualization --> Select "From a new search" for Search Source --> Select "squid*" index source
  3. In the search box, enter "is_alert:true" (Kibana's Lucene field:value syntax, so the query filters on the field rather than running a free-text search) and execute the search
  4. Click the Save disk icon on the top right, name the Visualization "Threat Intel Hits" and click Save
  5. Select "Dashboard" Tab --> Click the plus icon --> Select "Visualization" tab --> Search for "Threat Intel Hits" --> Select it
  6. The visualization will be added to the bottom of the dashboard
  7. Click the save icon on the top right to save the dashboard.

 

Creating an Alert Detail Panel 

  1. Log into the Metron UI Dashboard: http://METRON_UI_HOST:5000
  2. Select "Discover" Tab --> Select the "squid*" index
  3. Search only for alerts in the squid index
    1. Type the following in the search box: "is_alert:true" (Lucene field:value syntax) 
    2. Click the search icon
  4. Now select only the subset of fields that we want to display in the detail panel. In the left hand panel under "Available Fields", "add" the following fields:
    1. full_hostname
    2. ip_src_addr
    3. ip_dst_addr
    4. original_string
    5. method
    6. type
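The following is an added example, not Metron's own code, that models in plain Python what the page has just configured and the two panels built on top of it: a constructed two-column domain blocklist (standing in for domainblocklist.csv after flatfile_loader.sh has written it to the HBase threatintel table), constructed squid messages with the field names used above, a lookup that sets is_alert=true on a hit, a filter that plays the role of the pinned query, the "Threat Intel Hits" count, and the six-field projection of the Alert Detail Panel. The CSV layout, the registered-domain shortcut and the threatintel_matches field name are assumptions for illustration, not Metron's formats.

```python
import csv
import io
import json

# Constructed blocklist in a two-column "domain,source" layout. Assumption:
# the page does not show the layout of domainblocklist.csv.
BLOCKLIST_CSV = """\
# domain,source
www.actdhaka.com,tutorial-blocklist
malicious.example,tutorial-blocklist
"""

# Constructed squid messages carrying the fields the Alert Detail Panel shows.
SAMPLE_MESSAGES = [
    {"full_hostname": "www.actdhaka.com", "ip_src_addr": "127.0.0.1",
     "ip_dst_addr": "203.0.113.10", "method": "GET", "type": "squid",
     "original_string": "1461576382.642 161 127.0.0.1 TCP_MISS/200 103701 GET http://www.actdhaka.com/ - DIRECT/203.0.113.10 text/html"},
    {"full_hostname": "cdn.malicious.example", "ip_src_addr": "127.0.0.1",
     "ip_dst_addr": "203.0.113.20", "method": "GET", "type": "squid",
     "original_string": "1461576390.101 88 127.0.0.1 TCP_MISS/200 512 GET http://cdn.malicious.example/x.js - DIRECT/203.0.113.20 application/javascript"},
    {"full_hostname": "www.example.org", "ip_src_addr": "127.0.0.1",
     "ip_dst_addr": "203.0.113.30", "method": "GET", "type": "squid",
     "original_string": "1461576395.555 120 127.0.0.1 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/203.0.113.30 text/html"},
]

# The six fields selected for the Alert Detail Panel, in the page's order.
DETAIL_FIELDS = ["full_hostname", "ip_src_addr", "ip_dst_addr",
                 "original_string", "method", "type"]


def load_blocklist(csv_text):
    """Parse the CSV into {domain: source}; comment and blank lines are skipped.

    Stands in for the rows flatfile_loader.sh writes to the HBase threatintel table.
    """
    table = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        domain = row[0].strip().lower().rstrip(".")
        if domain:
            table[domain] = row[1].strip() if len(row) > 1 else ""
    return table


def registered_domain(hostname):
    """Simplified registered-domain extraction (assumption: last two labels,
    no public-suffix list), so a subdomain of a listed domain also hits."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cross_reference(message, blocklist):
    """Return a copy of the message, tagged is_alert=true if the host is listed."""
    out = dict(message)
    host = message.get("full_hostname", "").strip().lower().rstrip(".")
    if not host:
        return out
    candidates = {host, registered_domain(host)}
    hits = sorted(c for c in candidates if c in blocklist)
    if hits:
        out["is_alert"] = True
        # Illustrative field name; Metron's real enrichment field names differ.
        out["threatintel_matches"] = [{"indicator": h, "source": blocklist[h]} for h in hits]
    return out


def enrich_all(messages, blocklist):
    return [cross_reference(m, blocklist) for m in messages]


def pinned_query(messages):
    """Model of the Kibana pinned query is_alert:true."""
    return [m for m in messages if m.get("is_alert") is True]


def threat_intel_hits_count(messages):
    """Model of the "Threat Intel Hits" metric visualization."""
    return len(pinned_query(messages))


def alert_detail_rows(alerts):
    """Model of the Alert Detail Panel: only the six selected fields, in order."""
    return [{f: a.get(f) for f in DETAIL_FIELDS} for a in alerts]


if __name__ == "__main__":
    enriched = enrich_all(SAMPLE_MESSAGES, load_blocklist(BLOCKLIST_CSV))
    print("Threat Intel Hits:", threat_intel_hits_count(enriched))
    for row in alert_detail_rows(pinned_query(enriched)):
        print(json.dumps(row))
```

Running it reports two hits: www.actdhaka.com matches the exact indicator, and cdn.malicious.example matches through its registered domain, while www.example.org is left without is_alert and so drops out of the pinned query.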

Dashboard with the 2 Panels

With those 2 panels added, the dashboard carries the Threat Intel Hits count alongside the alert detail listing of the six selected fields.