...

So, where we left off in part 4 was a working threat intelligence enrichment.  Now let's see if we can triage those threats for the squid data flowing through.  In particular, let's raise the triage score of threat alerts for the squidsensor data under the following conditions:

  • Rule 1: If the threat intel enrichment type zeusList, as defined in part 4, is alerted, then we want to give that alert a score of 5
  • Rule 2: If the url is neither a .com nor a .net, then we want to give that alert a score of 10

For each message we will assign the maximum score across all conditions as the triage score.  This translates into the following configuration:

[Image: threat triage configuration]
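The two rules and the maximum aggregation, written out in Python as an added example (this is not Metron's Stellar rule syntax or the configuration from the image above). It assumes each squidsensor message is a dict with a `url` field and an `enrichments` dict in which the part 4 enrichment records a zeusList hit as a boolean under a constructed `zeusList` key.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lowercase hostname of url, or None if none can be parsed. Squid logs
    record bare host:port for CONNECT requests, so a scheme is added when missing."""
    if not url:
        return None
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None

def zeus_list_alerted(msg):
    # Assumed layout: the part 4 enrichment marks a zeusList hit as a boolean under
    # msg["enrichments"]["zeusList"] (constructed key, not Metron's own field name).
    return bool(msg.get("enrichments", {}).get("zeusList", False))

def url_not_com_or_net(msg):
    # A url with no parsable host cannot be shown to be .com/.net, so the rule
    # does not fire on it rather than scoring it 10 by default.
    host = host_of(msg.get("url", ""))
    if host is None:
        return False
    return not (host.endswith(".com") or host.endswith(".net"))

# (name, predicate, score): the scores 5 and 10 are the tutorial's own.
RULES = [
    ("zeusList enrichment alerted", zeus_list_alerted, 5),
    ("url is neither .com nor .net", url_not_com_or_net, 10),
]

def triage(msg):
    """Return (score, names of matching rules); the score is the MAX over matching
    rules, as the tutorial specifies, and 0 when no rule fires."""
    matched = [(name, score) for name, pred, score in RULES if pred(msg)]
    if not matched:
        return 0, []
    return max(score for _, score in matched), [name for name, _ in matched]

# Constructed sample messages (not real squidsensor output).
SAMPLES = [
    {"url": "http://example.com/index.html", "enrichments": {}},
    {"url": "http://example.com/login", "enrichments": {"zeusList": True}},
    {"url": "http://example.org/", "enrichments": {}},
    {"url": "host.example:443", "enrichments": {"zeusList": True}},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["url"], "->", triage(m))
```

The last sample matches both rules and comes out at 10, not 15, which is what the MAX aggregation means in practice.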

Step 3: Upload the threat triage configuration to Zookeeper

...