...
{
  ...,
  "threatIntel" : {
    ...,
    "triageConfig" : {
      "riskLevelRules" : [
        {
          "name" : "",
          "comment" : "",
          "rule" : "",
          "score" :
        },
        ...
      ],
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  }
}
riskLevelRules: the set of condition-to-numeric-level mappings that define the threat triage for this particular sensor. Each rule has the following fields:
- name: The name of the threat triage rule.
- comment: A comment describing the rule.
- rule: The rule, represented as a Stellar statement.
- score: Associated threat triage score for the rule.

aggregator: an aggregation function that takes all non-zero scores representing the matching queries from riskLevelRules and aggregates them into a single score. The currently supported aggregation functions are the following:
- MAX: The max of all of the associated values for matching queries.
- MIN: The min of all of the associated values for matching queries.
- MEAN: The mean of all of the associated values for matching queries.
- POSITIVE_MEAN: The mean of the positive associated values for the matching queries.
...
- Rule 1: If the threat intel enrichment type zeusList, as defined in the previous article, is alerted, then we want to consider that an alert score of 5.
- Rule 2: If the url is neither a .com nor a .net, then we want to consider that an alert score of 10.
- Rule 3: For each message, the triage score is the maximum score across all conditions.

For each message we will assign the maximum score across all conditions as the triage score. This translates into the following configuration:
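The following is an added worked example, not Metron's own code or a configuration from the original page: it loads a sensor config fragment shaped like the triageConfig template above, checks that every rule carries the four fields (name, comment, rule, score) and that the aggregator is one of the supported names, and then triages a few constructed messages so the difference between MAX, MIN, MEAN and POSITIVE_MEAN is visible. Stellar is not executed here; the Stellar strings are kept for reference and a Python predicate keyed by rule name stands in for the Stellar evaluator. The enrichment field names inside the rule strings (threatintels.hbaseThreatIntel.ip_dst_addr.zeusList, domain) and the message keys (domain, threat_intel_hits) are assumptions about the enriched message layout, not values taken from this page.

```python
"""Triage simulator for a Metron-style triageConfig.

Only the scores of rules that match a message are aggregated, which is what
the page means by "all non-zero scores representing the matching queries".
"""
import json
from statistics import mean

# Constructed sensor config fragment, shaped like the template on the page.
# The field names inside the Stellar strings are assumptions about the
# enriched message layout, not taken from this page.
SENSOR_CONFIG_JSON = """
{
  "threatIntel": {
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "zeusList alerted",
          "comment": "destination IP matched the zeusList threat intel feed",
          "rule": "exists(threatintels.hbaseThreatIntel.ip_dst_addr.zeusList)",
          "score": 5
        },
        {
          "name": "url not .com or .net",
          "comment": "domain outside the two expected TLDs",
          "rule": "not(ENDS_WITH(domain, '.com') or ENDS_WITH(domain, '.net'))",
          "score": 10
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  }
}
"""

# Stand-in predicates for the Stellar rules above, one per rule name
# (assumption: a real deployment evaluates the "rule" string with Stellar).
PREDICATES = {
    "zeusList alerted": lambda m: "zeusList" in m.get("threat_intel_hits", []),
    "url not .com or .net": lambda m: not m["domain"].endswith((".com", ".net")),
}

# The four aggregation functions listed on the page.
AGGREGATORS = {
    "MAX": max,
    "MIN": min,
    "MEAN": mean,
    "POSITIVE_MEAN": lambda s: mean([x for x in s if x > 0]) if any(x > 0 for x in s) else 0,
}

REQUIRED_RULE_KEYS = {"name", "comment", "rule", "score"}


def load_triage_config(config_json, aggregator_override=None):
    """Parse the sensor config and validate the triageConfig shape."""
    cfg = json.loads(config_json)["threatIntel"]["triageConfig"]
    if aggregator_override is not None:
        cfg["aggregator"] = aggregator_override
    for rule in cfg["riskLevelRules"]:
        missing = REQUIRED_RULE_KEYS - set(rule)
        if missing:
            raise ValueError(f"rule {rule.get('name')!r} missing keys {sorted(missing)}")
        if not isinstance(rule["score"], (int, float)):
            raise ValueError(f"rule {rule['name']!r} score must be numeric")
    if cfg.get("aggregator", "MAX") not in AGGREGATORS:
        raise ValueError(f"unsupported aggregator {cfg['aggregator']!r}")
    return cfg


def triage(message, cfg, predicates):
    """Return (triage_score, matched_rule_names) for one enriched message.

    A message that matches no rule gets score 0 and is never fed to the
    aggregator, so MIN/MEAN cannot be dragged down by non-matching rules.
    """
    matched = [r for r in cfg["riskLevelRules"] if predicates[r["name"]](message)]
    if not matched:
        return 0, []
    scores = [r["score"] for r in matched]
    return AGGREGATORS[cfg.get("aggregator", "MAX")](scores), [r["name"] for r in matched]


# Constructed enriched messages; threat_intel_hits lists the feeds that alerted.
SAMPLE_MESSAGES = [
    {"domain": "example.com", "threat_intel_hits": ["zeusList"]},  # rule 1 only
    {"domain": "example.org", "threat_intel_hits": []},            # rule 2 only
    {"domain": "example.org", "threat_intel_hits": ["zeusList"]},  # both rules
    {"domain": "example.net", "threat_intel_hits": []},            # no rule
]


def triage_all(config_json=SENSOR_CONFIG_JSON, messages=SAMPLE_MESSAGES, aggregator=None):
    """Triage every sample message, optionally overriding the aggregator."""
    cfg = load_triage_config(config_json, aggregator_override=aggregator)
    return [triage(m, cfg, PREDICATES)[0] for m in messages]


if __name__ == "__main__":
    for name in AGGREGATORS:
        print(f"{name:14} {triage_all(aggregator=name)}")
```

With the page's MAX aggregator the four sample messages score 5, 10, 10 and 0; the message that matches both rules is the only one where the aggregator choice changes the result (MAX gives 10, MIN 5, MEAN and POSITIVE_MEAN 7.5). The validation step is worth keeping in a deployment pipeline: a rule with a missing score or an aggregator name that is not in the supported set is the kind of mistake that is easy to push to ZooKeeper and hard to spot from the resulting scores.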
Step 3: Upload the Threat Triage Configuration to Zookeeper
...