...

  • MAX : The max of all of the scores associated with the matching rules.
  • MIN : The min of all of the scores associated with the matching rules.
  • MEAN : The mean of all of the scores associated with the matching rules.
  • POSITIVE_MEAN : The mean of the positive scores associated with the matching rules.

Step 1: Setup and Prerequisites

  1. You should have completed the instructions in Adding a new Telemetry Data Source.
  2. Make sure the following variables are configured for your environment:


    KAFKA_HOST = host where a Kafka broker is installed
    ZOOKEEPER_HOST = host where a ZooKeeper server is installed
    PROBE_HOST = host where your sensors/probes are installed. If you don't have any sensors installed, pick a host where a Storm supervisor is running
    SQUID_HOST = host where you want to install Squid. If you don't care, just install it on the PROBE_HOST
    NIFI_HOST = host where you will install NiFi. This should be the same host on which you installed Squid
    HOST_WITH_ENRICHMENT_TAG = the host in your inventory hosts file that you put under the group "enrichment"
    SEARCH_HOST = the host where Elasticsearch or Solr is running. This is a host in your inventory hosts file that you put under the group "search"; pick one of the search hosts
    SEARCH_HOST_PORT = the port on the search host where indexing is configured (e.g. 9300)
    METRON_UI_HOST = the host where the Metron UI web application is running. This is the host in your inventory hosts file that you put under the group "web"
    METRON_VERSION = the release of the Metron binaries you are working with (e.g. 0.2.0BETA-RC2)

Step 2: Create the Threat Triage Rule Configuration

Where we left off in Part 4 was a working threat intelligence enrichment.  Now let's see if we can triage those threats for the Squid data flowing through.  In particular, let's score the threat alerts for the squid sensor data higher under the following conditions:

...

{
  ...
  ,"threatIntel" : {
    ...
    , "triageConfig" : {
      "riskLevelRules" : {
        "exists(threatintels.hbaseThreatIntel.url.zeusList)" : 5
        , "not(ENDS_WITH(url, '.com') or ENDS_WITH(url, '.net'))" : 10
      }
      ,"aggregator" : "MAX"
    }
  }
}

Step 3: Upload the threat triage configuration to ZooKeeper

In order to apply this triage configuration, we must modify the configuration for the squid sensor in the enrichment topology.  To do this, we modify /usr/metron/0.1BETA/config/zookeeper/sensors/squid.json on node1 (adjust the version segment of the path to your METRON_VERSION).  However, since the configuration in ZooKeeper may be out of sync with the configuration on disk, we must first make sure they are in sync by executing the following command:

...
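Because the enrichment topology only rejects a bad triageConfig once it is pushed, it is worth checking the edited squid.json before the push. The following check is an added example, not a Metron tool: it parses the sensor JSON and reports an unknown aggregator, an empty rule set, or a non-numeric score. SQUID_JSON is a constructed minimal sample containing only the threatIntel.triageConfig section from above; the rest of the real file is not reproduced here.

```python
"""Pre-push sanity check for a sensor's threatIntel.triageConfig.

Added example, not part of Metron. SQUID_JSON is a constructed sample that
carries only the triageConfig section shown on the page."""
import json

VALID_AGGREGATORS = {"MAX", "MIN", "MEAN", "POSITIVE_MEAN"}


def validate_triage_config(sensor_json_text):
    """Return a list of problems; an empty list means the triageConfig looks pushable."""
    try:
        config = json.loads(sensor_json_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    triage = config.get("threatIntel", {}).get("triageConfig")
    if triage is None:
        return ["threatIntel.triageConfig is missing"]
    problems = []
    aggregator = triage.get("aggregator")
    if aggregator not in VALID_AGGREGATORS:
        problems.append(f"unknown aggregator {aggregator!r}; "
                        f"expected one of {sorted(VALID_AGGREGATORS)}")
    rules = triage.get("riskLevelRules", {})
    if not rules:
        problems.append("riskLevelRules is empty; no message would ever be scored")
    for rule, score in rules.items():
        if not rule.strip():
            problems.append("empty rule expression")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            problems.append(f"score for {rule!r} is {score!r}, not a number")
    return problems


# Constructed sample: only the section this check looks at.
SQUID_JSON = """{
  "threatIntel": {
    "triageConfig": {
      "riskLevelRules": {
        "exists(threatintels.hbaseThreatIntel.url.zeusList)": 5,
        "not(ENDS_WITH(url, '.com') or ENDS_WITH(url, '.net'))": 10
      },
      "aggregator": "MAX"
    }
  }
}"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SQUID_JSON
    for problem in validate_triage_config(text) or ["ok"]:
        print(problem)
```

Run it with the path to the edited squid.json as its only argument; with no argument it checks the embedded sample. A typo such as "AVG" for the aggregator, or a score quoted as a string, is reported here rather than after the push.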

Now, if we check the squid index using the Elasticsearch head plugin, we can see the threat triage level set as we would expect:

Step 4: View Triaged/Scored Alerts

View Non Threat Data

For URLs from cnn.com, we see no threat alert, so no triage level is set.  Notice the lack of a threat.triage.level field.

...