Understanding Threat Triage Rule Configuration
The goal of threat triage is to prioritize the alerts that pose the greatest threat and need urgent attention. To create a threat triage rule configuration, you must first define your rules. Each rule has a predicate to determine whether or not the rule applies. The threat score from each applied rule is aggregated into a single threat triage score that is used to prioritize high risk threats.
Following are some examples:
- Rule 1
If a threat intelligence enrichment type zeusList is alerted, imagine that you want to receive an alert score of 5.
- Rule 2
If the URL ends with neither .com nor .net, then imagine that you want to receive an alert score of 10.
- Rule 3
For each message, the triage score is the maximum score across all conditions.
These example rules become the following example configuration:
"triageConfig" : {
  "riskLevelRules" : [
    {
      "name" : "zeusList is alerted",
      "comment" : "Threat intelligence enrichment type zeusList is alerted.",
      "rule" : "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)",
      "score" : 5
    },
    {
      "name" : "Does not end with .com or .net",
      "comment" : "The URL ends with neither .com nor .net.",
      "rule" : "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))",
      "score" : 10
    }
  ],
  "aggregator" : "MAX",
  "aggregationConfig" : { }
}
You can use the reason field to generate a message explaining why a rule fired. One or more rules may fire when triaging a threat. Having detailed, contextual information about the environment when a rule fired can greatly assist actioning the alert. For example:
- Rule 1
For a given hostname, if value exceeds the threshold value_threshold, then the message receives an alert score of 10.
This example rule becomes the following example configuration:
"triageConfig" : {
  "riskLevelRules" : [
    {
      "name" : "Abnormal Value",
      "comment" : "The value has exceeded the threshold",
      "reason" : "FORMAT(\"For '%s' the value '%d' exceeds threshold of '%d'\", hostname, value, value_threshold)",
      "rule" : "value > value_threshold",
      "score" : 10
    }
  ],
  "aggregator" : "MAX",
  "aggregationConfig" : { }
}
If the value threshold is exceeded, Threat Triage will generate a message similar to the following:
"threat.triage.score": 10.0, "threat.triage.rules.0.name": "Abnormal Value", "threat.triage.rules.0.comment": "The value has exceeded the threshold", "threat.triage.rules.0.score": 10.0, "threat.triage.rules.0.reason": "For '10.0.0.1' the value '101' exceeds threshold of '42'"
where
- riskLevelRules
This is a list of rules (represented as Stellar expressions) associated with scores with optional names and comments.
- name
The name of the threat triage rule
- comment
A comment describing the rule
- reason
An optional Stellar expression that when executed results in a custom message describing why the rule fired
- rule
The rule, represented as a Stellar statement
- score
Associated threat triage score for the rule.
- aggregator
An aggregation function that takes all non-zero scores representing the matching queries from riskLevelRules and aggregates them into a single score. You can choose between:
- MAX
The maximum of all of the associated values for matching queries
- MIN
The minimum of all of the associated values for matching queries
- MEAN
The mean of all of the associated values for matching queries
- POSITIVE_MEAN
The mean of the positive associated values for the matching queries
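To make the scoring semantics concrete, here is an added worked example (not Metron's own code) of a small triage scorer that applies the three rules from this page and the four aggregators listed above. It assumes that each Stellar rule and reason expression is stood in for by a Python callable over the enriched message, and the sample messages are constructed for the example:

```python
"""Added example: a minimal threat-triage scorer mirroring a triageConfig block.
Not Metron's code. Assumption: Stellar `rule`/`reason` expressions are replaced
by Python callables that receive the enriched message as a dict."""
from statistics import mean
from typing import Any, Dict, List

Message = Dict[str, Any]


def aggregate(aggregator: str, scores: List[float]) -> float:
    """Combine the scores of the rules that fired into one triage score.
    Zero scores are dropped first (the aggregator only sees non-zero scores);
    POSITIVE_MEAN additionally keeps only positive scores."""
    kept = [float(s) for s in scores if s != 0]
    if aggregator == "POSITIVE_MEAN":
        kept = [s for s in kept if s > 0]
    if not kept:
        return 0.0
    if aggregator == "MAX":
        return max(kept)
    if aggregator == "MIN":
        return min(kept)
    if aggregator in ("MEAN", "POSITIVE_MEAN"):
        return mean(kept)
    raise ValueError(f"unknown aggregator: {aggregator}")


def triage(message: Message, rules: List[Dict[str, Any]], aggregator: str) -> Dict[str, Any]:
    """Evaluate each rule predicate; emit threat.triage.* fields for the rules
    that fired (indexed in firing order) plus the aggregated score."""
    out: Dict[str, Any] = {}
    fired: List[float] = []
    for rule in rules:
        if not rule["rule"](message):
            continue  # predicate false: this rule does not apply
        i = len(fired)
        fired.append(rule["score"])
        out[f"threat.triage.rules.{i}.name"] = rule.get("name")
        out[f"threat.triage.rules.{i}.comment"] = rule.get("comment")
        out[f"threat.triage.rules.{i}.score"] = float(rule["score"])
        if rule.get("reason") is not None:
            out[f"threat.triage.rules.{i}.reason"] = rule["reason"](message)
    out["threat.triage.score"] = aggregate(aggregator, fired)
    return out


# The page's three rules with their Stellar expressions rewritten as callables.
RULES = [
    {
        "name": "zeusList is alerted",
        "comment": "Threat intelligence enrichment type zeusList is alerted.",
        # exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)
        "rule": lambda m: "threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList" in m,
        "score": 5,
    },
    {
        "name": "Does not end with .com or .net",
        "comment": "The URL ends with neither .com nor .net.",
        # not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(..., '.net'))
        "rule": lambda m: not m.get("domain_without_subdomains", "").endswith((".com", ".net")),
        "score": 10,
    },
    {
        "name": "Abnormal Value",
        "comment": "The value has exceeded the threshold",
        # FORMAT("For '%s' the value '%d' exceeds threshold of '%d'", ...); fields assumed present
        "reason": lambda m: "For '%s' the value '%d' exceeds threshold of '%d'"
        % (m["hostname"], m["value"], m["value_threshold"]),
        "rule": lambda m: m["value"] > m["value_threshold"],  # value > value_threshold
        "score": 10,
    },
]

# Constructed sample messages (invented values shaped like enriched events).
SUSPICIOUS = {
    "hostname": "10.0.0.1",
    "domain_without_subdomains": "example.org",
    "value": 101,
    "value_threshold": 42,
    "threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList": "alert",
}
BENIGN = {"hostname": "10.0.0.2", "domain_without_subdomains": "example.com",
          "value": 7, "value_threshold": 42}

if __name__ == "__main__":
    for agg in ("MAX", "MIN", "MEAN"):
        print(agg, triage(SUSPICIOUS, RULES, agg)["threat.triage.score"])
    print(triage(BENIGN, RULES, "MAX"))  # no rule fires: score 0.0, no rule fields
```

Running it shows why the aggregator matters: the same three firing rules give 10.0 under MAX but 5.0 under MIN, so a configuration that tunes individual rule scores without revisiting the aggregator can quietly change which alerts rise to the top.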