Details
- Type: Bug
- Status: Done
- Priority: Major
- Resolution: Done
Description
The enrichment config in my deployment reads this:
======================================================
ENRICHMENT Config: snort
{
  "index": "snort",
  "batchSize": 1,
  "threatIntel": {
    "triageConfig": {
      "riskLevelRules":
      ,
      "aggregator": "MIN"
    }
  }
}
======================================================
The threat.triage.level value is being set to '0' though the rule condition exists(ip_dst_addr) is satisfied.
Enrichment logs:
=======================================================
2016-08-22 10:50:22.167 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found sensor enrichment config.
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found threat triage config: ThreatTriageConfig{riskLevelRules=
, aggregator=MIN, aggregationConfig={}}
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as triage level 0.0 with rules ip_dst_addr == '192.168.138.158'=92.9
exists(ip_dst_addr)=92.01
=====================================================
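The log above shows both rules matching (scores 92.9 and 92.01) with aggregator MIN, yet a triage level of 0.0. The following is an added model of the scoring step, not Metron's own code: it evaluates the two rule forms on the page against a constructed message, aggregates the matched scores, and contrasts the correct result with a hypothetical fold seeded at 0.0, which is one way a MIN aggregation would produce the 0.0 seen here. The message contents and the `naive_min_seeded_with_zero` helper are assumptions for illustration.

```python
# Model of threat-triage scoring (added example, not Metron code).
# A message is scored by evaluating each risk-level rule; the scores of
# the rules that match are combined with the configured aggregator.

# Constructed message resembling the snort record in the report
MESSAGE = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "192.168.138.158"}

# Rules and scores exactly as printed in the enrichment log
RULES = {
    "ip_dst_addr == '192.168.138.158'": 92.9,
    "exists(ip_dst_addr)": 92.01,
}


def evaluate(rule, msg):
    """Minimal evaluator for the rule forms on the page: exists(field) and field == 'value'."""
    rule = rule.strip()
    if rule.startswith("exists(") and rule.endswith(")"):
        return rule[len("exists("):-1].strip() in msg
    if " == " in rule:
        field, value = rule.split(" == ", 1)
        return msg.get(field.strip()) == value.strip().strip("'")
    raise ValueError("unsupported rule: " + rule)


def matched_scores(rules, msg):
    """Scores of the rules whose condition holds for this message."""
    return [score for rule, score in rules.items() if evaluate(rule, msg)]


def triage_level(rules, msg, aggregator="MIN"):
    """Aggregate matched scores; a level of 0.0 is only correct when no rule matched."""
    scores = matched_scores(rules, msg)
    if not scores:
        return 0.0
    if aggregator == "MIN":
        return min(scores)
    if aggregator == "MAX":
        return max(scores)
    if aggregator == "SUM":
        return sum(scores)
    raise ValueError("unsupported aggregator: " + aggregator)


def naive_min_seeded_with_zero(rules, msg):
    """Hypothetical MIN fold that starts from 0.0 instead of the first matched score.
    Because 0.0 is below every positive score, it reports 0.0 even when rules matched,
    the same symptom the log shows."""
    level = 0.0
    for score in matched_scores(rules, msg):
        level = min(level, score)
    return level
```

With the page's two rules, `triage_level` gives 92.01 for MIN and 92.9 for MAX, while the zero-seeded fold gives 0.0; a message without `ip_dst_addr` matches no rule and legitimately scores 0.0.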