Administration
Also available as:
PDF
loading table of contents...

Viewing Triaged or Scored Alerts

You can view triaged alerts in the indexing topic in Kafka or in the triaged alert panel in the HCP Metron dashboard.

An alert in the indexing topic in Kafka will appear similar to the following:

> THREAT_TRIAGE_PRINT(conf)
╔═══════════════════╤═════════╤══════════════════════════════════════════════════════════════════╤═══════╤═══════════════════════════════════════════════════════════════════════════════════╗
║ Name │ Comment │ Triage Rule │ Score │ Reason ║
╠═══════════════════╪═════════╪══════════════════════════════════════════════════════════════════╪═══════╪═══════════════════════════════════════════════════════════════════════════════════╣
║ Abnormal DNS Port │ │ source.type == "bro" and protocol == "dns" and ip_dst_port != 53 │ 10 │ FORMAT("Abnormal DNS Port: expected: 53, found: %s:%d", ip_dst_addr, ip_dst_port) ║
╚═══════════════════╧═════════╧═══════════════════════════

The following figure shows you an example of a triaged alert panel in the HCP Metron dashboard. For URLs from cnn.com, no threat alert is shown, so no triage level is set. Notice the lack of a threat.triage.level field:

Figure 3.20. Investigation Module Triaged Alert Panel