Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integrate Mitre Att&ck in Alerts #8489

Open
lucaderi opened this issue Jul 3, 2024 · 1 comment
Open

Integrate Mitre Att&ck in Alerts #8489

lucaderi opened this issue Jul 3, 2024 · 1 comment
Assignees
@lucaderi
Labels
Enhancement
Milestone
6.2-stable

Comments

@lucaderi
Copy link
Member

lucaderi commented Jul 3, 2024

Show mitre classification in alerts and allow to search
@lucaderi lucaderi added this to the 6.2-stable milestone Jul 3, 2024
@lucaderi lucaderi self-assigned this Jul 17, 2024
@lucaderi
Copy link
Member Author

Create a ClickHouse table used for

  • mapping flow_alert_id into mitre info (scripts/lua/modules/alert_definitions/flows/)
dell.ntop.org :) select ALERT_CATEGORY,ALERTS_MAP,STATUS,ALERT_JSON from flows WHERE STATUS =71 limit 1;

SELECT
    ALERT_CATEGORY,
    ALERTS_MAP,
    STATUS,
    ALERT_JSON
FROM flows
WHERE STATUS = 71
LIMIT 1

Query id: 533bf866-9d97-45ef-8d76-8afa113f5ec4

   ┌─ALERT_CATEGORY─┬─ALERTS_MAP─────────┬─STATUS─┬─ALERT_JSON─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
1. │              3 │ 800000000000000000 │     71 │ {"ntopng.key":2169569442,"hash_entry_id":833,"alert_generation": {"script_key":"ndpi_error_code_detected","subdir":"flow","flow_risk_info":"{\"43\":\"DNS Error Code NXDOMAIN\"}"},"proto": {"dns": {"last_query_type":1,"last_return_code":3,"last_query":"host.docker.internal"},"l7_error_code":3,"confidence":1},"traffic_stats": {},"alert_score": {"71":10},"risk_id":43} │
   └────────────────┴────────────────────┴────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

STATUS is the flow_alert_id

  • mapping host_alert_id into mitre info (scripts/lua/modules/alert_definitions/host/)

These tables are created at (every) startup for both SQLite and ClickHouse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lucaderi lucaderi

Labels
Enhancement
Projects
None yet
Milestone
6.2-stable
Development

No branches or pull requests
1 participant
@lucaderi