Hi lmori,
Do you mean something like this:
conditions:
  - type == 'THREAT'
  - severity == 'critical'
  - src_zone == 'WAN'
fields:
  - "log_subtype"
  - "threat_name"
indicators:
  - src_ip
I had 2 "high" severity and one "critical" event in the threat log since yesterday, and the counter this morning is still at zero hits.
This is the config currently (/opt/minemeld/local/config/syslog-miner_rules.yml):
- conditions: [type == 'THREAT', log_subtype == 'vulnerability', severity == 'high', src_zone == 'WAN']
  fields: null
  indicators: [src_ip]
  name: threats-ALL-high
- conditions: [type == 'THREAT', log_subtype == 'vulnerability', severity == 'critical', src_zone == 'WAN']
  fields: null
  indicators: [src_ip]
  name: threats-ALL-critical
** edit 2:
Got a few pages of "high" severity threat this morning (TID 40007). No hits on the syslog miner node.
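A quick way to check, offline, whether a rule file like the one posted above should fire on a given set of parsed log fields. This is an added example, not MineMeld's own code and not part of the original post: the evaluator below only understands the `field == 'value'` / `field != 'value'` condition form that the posted rules use, compares strings exactly, and works on dictionaries of already-parsed log fields rather than raw syslog lines. The two rules are transcribed from the posted syslog-miner_rules.yml; the log records are constructed samples.

```python
import re

# The two rules from the posted syslog-miner_rules.yml, transcribed into Python form.
RULES = [
    {
        "name": "threats-ALL-high",
        "conditions": ["type == 'THREAT'", "log_subtype == 'vulnerability'",
                       "severity == 'high'", "src_zone == 'WAN'"],
        "fields": None,
        "indicators": ["src_ip"],
    },
    {
        "name": "threats-ALL-critical",
        "conditions": ["type == 'THREAT'", "log_subtype == 'vulnerability'",
                       "severity == 'critical'", "src_zone == 'WAN'"],
        "fields": None,
        "indicators": ["src_ip"],
    },
]

# Only the simple comparison form used in the rules above is supported here
# (assumption: this is a simplified stand-in, not MineMeld's condition grammar).
COND_RE = re.compile(r"^\s*(\w+)\s*(==|!=)\s*'([^']*)'\s*$")


def parse_condition(cond):
    """Split "field == 'value'" into (field, operator, value)."""
    m = COND_RE.match(cond)
    if not m:
        raise ValueError("unsupported condition syntax: %r" % cond)
    return m.groups()


def condition_matches(cond, record):
    """Exact, case-sensitive string comparison of one condition against a record."""
    field, op, value = parse_condition(cond)
    actual = record.get(field)
    if actual is None:          # missing field never matches, for either operator
        return False
    return actual == value if op == "==" else actual != value


def failing_conditions(rule, record):
    """List the conditions that do NOT hold; empty list means the rule fires."""
    return [c for c in rule["conditions"] if not condition_matches(c, record)]


def rule_matches(rule, record):
    return not failing_conditions(rule, record)


def extract_hits(rule, record):
    """Build the indicators (with the optional extra fields) a firing rule emits."""
    hits = []
    attrs = {"minemeld_rule": rule["name"]}
    for f in rule.get("fields") or []:
        if f in record:
            attrs[f] = record[f]
    for ind in rule["indicators"]:
        if ind in record:
            hits.append({"indicator": record[ind], "type": ind, "attributes": attrs})
    return hits


def run(rules, records):
    """Evaluate every rule against every record; return all emitted hits."""
    hits = []
    for rec in records:
        for rule in rules:
            if rule_matches(rule, rec):
                hits.extend(extract_hits(rule, rec))
    return hits


# Constructed sample records (parsed-field dictionaries, not real firewall logs).
SAMPLE_RECORDS = [
    {"type": "THREAT", "log_subtype": "vulnerability", "severity": "high",
     "src_zone": "WAN", "src_ip": "198.51.100.23", "threat_name": "sample-high"},
    {"type": "THREAT", "log_subtype": "vulnerability", "severity": "critical",
     "src_zone": "WAN", "src_ip": "203.0.113.7", "threat_name": "sample-critical"},
    # Same event but severity capitalised: exact comparison makes this a miss,
    # which failing_conditions() pinpoints.
    {"type": "THREAT", "log_subtype": "vulnerability", "severity": "High",
     "src_zone": "WAN", "src_ip": "198.51.100.99"},
    # Not a threat log at all.
    {"type": "TRAFFIC", "log_subtype": "end", "severity": "high",
     "src_zone": "WAN", "src_ip": "192.0.2.10"},
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for rule in RULES:
            print(rule["name"], rec.get("src_ip"), failing_conditions(rule, rec) or "MATCH")
    print(run(RULES, SAMPLE_RECORDS))
```

Feeding the fields as the miner actually parses them (the exact `type`, `log_subtype` and `severity` strings it sees) into `failing_conditions()` shows which term of a zero-hit rule is the one that never holds, which is the first thing to establish before changing the rules.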