I've ingested threat logs from PaloAlto in an HCP environment and they appear in Elasticsearch/Kibana. So far so good...
Currently none of the events appear in the Metron Alerts UI. I've tried configuring threat triage rules and giving scores to events based on the content of a field (severity). The scores are visible in the Elasticsearch entries, but still no alerts are triggered.
A second thing I've tried is adding a field (IsAlert, is_alert, alert) and setting it to true using field transformations. This is also visible in Elasticsearch, but still no luck in the Metron Alerts UI...
Does anybody have any advice on how I can configure my sensor to make all the events coming from PaloAlto threat logs visible in the Metron Alerts UI?
Some extra information:
events are ingested using a dedicated kafka topic for paloalto threat logs
Metron sensor uses the built-in BasicPaloAltoFirewallParser (Java)
Any help is more than welcome, as this has been giving me some headaches the last couple of days :-)
In case anyone has the same issue: the problem was fixed by creating a mapping for the docs stored in Elasticsearch.
The important part in that mapping is that a field exists which is called 'alert' and is of the 'nested' type.
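As an added illustration of the fix described in this thread (not code from the poster or from the Metron project), the following Python snippet builds an Elasticsearch index template whose mapping declares `alert` as a `nested` field, and includes a small check that reads the JSON body of a `GET /<index>/_mapping` call and reports, per index, whether `alert` is actually mapped as `nested`. The index pattern `paloalto_index*`, the doc type `paloalto_doc` and the extra fields (`is_alert`, `source:type`, `timestamp`, `severity`) are assumptions for illustration; only the `alert` nested field comes from the thread. The sample mapping response is constructed.

```python
import json

# Assumed names for illustration; adjust to the sensor's real index pattern
# and (for Elasticsearch 5.x/6.x) its doc type.
INDEX_PATTERN = "paloalto_index*"
DOC_TYPE = "paloalto_doc"


def build_index_template(index_pattern: str = INDEX_PATTERN,
                         doc_type: str = DOC_TYPE) -> dict:
    """Return an index template body for PUT /_template/<name>.

    The only field the thread identifies as required is 'alert' of type
    'nested'; the other properties are an assumed minimal set for a Metron
    sensor index and can be extended freely.
    """
    return {
        "template": index_pattern,
        "mappings": {
            doc_type: {
                "properties": {
                    "alert": {"type": "nested"},
                    "is_alert": {"type": "keyword"},
                    "source:type": {"type": "keyword"},
                    "timestamp": {"type": "date", "format": "epoch_millis"},
                    "severity": {"type": "keyword"},
                }
            }
        },
    }


def _properties_of(mapping_body: dict) -> dict:
    """Find the 'properties' block of one index's mapping.

    Elasticsearch 5.x/6.x nest it under a doc-type key
    (mappings -> <doc_type> -> properties); Elasticsearch 7+ drop the
    doc-type level (mappings -> properties). Both shapes are handled.
    """
    mappings = mapping_body.get("mappings", {})
    if "properties" in mappings:
        return mappings["properties"]
    for value in mappings.values():
        if isinstance(value, dict) and "properties" in value:
            return value["properties"]
    return {}


def has_nested_alert_field(get_mapping_response: dict) -> dict:
    """Map each index name in a GET _mapping response to True if its 'alert'
    field exists and is of type 'nested', else False."""
    report = {}
    for index_name, body in get_mapping_response.items():
        alert = _properties_of(body).get("alert", {})
        report[index_name] = alert.get("type") == "nested"
    return report


# Constructed sample of a GET /paloalto_index*/_mapping response. The first
# index shows what dynamic mapping produces when a transformation simply sets
# alert=true before any template exists: a boolean, not a nested field.
SAMPLE_GET_MAPPING = {
    "paloalto_index_2018.01.01.00": {
        "mappings": {DOC_TYPE: {"properties": {
            "severity": {"type": "keyword"},
            "alert": {"type": "boolean"},
        }}}
    },
    "paloalto_index_2018.01.02.00": {
        "mappings": {DOC_TYPE: {"properties": {
            "severity": {"type": "keyword"},
            "alert": {"type": "nested"},
        }}}
    },
}


if __name__ == "__main__":
    print(json.dumps(build_index_template(), indent=2))
    print(has_nested_alert_field(SAMPLE_GET_MAPPING))
```

Note that an index template only affects indices created after it is installed; indices that already exist keep the mapping they were created with (as the first sample index above shows), so they have to be deleted or reindexed before their documents will pass a nested query on `alert`.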