lucaderi
commented
1 month ago Create a ClickHouse table used for
- mapping flow_alert_id into mitre info (scripts/lua/modules/alert_definitions/flows/)
dell.ntop.org :) select ALERT_CATEGORY,ALERTS_MAP,STATUS,ALERT_JSON from flows WHERE STATUS =71 limit 1;
SELECT ALERT_CATEGORY, ALERTS_MAP, STATUS, ALERT_JSON FROM flows WHERE STATUS = 71 LIMIT 1
Query id: 533bf866-9d97-45ef-8d76-8afa113f5ec4
┌─ALERT_CATEGORY─┬─ALERTS_MAP─────────┬─STATUS─┬─ALERT_JSON─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
- │ 3 │ 800000000000000000 │ 71 │ {"ntopng.key":2169569442,"hash_entry_id":833,"alert_generation": {"script_key":"ndpi_error_code_detected","subdir":"flow","flow_risk_info":"{\"43\":\"DNS Error Code NXDOMAIN\"}"},"proto": {"dns": {"last_query_type":1,"last_return_code":3,"last_query":"host.docker.internal"},"l7_error_code":3,"confidence":1},"traffic_stats": {},"alert_score": {"71":10},"risk_id":43} │
└────────────────┴────────────────────┴────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
STATUS is the flow_alert_id - mapping host_alert_id into mitre info (scripts/lua/modules/alert_definitions/host/)
These tables are created at (every) startup for both SQLite and ClickHouse.
Show mitre classification in alerts and allow to search