User Guide
Vertex-Triage User Guide
Vertex-Triage adds new Storm commands and Workflows to manage queues and tasks.
Getting Started
Check with your Admin to enable permissions.
Examples
Create a new queue
Queues can also be created via the dedicated workflow.
> vertex.triage.queue.add alerts --desc "A queue for work items relating to alerts"
proj:project=9082cff0f53b2f5930f2621f2960020c
.created = 2025/01/15 19:33:00.462
:created = 2025/01/15 19:33:00.463
:creator = root
:desc = A queue for work items relating to alerts
:name = alerts
Create a new task within the “alerts” queue that references a risk:alert node
Tasks can also be created from a Node Action in the Research Tool.
> risk:alert#newalerts | vertex.triage.task.add alerts "alert investigation" --assignee visi --yield
proj:ticket=18094da16e7e4584c98d53cecde6ea7b
.created = 2025/01/15 19:33:00.691
:assignee = visi
:created = 2025/01/15 19:33:00.682
:creator = root
:name = alert investigation
:priority = medium
:project = 9082cff0f53b2f5930f2621f2960020c
:status = new
:type = task
:updated = 2025/01/15 19:33:00.682
Create a trigger to add a task when media:news:title
is set and contains a keyword
This example creates a new task when :title
contains the keyword malware
,
and adds it to the malware
queue. The title is used to populate the task name.
> trigger.add prop:set --prop media:news:title
--query { +:title~=malware | vertex.triage.task.add malware `triage "{:title}"` }
Added trigger: 3da0f2cd4e084ffa55966aa62aa5b601
> [ media:news=* :title="an article about malware" ]
media:news=5a406a1ef2b6e5df2512f5dc634d04c2
.created = 2025/01/15 19:33:00.997
:title = an article about malware
> proj:project:name=malware -> proj:ticket
proj:ticket=3fec4252094a0b48fc53908e3dd12535
.created = 2025/01/15 19:33:01.188
:created = 2025/01/15 19:33:01.177
:creator = root
:name = triage "an article about malware"
:priority = medium
:project = d4f03ca927a73aa0ccd1de29eb799715
:status = new
:type = task
:updated = 2025/01/15 19:33:01.177
The task will also have a reference to the inbound node.
> proj:project:name=malware -> proj:ticket -(refs)> *
media:news=5a406a1ef2b6e5df2512f5dc634d04c2
.created = 2025/01/15 19:33:00.997
:title = an article about malware
Create a cron to check an external system and create a task based on the results
This example calls a placeholder module, and creates tasks in the extsys
queue.
A similar ingest routine could be written for calling an HTTP API.
> cron.add --hour +8 {
$mod = $lib.import(somemodule)
$data = $mod.getData()
for $item in $data {
vertex.triage.task.add extsys $item.name --desc $item.details
}
}
Created cron job: f99506fcc8d5c7d427aa065ddd028722
Use of meta:source
nodes
Vertex-Triage uses a meta:source
node and -(seen)>
light
weight edges to track created nodes.
> meta:source=62cbf38be08a5fc8933790a68c41d103
meta:source=62cbf38be08a5fc8933790a68c41d103
.created = 2025/01/15 19:33:00.437
:name = vertex-triage