Vertex-Triage User Guide
Vertex-Triage adds new Storm commands and Workflows to manage queues and tasks.
Getting Started
Check with your Admin to have the required permissions enabled for the Vertex-Triage commands and Workflows.
Examples
Create a new queue
Queues can also be created via the dedicated workflow.
> vertex.triage.queue.add alerts --desc "A queue for work items relating to alerts"
proj:project=dea0ea86a8a9d0d2feb0cadb92fccbb8
.created = 2024/05/08 16:35:49.755
:created = 2024/05/08 16:35:49.794
:creator = b06eb289d50a67d608a532c1311e1e6a
:desc = A queue for work items relating to alerts
:name = alerts
Create a new task within the “alerts” queue that references a risk:alert node
Tasks can also be created from a Node Action in the Research Tool.
> risk:alert#newalerts | vertex.triage.task.add alerts "alert investigation" --assignee visi --yield
proj:ticket=a2697bd37b209986eb123c0fa9e30784
.created = 2024/05/08 16:35:50.007
:assignee = 43fd8e1f2eb26df4c5dbdac76de52788
:created = 2024/05/08 16:35:49.998
:creator = b06eb289d50a67d608a532c1311e1e6a
:name = alert investigation
:priority = medium
:project = dea0ea86a8a9d0d2feb0cadb92fccbb8
:status = new
:type = task
:updated = 2024/05/08 16:35:49.998
Create a trigger to add a task when media:news:title is set and contains a keyword
This example creates a new task when :title contains the keyword malware, and adds it to the malware queue. The title is used to populate the task name.
> trigger.add prop:set --prop media:news:title --query { +:title~=malware | vertex.triage.task.add malware `triage "{:title}"` }
Added trigger: 212b96d5db31ef6d08cad5bb79255bfc
> [ media:news=* :title="an article about malware" ]
media:news=05479691af29de9642f770ec6f1bfb9a
.created = 2024/05/08 16:35:50.381
:title = an article about malware
> proj:project:name=malware -> proj:ticket
proj:ticket=d4641e5529b2bdaf08bf2aaf1b5ea1c2
.created = 2024/05/08 16:35:50.565
:created = 2024/05/08 16:35:50.555
:creator = b06eb289d50a67d608a532c1311e1e6a
:name = triage "an article about malware"
:priority = medium
:project = 835780244467b5685e48d04e7ab554ad
:status = new
:type = task
:updated = 2024/05/08 16:35:50.555
The task will also have a reference to the inbound node.
> proj:project:name=malware -> proj:ticket -(refs)> *
media:news=05479691af29de9642f770ec6f1bfb9a
.created = 2024/05/08 16:35:50.381
:title = an article about malware
Create a cron to check an external system and create a task based on the results
This example calls a placeholder module, and creates tasks in the extsys queue. A similar ingest routine could be written for calling an HTTP API.
> cron.add --hour +8 {
    $mod = $lib.import(somemodule)
    $data = $mod.getData()
    for $item in $data {
        vertex.triage.task.add extsys $item.name --desc $item.details
    }
}
Created cron job: cd8bab224a56084e7323818bd165168a
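The following is an added example, not part of the original guide or the Vertex-Triage package, showing the HTTP-API variant of the ingest routine above. It uses the Storm $lib.inet.http.get() call to poll an external system every eight hours and open a task in the extsys queue for each returned item; the URL, the Authorization header value, and the name/details fields in the JSON response are assumed placeholders for whatever the real system exposes. The cron body checks the HTTP status before trusting the body and skips items that lack a name, so a failed or malformed poll is logged instead of producing empty tasks.

```storm
cron.add --hour +8 {
    // Assumed placeholder endpoint and credential; replace with the real external system.
    $url = "https://extsys.example.invalid/api/open-items"
    $headers = ({"Authorization": "Bearer REPLACE_WITH_EXTSYS_TOKEN"})

    $resp = $lib.inet.http.get($url, headers=$headers)

    if ($resp.code != 200) {
        // Surface the failure in the cron job's output rather than silently creating nothing.
        $lib.warn(`extsys poll failed: HTTP {$resp.code}`)
    } else {
        // Assumed response shape: a JSON list of objects with "name" and "details" keys.
        for $item in $resp.json() {
            $name = $item.name
            if (not $name) {
                $lib.warn("extsys returned an item without a name; skipping it")
                continue
            }

            $desc = $item.details
            if (not $desc) {
                $desc = "no details supplied by extsys"
            }

            // Same command as the module-based example, fed from the API response instead.
            vertex.triage.task.add extsys $name --desc $desc
        }
    }
}
```

The token is stored inline here only to keep the example self-contained; in a deployment it belongs in a Storm global or vault rather than in the cron definition, and the endpoint should be served over TLS so the default certificate verification of $lib.inet.http.get() applies.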
Use of meta:source nodes
Vertex-Triage uses a meta:source node and -(seen)> lightweight edges to track created nodes.
> meta:source=62cbf38be08a5fc8933790a68c41d103
meta:source=62cbf38be08a5fc8933790a68c41d103
.created = 2024/05/08 16:35:49.730
:name = vertex-triage
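As an added example that is not part of the original guide, the meta:source node and its -(seen)> edges give an audit path from Vertex-Triage back to everything it created. The queries below assume, as the text implies, that the proj:ticket nodes created by the commands above carry a -(seen)> edge from the vertex-triage source; the :status value "new" and the -(refs)> edge to the inbound node are taken from the task output shown earlier on this page.

```storm
// Every node Vertex-Triage has created, regardless of form.
meta:source:name=vertex-triage -(seen)> *

// Only the tasks, restricted to those nobody has picked up yet.
meta:source:name=vertex-triage -(seen)> proj:ticket +:status=new

// How many untouched tasks are outstanding (count consumes the nodes and prints a total).
meta:source:name=vertex-triage -(seen)> proj:ticket +:status=new | count

// For those tasks, walk the refs edge to see the original nodes that triggered them.
meta:source:name=vertex-triage -(seen)> proj:ticket +:status=new -(refs)> *
```

Because the edges are keyed on the meta:source node rather than on the task name or creator, these queries still return the right set after tasks are renamed or reassigned, which makes them a stable starting point for a periodic review of what the automation has been generating.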