metron-dev mailing list archives

From nickwallen <...@git.apache.org>
Subject [GitHub] incubator-metron pull request #438: METRON-686 Record Rule Set that Fired Du...
Date Mon, 13 Feb 2017 21:22:28 GMT
Github user nickwallen commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/438#discussion_r100901277
  
    --- Diff: metron-platform/metron-enrichment/src/main/java/org/apache/metron/enrichment/bolt/ThreatIntelJoinBolt.java
---
    @@ -133,14 +136,18 @@ public JSONObject joinMessages(Map<String, JSONObject> streamMessageMap)
{
               LOG.debug(sourceType + ": Empty rules!");
             }
     
    +        // triage the threat
             ThreatTriageProcessor threatTriageProcessor = new ThreatTriageProcessor(config,
functionResolver, stellarContext);
    -        Double triageLevel = threatTriageProcessor.apply(ret);
    +        ThreatScore score = threatTriageProcessor.apply(ret);
    +
             if(LOG.isDebugEnabled()) {
               String rules = Joiner.on('\n').join(triageConfig.getRiskLevelRules());
    -          LOG.debug("Marked " + sourceType + " as triage level " + triageLevel + " with
rules " + rules);
    +          LOG.debug("Marked " + sourceType + " as triage level " + score.getScore() +
" with rules " + rules);
             }
    -        if(triageLevel != null && triageLevel > 0) {
    -          ret.put("threat.triage.level", triageLevel);
    +
    +        // attach the triage threat score to the message
    +        if(score.getRuleScores().size() > 0) {
    +          ret.put("threat.triage.level", toMap(score));
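Review bot: the null guard from the removed `if(triageLevel != null && triageLevel > 0)` is gone, and the new code dereferences `score` twice (`score.getScore()` inside the debug block and `score.getRuleScores().size() > 0`) without checking it; unless `ThreatTriageProcessor.apply` is guaranteed never to return null, keep a `score != null` check or document that guarantee on `apply`. Also, `ret.put("threat.triage.level", toMap(score))` changes the type stored under the existing field name from a `Double` to a map, so any consumer that already reads `threat.triage.level` as a numeric level will see a different type; consider a new field name for the map, or keep the numeric level under the existing key and put the rule detail in a sibling field.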
    --- End diff --
    
    I think it makes the user's life harder if we put the rule name as part of the key. We would have to enforce our internal Metron conventions (no spaces, special characters, whatever) on the user's rule set: conventions that we could change over time and then break a user's rule set during an upgrade.
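To make the key-naming concern in the comment above concrete, here is an added example that is not Metron's code and not part of the pull request. `RuleScore` and `ThreatScore` are hypothetical stand-ins for the classes named in the diff (the score aggregation as a plain sum is an assumption), `flatten` is a hypothetical helper that renders a nested map as the dotted field paths a downstream consumer would address, and the two rule names are constructed samples. `ruleNameAsKey` is the shape the comment argues against; `ruleNameAsValue` keeps the field names fixed and carries the user's rule name as data.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical stand-in for one fired rule; not Metron's own class. */
final class RuleScore {
  final String name;     // user-supplied rule name, may contain spaces or punctuation
  final String comment;  // free-text reason attached to the rule
  final double score;

  RuleScore(String name, String comment, double score) {
    this.name = name;
    this.comment = comment;
    this.score = score;
  }
}

/** Hypothetical stand-in for ThreatScore; holds the rules that fired. */
final class ThreatScore {
  private final List<RuleScore> ruleScores = new ArrayList<>();

  void addRuleScore(RuleScore rs) { ruleScores.add(rs); }
  List<RuleScore> getRuleScores() { return ruleScores; }

  /** Assumed aggregation for this example: sum of the fired rules' scores. */
  double getScore() {
    double total = 0.0;
    for (RuleScore rs : ruleScores) total += rs.score;
    return total;
  }
}

public class TriageScoreShape {

  /** Shape A: the rule name becomes a map key, i.e. a field name in the message. */
  static Map<String, Object> ruleNameAsKey(ThreatScore score) {
    Map<String, Object> out = new LinkedHashMap<>();
    out.put("score", score.getScore());
    for (RuleScore rs : score.getRuleScores()) {
      out.put(rs.name, rs.score);  // user text used directly as a key
    }
    return out;
  }

  /** Shape B: field names are fixed; the rule name travels as a value. */
  static Map<String, Object> ruleNameAsValue(ThreatScore score) {
    Map<String, Object> out = new LinkedHashMap<>();
    out.put("score", score.getScore());
    List<Map<String, Object>> rules = new ArrayList<>();
    for (RuleScore rs : score.getRuleScores()) {
      Map<String, Object> rule = new LinkedHashMap<>();
      rule.put("name", rs.name);
      rule.put("comment", rs.comment);
      rule.put("score", rs.score);
      rules.add(rule);
    }
    out.put("rules", rules);
    return out;
  }

  /**
   * Hypothetical helper: flattens a nested map into dotted field paths so the
   * field names each shape produces become visible.
   */
  static void flatten(String prefix, Object value, Map<String, Object> into) {
    if (value instanceof Map) {
      for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
        flatten(prefix + "." + e.getKey(), e.getValue(), into);
      }
    } else if (value instanceof List) {
      List<?> list = (List<?>) value;
      for (int i = 0; i < list.size(); i++) {
        flatten(prefix + "[" + i + "]", list.get(i), into);
      }
    } else {
      into.put(prefix, value);
    }
  }

  public static void main(String[] args) {
    // Constructed sample: rule names a user might realistically write.
    ThreatScore score = new ThreatScore();
    score.addRuleScore(new RuleScore("Known Bad IP (watchlist)", "ip on list", 10.0));
    score.addRuleScore(new RuleScore("dst.port == 22", "ssh", 5.0));

    Map<String, Object> a = new LinkedHashMap<>();
    flatten("threat.triage.level", ruleNameAsKey(score), a);
    Map<String, Object> b = new LinkedHashMap<>();
    flatten("threat.triage.level", ruleNameAsValue(score), b);

    System.out.println("rule name as key:");
    a.forEach((k, v) -> System.out.println("  " + k + " = " + v));
    System.out.println("rule name as value:");
    b.forEach((k, v) -> System.out.println("  " + k + " = " + v));
  }
}
```

With shape A the second rule yields the field path `threat.triage.level.dst.port == 22`, where the dots inside the user's rule name are indistinguishable from the path separators, and the first yields a field name containing spaces and parentheses; any naming convention imposed to avoid that would have to be enforced on user rule sets and kept stable across upgrades. With shape B every field name is chosen by the platform (`rules[0].name`, `rules[0].score`, ...) and the rule name is ordinary data that can contain anything.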


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
