metron-issues mailing list archives

From "Casey Stella (JIRA)" <>
Subject [jira] [Created] (METRON-141) The ability to do threat triage
Date Fri, 06 May 2016 21:39:13 GMT
Casey Stella created METRON-141:

             Summary: The ability to do threat triage
                 Key: METRON-141
             Project: Metron
          Issue Type: New Feature
            Reporter: Casey Stella
            Assignee: Casey Stella

We have the ability to mark messages as part of the enrichment topology as threat alerts,
but we have no ability to prioritize those alerts.

We should allow for the prioritization of messages that have some threat intelligence alert
via a scoring mechanism.  The one implemented here allows the user to map conditions expressed
via a lightweight DSL to a score and allows a configurable aggregation strategy.

The DSL to express conditions should allow for the following:
* Referencing fields in the enriched JSON
* Simple boolean operations: and, not, or
* The ability to have parentheses to make order of operations explicit
* A fixed set of functions which take strings and return boolean (currently IN_SUBNET(ip,
  cidr1, cidr2, ...), IS_EMPTY(str), STARTS_WITH(str, prefix), ENDS_WITH(str, suffix),
  REGEXP_MATCH(str, pattern))
* A fixed set of string to string transformation functions:  TO_LOWER, TO_UPPER, TRIM

For each message, if the rule as expressed by the DSL matches on the message, then we are
given a list of numbers to aggregate into a single score.  Aggregation functions supported
are as follows:
* POSITIVE_MEAN - the mean of the positive scores

If an aggregated score that is positive is yielded, then a field 'threat.triage.level' with
the score is added to the indexed JSON.

This configuration will be done on a per-sensor basis and added to the SensorEnrichmentConfig.
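The description above sketches the whole pipeline: a rule language (field references, and/or/not, parentheses, a fixed set of string predicates and transforms), a per-rule score, POSITIVE_MEAN aggregation, and a `threat.triage.level` field added only when the aggregate is positive. The following is an added illustration written for this page, not Metron's own code: a small one-pass interpreter for that DSL plus the triage step, run against a constructed message and rule set. Details the issue leaves open are assumptions made here: REGEXP_MATCH is treated as a full match, a field absent from the message reads as None and never satisfies a predicate, transforms pass None through, keywords are matched case-insensitively, and function names are matched case-insensitively as well.

```python
import ipaddress
import operator
import re

# Added illustration, not Metron code; REGEXP_MATCH as full match and absent fields as None are assumptions.

def _safe(fn):  # let an absent field (None) pass through a transform unchanged
    return lambda s: None if s is None else fn(s)

PREDICATES = {  # the fixed string -> boolean functions named in the issue; None never matches
    "IN_SUBNET": lambda ip, *cidrs: ip is not None and any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs),
    "IS_EMPTY": lambda s: s is None or s == "",
    "STARTS_WITH": lambda s, prefix: s is not None and s.startswith(prefix),
    "ENDS_WITH": lambda s, suffix: s is not None and s.endswith(suffix),
    "REGEXP_MATCH": lambda s, pat: s is not None and re.fullmatch(pat, s) is not None,
}
TRANSFORMS = {"TO_LOWER": _safe(str.lower), "TO_UPPER": _safe(str.upper), "TRIM": _safe(str.strip)}

def positive_mean(scores):  # POSITIVE_MEAN: mean of the positive scores, 0.0 when there are none
    positives = [s for s in scores if s > 0]
    return sum(positives) / len(positives) if positives else 0.0

AGGREGATORS = {"POSITIVE_MEAN": positive_mean}
TOKEN = re.compile(r"'([^']*)'|([A-Za-z_][\w.]*)|([(),])|(\S)")  # identifiers may be dotted

def tokenize(rule):  # -> list of (kind, value) with kind in {'str', 'id', 'sym'}
    tokens = []
    for literal, ident, sym, bad in TOKEN.findall(rule):
        if bad:
            raise ValueError(f"unexpected character {bad!r} in rule")
        tokens.append(("id", ident) if ident else ("sym", sym) if sym else ("str", literal))
    return tokens

class RuleEvaluator:
    """Recursive descent evaluating a rule against one message; precedence or < and < not."""
    def __init__(self, rule, message):
        self.toks, self.i, self.msg = tokenize(rule), 0, message
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, expected):  # consume exactly the expected token
        if self.peek() != expected:
            raise ValueError(f"expected {expected}, got {self.peek()}")
        self.i += 1
    def kw(self, word):  # consume and/or/not (case-insensitive) if it is next
        hit = self.peek()[0] == "id" and self.peek()[1].lower() == word
        self.i += hit
        return hit
    def run(self):
        result = self.expr()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return result
    def chain(self, word, operand, combine):  # left-assoc chain; both sides are always parsed
        result = bool(operand())
        while self.kw(word):
            result = combine(result, bool(operand()))
        return result
    def expr(self):  # an or-chain of and-chains of not-expressions
        return self.chain("or", lambda: self.chain("and", self.not_expr, operator.and_), operator.or_)
    def not_expr(self):
        return not self.not_expr() if self.kw("not") else self.primary()
    def primary(self):
        kind, value = self.peek()
        if (kind, value) == ("sym", "("):  # parentheses make order of operations explicit
            self.i += 1
            result = self.expr()
            self.take(("sym", ")"))
            return result
        if kind == "str":
            self.i += 1
            return value
        if kind != "id":
            raise ValueError(f"unexpected token {self.peek()}")
        self.i += 1
        if self.peek() != ("sym", "("):
            return self.msg.get(value)  # field reference into the enriched JSON
        self.i += 1  # function call: arguments are themselves primaries
        args = [] if self.peek() == ("sym", ")") else [self.primary()]
        while self.peek() == ("sym", ","):
            self.i += 1
            args.append(self.primary())
        self.take(("sym", ")"))
        fn = PREDICATES.get(value.upper()) or TRANSFORMS.get(value.upper())
        if fn is None:
            raise ValueError(f"unknown function {value}")
        return fn(*args)

def triage(message, rules, aggregator="POSITIVE_MEAN"):
    """Aggregate the scores of the matching (rule, score) pairs; add threat.triage.level if positive."""
    scores = [score for rule, score in rules if RuleEvaluator(rule, message).run()]
    level = AGGREGATORS[aggregator](scores)
    return {**message, "threat.triage.level": level} if level > 0 else dict(message)

# Constructed sample message and per-sensor rule set (not real Metron data or configuration).
SAMPLE_MESSAGE = {"ip_src_addr": "10.0.2.15", "ip_dst_addr": "203.0.113.7", "user": "  Admin "}
SAMPLE_RULES = [
    ("IN_SUBNET(ip_src_addr, '10.0.0.0/8', '192.168.0.0/16') and not IS_EMPTY(ip_dst_addr)", 10),
    ("STARTS_WITH(TO_LOWER(TRIM(user)), 'admin')", 20),
    ("REGEXP_MATCH(ip_dst_addr, '198\\.51\\.100\\..*') or ENDS_WITH(user, 'root')", 100),
]
```

Calling `triage(SAMPLE_MESSAGE, SAMPLE_RULES)` matches the first two rules and not the third, so the message comes back with `threat.triage.level` set to the positive mean of 10 and 20; a message that matches no rule comes back unchanged, with no level field. Because every rule is parsed in full on every message, a rule with a typo fails loudly with a ValueError rather than silently never matching, which is the behaviour a per-sensor configuration should have.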

This message was sent by Atlassian JIRA
