metron-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <>
Subject [jira] [Commented] (METRON-141) The ability to do threat triage
Date Mon, 09 May 2016 21:00:15 GMT


ASF GitHub Bot commented on METRON-141:

Github user merrimanr commented on a diff in the pull request:
    --- Diff: metron-platform/metron-common/src/test/java/org/apache/metron/common/cli/
    @@ -74,7 +74,7 @@ public void test() throws Exception {
    -  @Test
    +  /*@Test
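Review bot: Opening a block comment with `+  /*@Test` disables the test silently and leaves its body as dead code in the file; if the test is obsolete it should be deleted outright, and if it is only temporarily broken, JUnit's @Ignore with a reason string keeps it visible in the test report instead of hiding it.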
    --- End diff --
    Should we remove this instead of commenting out?

> The ability to do threat triage
> -------------------------------
>                 Key: METRON-141
>                 URL:
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Casey Stella
>            Assignee: Casey Stella
> We have the ability to mark messages as part of the enrichment topology as threat alerts,
> but we have no ability to prioritize those alerts.
> We should allow for the prioritization of messages that have some threat intelligence
> alert via a scoring mechanism.  The one implemented here allows the user to map conditions
> expressed via a light-weight DSL to a score and allow a configurable aggregation strategy.
> The DSL to express conditions should allow for the following:
> * Referencing fields in the enriched JSON
> * Simple boolean operations: and, not, or
> * The ability to have parentheses to make order of operations explicit
> * A fixed set of functions which take strings and return boolean (currently IN_SUBNET(ip,
> cidr1, cidr2, ...), IS_EMPTY(str), STARTS_WITH(str, prefix), ENDS_WITH(str, suffix), REGEXP_MATCH(str,
> pattern) )
> * A fixed set of string to string transformation functions:  TO_LOWER, TO_UPPER, TRIM
> For each message, if the rule as expressed by the DSL matches on the message, then we
> are given a list of numbers to aggregate into a single score.  Aggregation functions supported
> are as follows:
> * MAX
> * MEAN
> * POSITIVE_MEAN - the mean of the positive scores
> If an aggregated score that is positive is yielded, then a field 'threat.triage.level'
> with the score is added to the indexed JSON.
> This configuration will be done on a per-sensor basis and added to the SensorEnrichmentConfig.
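
The scoring semantics described in the issue (rule conditions mapped to scores, MAX / MEAN / POSITIVE_MEAN aggregation, and 'threat.triage.level' added only when the result is positive), modelled as an added, self-contained Python example. It is not Metron's Stellar implementation: the DSL parser is out of scope, so conditions are plain callables built from hand-written versions of the predicate and transform functions the issue lists, and the message, rules and scores are constructed for illustration.

```python
import ipaddress
import re
import statistics

# Predicate and transform functions named in the issue, written here as plain
# Python (constructed for this example, not Metron's implementation).
def IN_SUBNET(ip, *cidrs):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a missing or unparseable address never matches
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def IS_EMPTY(s):
    return s is None or s == ""
def STARTS_WITH(s, prefix):
    return isinstance(s, str) and s.startswith(prefix)
def ENDS_WITH(s, suffix):
    return isinstance(s, str) and s.endswith(suffix)
def REGEXP_MATCH(s, pattern):
    return isinstance(s, str) and re.fullmatch(pattern, s) is not None
def TO_LOWER(s):
    return s.lower() if isinstance(s, str) else s

# Aggregation strategies listed in the issue: MAX, MEAN, POSITIVE_MEAN.
def positive_mean(scores):
    positives = [x for x in scores if x > 0]
    return statistics.mean(positives) if positives else 0.0

AGGREGATORS = {"MAX": max, "MEAN": statistics.mean, "POSITIVE_MEAN": positive_mean}

def triage(message, rules, aggregator="MAX"):
    """Return a copy of the enriched message; when the aggregated score of all
    matching (condition, score) rules is positive, add 'threat.triage.level'."""
    scores = [score for condition, score in rules if condition(message)]
    level = AGGREGATORS[aggregator](scores) if scores else 0
    out = dict(message)
    if level > 0:
        out["threat.triage.level"] = level
    return out

# Constructed enriched message and a per-sensor rule set (scores are illustrative).
MESSAGE = {"ip_src_addr": "10.0.0.5", "host": "EVIL.example.com", "user": ""}
RULES = [
    (lambda m: IN_SUBNET(m.get("ip_src_addr"), "10.0.0.0/8", "192.168.0.0/16"), 5),
    (lambda m: ENDS_WITH(TO_LOWER(m.get("host")), ".example.com"), 10),
    (lambda m: IS_EMPTY(m.get("user")), 2),
    (lambda m: REGEXP_MATCH(m.get("host"), r".*\.internal"), 20),  # does not match
]
```

With the sample message the first three rules match, so MAX yields 10 and MEAN yields 17/3; a rule set whose mean is negative adds no field even though individual rules matched.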

This message was sent by Atlassian JIRA
