metron-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (METRON-141) The ability to do threat triage
Date Mon, 09 May 2016 21:03:12 GMT

    [ https://issues.apache.org/jira/browse/METRON-141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15277032#comment-15277032 ]

ASF GitHub Bot commented on METRON-141:
---------------------------------------

Github user merrimanr commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/108#discussion_r62572579
  
    --- Diff: metron-platform/metron-enrichment/src/main/java/org/apache/metron/enrichment/bolt/EnrichmentJoinBolt.java
---
    @@ -84,7 +88,7 @@ public JSONObject joinMessages(Map<String, JSONObject> streamMessageMap)
{
         if(sourceType != null) {
           SensorEnrichmentConfig config = configurations.getSensorEnrichmentConfig(sourceType);
           if (config != null) {
    -        return config.getEnrichmentFieldMap();
    +        return config.getEnrichment().getFieldMap();
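Review bot: the condition two lines above only guards `config != null`, while the new line chains a second dereference, `config.getEnrichment().getFieldMap()`, so a sensor config whose enrichment section is absent would now throw a NullPointerException where the old single call `config.getEnrichmentFieldMap()` did not. Either extend the guard to `if (config != null && config.getEnrichment() != null)` or document on the accessor that `getEnrichment()` never returns null.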
    --- End diff --
    
    Does this introduce the possibility of a null pointer exception?


> The ability to do threat triage
> -------------------------------
>
>                 Key: METRON-141
>                 URL: https://issues.apache.org/jira/browse/METRON-141
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Casey Stella
>            Assignee: Casey Stella
>
> We have the ability to mark messages as part of the enrichment topology as threat alerts, but we have no ability to prioritize those alerts.
> We should allow for the prioritization of messages that have some threat intelligence alert via a scoring mechanism.  The one implemented here allows the user to map conditions expressed via a light-weight DSL to a score and allow a configurable aggregation strategy.
> The DSL to express conditions should allow for the following:
> * Referencing fields in the enriched JSON
> * Simple boolean operations: and, not, or
> * The ability to have parentheses to make order of operations explicit
> * A fixed set of functions which take strings and return boolean (currently IN_SUBNET(ip, cidr1, cidr2, ...), IS_EMPTY(str), STARTS_WITH(str, prefix), ENDS_WITH(str, suffix), REGEXP_MATCH(str, pattern) )
> * A fixed set of string to string transformation functions:  TO_LOWER, TO_UPPER, TRIM
> For each message, if the rule as expressed by the DSL matches on the message, then we are given a list of numbers to aggregate into a single score.  Aggregation functions supported are as follows:
> * MAX
> * MEAN
> * POSITIVE_MEAN - the mean of the positive scores
> If an aggregated score that is positive is yielded, then a field 'threat.triage.level' with the score is added to the indexed JSON.
> This configuration will be done on a per-sensor basis and added to the SensorEnrichmentConfig.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
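The scoring mechanism described in the quoted ticket, modelled in Python as an added example. This is not Metron's code: the DSL functions (IN_SUBNET, IS_EMPTY, STARTS_WITH, ENDS_WITH, REGEXP_MATCH), the and/or/not combinators and the MAX, MEAN and POSITIVE_MEAN aggregators are written as plain Python callables; the SensorTriageConfig class, the triage function, and the sample per-sensor configuration and messages are constructions for this example. It also shows the two edge cases a practitioner cares about: a sensor with no triage configuration passes through unchanged, and a message matching no rule (or only non-positive scores) gets no 'threat.triage.level' field.

```python
# Added example: minimal model of METRON-141 threat triage scoring (not Metron code).
import re
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import Callable, Dict, List, Sequence, Tuple

Message = Dict[str, object]
Predicate = Callable[[Message], bool]


def _text(msg: Message, field: str) -> str:
    """Read a field as a string; absent fields read as '' like an empty string."""
    value = msg.get(field)
    return "" if value is None else str(value)


# The ticket's fixed set of boolean functions, as predicate factories over a field name.
def IN_SUBNET(field: str, *cidrs: str) -> Predicate:
    nets = [ip_network(c) for c in cidrs]

    def pred(msg: Message) -> bool:
        try:
            addr = ip_address(_text(msg, field))
        except ValueError:  # absent or non-IP value never matches
            return False
        return any(addr in net for net in nets)

    return pred


def IS_EMPTY(field: str) -> Predicate:
    return lambda msg: _text(msg, field) == ""


def STARTS_WITH(field: str, prefix: str) -> Predicate:
    return lambda msg: _text(msg, field).startswith(prefix)


def ENDS_WITH(field: str, suffix: str) -> Predicate:
    return lambda msg: _text(msg, field).endswith(suffix)


def REGEXP_MATCH(field: str, pattern: str) -> Predicate:
    rx = re.compile(pattern)
    return lambda msg: rx.fullmatch(_text(msg, field)) is not None


# Boolean combinators standing in for the DSL's and / or / not.
def AND(*ps: Predicate) -> Predicate:
    return lambda msg: all(p(msg) for p in ps)


def OR(*ps: Predicate) -> Predicate:
    return lambda msg: any(p(msg) for p in ps)


def NOT(p: Predicate) -> Predicate:
    return lambda msg: not p(msg)


# Aggregation strategies named in the ticket; with no matched scores they yield 0,
# so no triage level is written.
def MAX(scores: Sequence[float]) -> float:
    return max(scores) if scores else 0.0


def MEAN(scores: Sequence[float]) -> float:
    return mean(scores) if scores else 0.0


def POSITIVE_MEAN(scores: Sequence[float]) -> float:
    positive = [s for s in scores if s > 0]
    return mean(positive) if positive else 0.0


AGGREGATORS = {"MAX": MAX, "MEAN": MEAN, "POSITIVE_MEAN": POSITIVE_MEAN}


class SensorTriageConfig:
    """Hypothetical per-sensor config: (predicate, score) rules plus an aggregator name."""

    def __init__(self, rules: List[Tuple[Predicate, float]], aggregator: str = "MAX"):
        self.rules = list(rules)
        self.aggregator = aggregator


def triage(msg: Message, configs: Dict[str, SensorTriageConfig]) -> Message:
    """Return a copy of msg with 'threat.triage.level' set when the aggregated score is positive."""
    out = dict(msg)
    config = configs.get(_text(msg, "source.type"))
    if config is None:  # sensor without triage config: pass through unchanged
        return out
    scores = [score for pred, score in config.rules if pred(msg)]
    level = AGGREGATORS[config.aggregator](scores)
    if level > 0:
        out["threat.triage.level"] = level
    return out


# Constructed sample configuration and messages (not taken from the ticket).
SAMPLE_CONFIGS = {
    "bro": SensorTriageConfig(
        rules=[
            (IN_SUBNET("ip_src_addr", "10.0.0.0/8", "192.168.0.0/16"), 10.0),
            (AND(ENDS_WITH("host", ".example.net"), NOT(IS_EMPTY("user_agent"))), 20.0),
            (REGEXP_MATCH("uri", r".*\.(exe|dll)"), 50.0),
        ],
        aggregator="POSITIVE_MEAN",
    ),
}

SAMPLE_MESSAGES: List[Message] = [
    {"source.type": "bro", "ip_src_addr": "192.168.1.5", "host": "cdn.example.net",
     "user_agent": "curl/8", "uri": "/x.exe"},
    {"source.type": "bro", "ip_src_addr": "8.8.8.8", "host": "a.b.org",
     "user_agent": "", "uri": "/index.html"},
    {"source.type": "snort", "ip_src_addr": "10.1.1.1"},
]


def run_samples() -> List[Message]:
    return [triage(m, SAMPLE_CONFIGS) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m in run_samples():
        print(m.get("threat.triage.level"), m)
```

Rules are evaluated independently and every matching rule contributes its score, so the aggregator, not rule order, decides the final level; swapping `aggregator="POSITIVE_MEAN"` for `"MAX"` on the same sample turns the first message's level from the mean of 10, 20 and 50 into 50.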
