metron-issues mailing list archives

From "James Sirota (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (METRON-170) Ability for metron users to author rules (Queries) to generate alerts without deploying code (Batch Rules Engine)
Date Thu, 02 Jun 2016 06:03:59 GMT

     [ https://issues.apache.org/jira/browse/METRON-170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-170:
--------------------------------
    Labels: ForwardLookingEpic elasticsearch hive ruleengine rules solr spark  (was: elasticsearch hive ruleengine rules solr spark)

> Ability for metron users to author rules (Queries) to generate alerts without deploying code (Batch Rules Engine)
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: METRON-170
>                 URL: https://issues.apache.org/jira/browse/METRON-170
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Zafer Bilaloglu
>            Priority: Critical
>              Labels: ForwardLookingEpic, elasticsearch, hive, ruleengine, rules, solr, spark
>   Original Estimate: 500h
>  Remaining Estimate: 500h
>
> The primary purpose for a rules engine for Apache Metron would be to allow Metron users to author rules that then generate alerts for SIC analysts to investigate. Typical enterprises have hundreds of rules (dozens for each data source) and need the flexibility to alter rules as needed without deploying code to production. Rules would run on a schedule in batch mode and perform a predefined action such as generating an alert.
> Here are some example rules we'd like to be able to run in metron with the rule syntax written in SQL:
> | Rule Description | Rule Syntax | Schedule |
> | Mcafee epo log entry notifies us a malware delete failed | Select * from mcafee where event_description = "Malware Delete Failed" | Run every 5 minutes and for new data in the previous 5 minutes. |
> | Multiple malware events for a single user within a short period of time | Select count(*) as avcount, user from mcafee group by user, dest_ip, os where category like 'av.%' and avcount > 8 | Run every 60 minutes for the previous 60 minutes |
> Users should have a front end to author rules, decide on a schedule, and configure an alert priority, rule description, and the action to perform (alert, e:
> Here is a sample mockup:
> !http://i.imgur.com/0sbNXPp.png!
> The batch rules engine would fire recurring queries against data at rest in one of the existing Metron datastores (Solr, Hive, Elasticsearch) that will then perform a predefined action such as generating an alert, running a script (python), or kicking off packet capture.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
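A minimal batch rules engine in the spirit of the ticket's two example rules, added here as an illustration and not code from the issue or from Metron: constructed ePO-style rows go into an in-memory SQLite table standing in for the Hive/Solr/Elasticsearch store, one scheduler tick runs each rule over its trailing window, and the matches come back as alerts. The column names, the `ts` field used for the window filter and the sample rows are assumptions; the second rule is written with HAVING, since the ticket's version places WHERE after GROUP BY and filters the aggregate alias there.

```python
import sqlite3
from datetime import datetime, timedelta

DEMO_NOW = datetime(2016, 6, 2, 6, 0, 0)  # constructed scheduler tick

# Rules as (description, SQL, window in minutes), following the ticket's table.
# Assumption: each stored row has an ISO-8601 `ts` column so a rule can be
# confined to its trailing window; the count rule uses HAVING for the aggregate.
RULES = [
    ("Mcafee epo log entry notifies us a malware delete failed",
     "SELECT * FROM mcafee WHERE event_description = 'Malware Delete Failed' "
     "AND ts >= :since", 5),
    ("Multiple malware events for a single user within a short period of time",
     "SELECT COUNT(*) AS avcount, user, dest_ip, os FROM mcafee "
     "WHERE category LIKE 'av.%' AND ts >= :since "
     "GROUP BY user, dest_ip, os HAVING COUNT(*) > 8", 60),
]

def build_store(events):
    """In-memory SQLite table standing in for the Hive/Solr/Elasticsearch store."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE mcafee (ts TEXT, user TEXT, dest_ip TEXT, os TEXT, "
                "category TEXT, event_description TEXT)")
    con.executemany("INSERT INTO mcafee VALUES (?, ?, ?, ?, ?, ?)", events)
    return con

def sample_events(now):
    """Constructed ePO-style rows: two delete failures (one outside the 5-minute
    window) and nine AV hits for one user inside the 60-minute window."""
    ts = lambda minutes_ago: (now - timedelta(minutes=minutes_ago)).isoformat()
    rows = [(ts(2), "alice", "10.0.0.5", "win7", "av.detect", "Malware Delete Failed"),
            (ts(30), "carol", "10.0.0.7", "win10", "av.detect", "Malware Delete Failed")]
    rows += [(ts(3 * i), "bob", "10.0.0.9", "win10", "av.detect", "Malware Deleted")
             for i in range(9)]
    return rows

def run_rules(con, now, rules=RULES):
    """One batch tick: run every rule over its trailing window, return the alerts."""
    alerts = []
    for description, sql, window in rules:
        since = (now - timedelta(minutes=window)).isoformat()
        for row in con.execute(sql, {"since": since}):
            alerts.append({"rule": description, "window_minutes": window, "match": dict(row)})
    return alerts

if __name__ == "__main__":
    for alert in run_rules(build_store(sample_events(DEMO_NOW)), DEMO_NOW):
        print(alert["rule"], "->", alert["match"])
```

The alert dicts are where the ticket's other actions (script, packet capture) would hook in; the window filter is what keeps a 5-minute rule from re-alerting on the same old rows every tick.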
