metron-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <>
Subject [jira] [Commented] (METRON-701) Triage Metrics Produced by the Profiler
Date Thu, 02 Mar 2017 15:18:45 GMT


ASF GitHub Bot commented on METRON-701:

Github user cestella commented on the issue:
    Yep, looks good, got my +1

> Triage Metrics Produced by the Profiler
> ---------------------------------------
>                 Key: METRON-701
>                 URL:
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Nick Allen
>            Assignee: Nick Allen
> h3. Problem
> The motivating example is that I would like to create an alert if the number of inbound flows to any host over a 15 minute interval is abnormal.
> The value being interrogated here, the number of inbound flows, is not a static value contained within any single telemetry message. This value is calculated across multiple messages by the Profiler. The current Threat Triage process cannot be used to interrogate values calculated by the Profiler.
> h3. Proposed Solution
> I am proposing that we treat the Profiler as a source of telemetry. The measurements captured by the Profiler would be enqueued into a Kafka topic. We would then treat those Profiler messages like any other telemetry. We would parse, enrich, triage, and index those
> This would have the following advantages.
> 1. We would be able to reuse the same threat triage mechanism for values calculated by the Profiler.
> 2. We would be able to generate profiles from the profiled data - aka meta-profiles
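The pipeline the issue proposes, as an added example that is not Metron's own code: a small in-memory Profiler counts inbound flows per destination host per 15 minute window and emits one profile message per window (standing in for the Kafka topic), and a triage rule is then applied to those messages as if they were ordinary telemetry. The flow records are constructed, and the median/MAD abnormality threshold and every function name are assumptions.

```python
from collections import defaultdict
from statistics import median

WINDOW_SECS = 15 * 60  # the 15 minute interval from the issue


def profile_inbound_flows(flows):
    """Profiler step: count inbound flows per (destination host, window).
    Returns profile messages ordered by window, then host, as a consumer
    reading them from a topic would see them."""
    counts = defaultdict(int)
    for f in flows:
        window = f["timestamp"] // WINDOW_SECS * WINDOW_SECS
        counts[(f["ip_dst_addr"], window)] += 1
    return [{"profile": "inbound_flows", "entity": host, "window_start": w, "value": n}
            for (host, w), n in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][0]))]


def triage_profile_message(msg, history, k=3.0, min_history=3):
    """Triage step on a profile message: flag the value as abnormal when it sits
    more than k robust deviations (MAD) from the host's historical median.
    `history` maps entity -> list of past profile values."""
    past = history.get(msg["entity"], [])
    if len(past) < min_history:
        return {"is_alert": False, "score": 0.0}  # not enough baseline yet
    med = median(past)
    mad = median(abs(v - med) for v in past) or 1.0  # guard a zero spread
    score = abs(msg["value"] - med) / mad
    return {"is_alert": score > k, "score": score}


def make_flows():
    """Constructed sample flow telemetry (not real data): 10.0.0.5 receives 2-3
    inbound flows per window for four windows, then a burst of 40; 10.0.0.9 is steady."""
    flows = []
    for i, n in enumerate([2, 3, 2, 3, 40]):
        for j in range(n):
            flows.append({"ip_dst_addr": "10.0.0.5", "timestamp": i * WINDOW_SECS + j})
        for j in range(5):
            flows.append({"ip_dst_addr": "10.0.0.9", "timestamp": i * WINDOW_SECS + 100 + j})
    return flows


def run_pipeline(flows):
    """Profile, then triage each profile message in time order, building the
    per-host baseline as messages arrive. Returns (entity, window_start) alerts."""
    history, alerts = defaultdict(list), []
    for msg in profile_inbound_flows(flows):
        if triage_profile_message(msg, history)["is_alert"]:
            alerts.append((msg["entity"], msg["window_start"]))
        history[msg["entity"]].append(msg["value"])
    return alerts
```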

This message was sent by Atlassian JIRA