metron-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] nickwallen commented on issue #1311: METRON-685 Scores in Threat Triage should be a Stellar Statement
Date Mon, 07 Jan 2019 18:13:27 GMT
nickwallen commented on issue #1311: METRON-685 Scores in Threat Triage should be a Stellar Statement
URL: https://github.com/apache/metron/pull/1311#issuecomment-452028532
 
 
   @ottobackwards I addressed your feedback.  Ran it up again and re-tested just to be sure.

   
   ```
   [root@node1 0.7.0]# cat triage-test.stellar
   t := THREAT_TRIAGE_INIT()
   THREAT_TRIAGE_ADD(t, {"name":"rule1", "rule":"value>10", "score":10})
   THREAT_TRIAGE_ADD(t, {"name":"rule2", "rule":"value>20", "score":"value*10"})
   THREAT_TRIAGE_PRINT(t)
   msg1 := "{ \"value\":22 }"
   msg2 := "{ \"value\":44 }"
   THREAT_TRIAGE_SCORE( msg1, t)
   THREAT_TRIAGE_SCORE( msg2, t)
   ```
   ```
   [root@node1 0.7.0]# cat triage-test.stellar | bin/stellar
   SLF4J: Class path contains multiple SLF4J bindings.
   SLF4J: Found binding in [jar:file:/usr/metron/0.7.0/lib/metron-profiler-repl-0.7.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
   SLF4J: Found binding in [jar:file:/usr/hdp/2.6.5.0-292/hadoop/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
   SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
   SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
   Stellar, Go!
   Functions are loading lazily in the background and will be unavailable until loaded fully.
   {}
   [Stellar]>>> t := THREAT_TRIAGE_INIT()
   ThreatTriage{0 rule(s)}
   [Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule1", "rule":"value>10", "score":10})
   {
     "enrichment" : {
       "fieldMap" : { },
       "fieldToTypeMap" : { },
       "config" : { }
     },
     "threatIntel" : {
       "fieldMap" : { },
       "fieldToTypeMap" : { },
       "config" : { },
       "triageConfig" : {
         "riskLevelRules" : [ {
           "name" : "rule1",
           "rule" : "value>10",
           "score" : "10"
         } ],
         "aggregator" : "MAX",
         "aggregationConfig" : { }
       }
     },
     "configuration" : { }
   }
   [Stellar]>>> THREAT_TRIAGE_ADD(t, {"name":"rule2", "rule":"value>20", "score":"value*10"})
   {
     "enrichment" : {
       "fieldMap" : { },
       "fieldToTypeMap" : { },
       "config" : { }
     },
     "threatIntel" : {
       "fieldMap" : { },
       "fieldToTypeMap" : { },
       "config" : { },
       "triageConfig" : {
         "riskLevelRules" : [ {
           "name" : "rule1",
           "rule" : "value>10",
           "score" : "10"
         }, {
           "name" : "rule2",
           "rule" : "value>20",
           "score" : "value*10"
         } ],
         "aggregator" : "MAX",
         "aggregationConfig" : { }
       }
     },
     "configuration" : { }
   }
   [Stellar]>>> THREAT_TRIAGE_PRINT(t)
   ╔═══════╤═════════╤═════════════╤══════════╤════════╗
   ║ Name  │ Comment │ Triage Rule │ Score    │ Reason ║
   ╠═══════╪═════════╪═════════════╪══════════╪════════╣
   ║ rule1 │         │ value>10    │ 10       │        ║
   ╟───────┼─────────┼─────────────┼──────────┼────────╢
   ║ rule2 │         │ value>20    │ value*10 │        ║
   ╚═══════╧═════════╧═════════════╧══════════╧════════╝
   Aggregation: MAX
   [Stellar]>>> msg1 := "{ \"value\":22 }"
   { "value":22 }
   [Stellar]>>> msg2 := "{ \"value\":44 }"
   { "value":44 }
   [Stellar]>>> THREAT_TRIAGE_SCORE( msg1, t)
   {score=220.0, aggregator=MAX, rules=[{score=10, name=rule1, rule=value>10}, {score=value*10, name=rule2, rule=value>20}]}
   [Stellar]>>> THREAT_TRIAGE_SCORE( msg2, t)
   {score=440.0, aggregator=MAX, rules=[{score=10, name=rule1, rule=value>10}, {score=value*10, name=rule2, rule=value>20}]}
   [Stellar]>>>
   [Stellar]>>>
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
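As an added example, not code from the Metron project or from the comment above, the following Python models the triage scoring the REPL session demonstrates: each rule's `rule` and `score` are evaluated against the message's fields, a literal score is used as-is, an expression score such as `value*10` is computed per message, and the fired rules' scores are combined with the `MAX` aggregator to give 220.0 for `value` 22 and 440.0 for `value` 44. The evaluator walks Python's `ast` and accepts only numeric literals, field names, arithmetic, comparisons and boolean operators, which is the property a scoring DSL needs once score strings come from configuration: the string is never handed to a general-purpose interpreter, so a mis-typed or hostile entry fails closed instead of running. The rules and messages are copied from the session; the `safe_eval` and `score_message` names, the stored-as-string treatment of scores, and the `MIN`/`SUM` aggregators are this example's assumptions (only `MAX` appears on the page).

```python
import ast
import json
import operator

# Constructed sample: the two rules and two messages from the session above.
RULES = [
    {"name": "rule1", "rule": "value>10", "score": 10},
    {"name": "rule2", "rule": "value>20", "score": "value*10"},
]
MSG1 = '{ "value":22 }'
MSG2 = '{ "value":44 }'

# Whitelisted operators: any node type outside these tables is rejected.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP_OPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}

# Assumed aggregators; the page shows only MAX.
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}


def safe_eval(expr, fields):
    """Evaluate a rule or score expression against message fields.

    Only numeric literals, field names, the operators whitelisted above and
    and/or/not are accepted. Calls, attribute access, subscripts and anything
    else raise ValueError, so config text cannot become arbitrary code.
    """
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in fields:
                raise KeyError("message has no field %r" % node.id)
            return fields[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _CMP_OPS):
            return _CMP_OPS[type(node.ops[0])](ev(node.left), ev(node.comparators[0]))
        if isinstance(node, ast.BoolOp):
            vals = [bool(ev(v)) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        raise ValueError("disallowed expression element: %s" % type(node).__name__)

    return ev(tree.body)


def score_message(message_json, rules, aggregator="MAX"):
    """Apply each rule to one message and return the aggregated score plus the
    rules that fired, in the shape of THREAT_TRIAGE_SCORE's output (assumed)."""
    fields = json.loads(message_json)
    fired = []
    for rule in rules:
        if not bool(safe_eval(rule["rule"], fields)):
            continue
        # The config stores a score as a string ("10" or "value*10"): a literal
        # evaluates to itself, an expression is computed against this message.
        computed = float(safe_eval(str(rule["score"]), fields))
        fired.append({"name": rule["name"], "rule": rule["rule"],
                      "score": rule["score"], "computed": computed})
    scores = [r["computed"] for r in fired]
    total = float(AGGREGATORS[aggregator](scores)) if scores else 0.0
    return {"score": total, "aggregator": aggregator, "rules": fired}


if __name__ == "__main__":
    for msg in (MSG1, MSG2):
        print(score_message(msg, RULES))
```

A message whose `value` is below every threshold fires no rule and scores 0.0, and a score string containing a call such as `open('x')` is rejected by `safe_eval` before any evaluation happens; both cases are worth keeping as regression checks when the evaluator is extended with more operators.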
