Sounds like what you're trying to do is apply different threat scores based on a user identified at the parser or enrichment stage. What I would do is to add the scoring factor as an enrichment, and then make the final threat triage expression a combination of the REST result called by the enrichment, and whatever the threat would have been from other sources, or potentially just use enrichment calls the whole REST piece and keep the threat triage simple. This may not work if you absolutely need it to be post threat intel, in which case, as others have suggested, a Stellar function may be the answer.

Simon

> On 30 Dec 2016, at 20:08, Otto Fowler <[email protected]> wrote:
>
> Or a Maas service?
>
>
> On December 30, 2016 at 13:52:06, [email protected] ([email protected]) wrote:
>
> Depending on the details it sounds like a much simpler solution would be to
> handle this in a Stellar function.
>
> Jon
>
>> On Fri, Dec 30, 2016, 13:27 Tyler Moore <[email protected]> wrote:
>>
>> Happy Holidays Metron Devs!
>>
>> Could anyone lend me some guidance on customizing the storm topologies in
>> metron? What I am trying to accomplish:
>>
>> 1) Add a method to the threat intel joiner bolt that sends an http post
>> with the score of the threat to a remote rest api. This will conditionally
>> trigger notifications based on user settings in another database (the
>> backend processing logic is on another platform).
>> The score should be available within the JSONObject but I am not an expert
>> with storm and I am not completely understanding what conditions constitute
>> when the threat feed is considered an "alert" in metron. Please clarify.
>>
>> 2) How would I add an external dependency, my http rest java class, to the
>> metron maven build process? More specifically, if I was adding a custom
>> class that needed accessed by a bolt in storm, how would I add this in
>> maven as a dependency. I have limited experience with maven but, my
>> understanding is that I would add it to the pom.xml and recompile.
>> Although, the metron quick dev platform is built on a vm, would I need to
>> account for this? Please advise.
>>
>> Regards,
>>
>> Tyler Moore
>>
>>
>> Software Engineer
>> Phone: 248-909-2769
>> Email: [email protected]
>>
> --
>
> Jon
>
> Sent from my mobile device
