Would it be accurate to summarize what you're looking to do as - configure Metron to take a mitigating action in response to a tuple meeting a conditional? In your case you're looking to do an API call to another system if, say, threat score is > 90 and a user was identified during enrichment (for example), but logically this could be something as simple as kicking off a script.
Just want to make sure I'm clear on what you're looking to do - if that's correct, I actually have the exact same use case on my to do list and a while back I opened METRON-571 <https://issues.apache.org/jira/browse/METRON-571> with the thought that a first step in this direction would be to have Stellar handle the conditional and kick off a script (providing it arguments pulled from the tuple) which handles the API integration.

Thanks,

Jon

On Fri, Dec 30, 2016 at 3:51 PM Tyler Moore <[email protected]> wrote:

> It would be executed after threat intel / triage scoring.
>
> Could you give an example of either solution?
> I did look into using stellar functions but wasn't sure how to call a
> separate method using stellar, how would I make the new method
> accessible using stellar functions?
>
> Regards,
>
> Tyler Moore
> Software Engineer
> Phone: 248-909-2769
> Email: [email protected]
>
>
> On Fri, Dec 30, 2016 at 3:08 PM, Otto Fowler <[email protected]>
> wrote:
>
> > Or a Maas service?
> >
> >
> > On December 30, 2016 at 13:52:06, [email protected] ([email protected])
> > wrote:
> >
> > Depending on the details it sounds like a much simpler solution would be
> > to handle this in a Stellar function.
> >
> > Jon
> >
> > On Fri, Dec 30, 2016, 13:27 Tyler Moore <[email protected]> wrote:
> >
> > > Happy Holidays Metron Devs!
> > >
> > > Could anyone lend me some guidance on customizing the storm topologies
> > > in metron? What I am trying to accomplish:
> > >
> > > 1) Add a method to the threat intel joiner bolt that sends an http post
> > > with the score of the threat to a remote rest api. This will
> > > conditionally trigger notifications based on user settings in another
> > > database (the backend processing logic is on another platform).
> > > The score should be available within the JSONObject but I am not an
> > > expert with storm and I am not completely understanding what conditions
> > > constitute when the threat feed is considered an "alert" in metron.
> > > Please clarify.
> > >
> > > 2) How would I add an external dependency, my http rest java class, to
> > > the metron maven build process? More specifically, if I was adding a
> > > custom class that needed accessed by a bolt in storm, how would I add
> > > this in maven as a dependency. I have limited experience with maven
> > > but, my understanding is that I would add it to the pom.xml and
> > > recompile. Although, the metron quick dev platform is built on a vm,
> > > would I need to account for this? Please advise.
> > >
> > > Regards,
> > >
> > > Tyler Moore
> > > Software Engineer
> > > Phone: 248-909-2769
> > > Email: [email protected]
> > >
> > --
> >
> > Jon
> >
> > Sent from my mobile device
> >

--
Jon
Sent from my mobile device
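The script side of the approach described at the top of this message (a conditional on the tuple, then a POST to a remote REST API), as an added example that is not part of the original thread or of Metron's code. The field names `threat.triage.level`, `user` and `source.type`, the 90 threshold as a constant, and the URL passed in are assumptions; because tuple fields originate in telemetry, the script parses them as JSON, validates types, and forwards only named fields rather than passing raw values along.

```python
import json
import math
import urllib.request

# Assumed field names and threshold; adjust to the deployment's enrichment output.
SCORE_FIELD = "threat.triage.level"
USER_FIELD = "user"
THRESHOLD = 90.0


def should_notify(message: dict) -> bool:
    """True when the score exceeds the threshold and enrichment found a user."""
    try:
        score = float(message.get(SCORE_FIELD))
    except (TypeError, ValueError):
        return False  # missing or non-numeric score: take no action
    user = message.get(USER_FIELD)
    known_user = isinstance(user, str) and user.strip() != ""
    return math.isfinite(score) and score > THRESHOLD and known_user


def build_request(message: dict, url: str) -> urllib.request.Request:
    """Build (not send) the POST; only the listed fields leave the pipeline."""
    body = {
        "score": float(message[SCORE_FIELD]),
        "user": message[USER_FIELD].strip(),
        "source": str(message.get("source.type", "")),
    }
    data = json.dumps(body).encode("utf-8")
    headers = {"Content-Type": "application/json"}
    return urllib.request.Request(url, data=data, headers=headers, method="POST")


def handle(raw_json: str, url: str):
    """Parse one enriched message; return a Request to send, or None."""
    try:
        message = json.loads(raw_json)
    except json.JSONDecodeError:
        return None
    if not isinstance(message, dict) or not should_notify(message):
        return None
    return build_request(message, url)


# Constructed sample messages, not real Metron output.
SAMPLES = [
    '{"source.type": "bro", "threat.triage.level": 95, "user": "jdoe"}',
    '{"source.type": "bro", "threat.triage.level": "95", "user": ""}',
    '{"source.type": "bro", "threat.triage.level": 40, "user": "jdoe"}',
]
```

`handle()` returns the request object without sending it; the caller passes it to `urllib.request.urlopen` with a timeout once the endpoint is known.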
