[ https://issues.apache.org/jira/browse/METRON-685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176545#comment-16176545 ]
Jasper Knulst commented on METRON-685:
--------------------------------------

This would be a great improvement over the static "score : 10" triage assignments. The score field only supports integer values now. Supporting Stellar in the score assignments would make this much more powerful and flexible.
UPVOTE

> Scores in Threat Triage should be a Stellar Statement
> -----------------------------------------------------
>
>                 Key: METRON-685
>                 URL: https://issues.apache.org/jira/browse/METRON-685
>             Project: Metron
>          Issue Type: Improvement
>    Affects Versions: 0.3.0
>            Reporter: Simon Elliston Ball
>
> When writing threat triage rules I would like the score for a rule to be
> determined by a stellar statement, rather than a fixed number triggered by a
> boolean stellar statement.
> For example:
> {code}
> "triageConfig" : {
>   "riskLevelRules" : [
>     {
>       "name" : "Abnormal Value",
>       "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d', hostname, value, value_threshold)",
>       "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
>       "score" : "SOME_STELLAR_FUNCTION(value)"
>     }
>   ],
>   "aggregator" : "MAX"
> }
> {code}
> Note that in this scenario it would also be beneficial to cache part of the
> statement to avoid likely duplication between rule and score evaluation.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
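
A model of the behaviour requested in the issue above, added here as an illustration and not Metron or Stellar code: Python callables stand in for Stellar statements, and `Evaluator`, `triage` and `deviation` are hypothetical names. It shows an expression-valued score beside a legacy integer score under the MAX aggregator, with a per-message cache so the sub-expression shared by `rule` and `score` is evaluated once.

```python
# Model of the METRON-685 proposal. Python callables stand in for Stellar
# statements; Evaluator, triage and deviation are hypothetical names.

class Evaluator:
    """Per-message context that evaluates each (function, field) pair once."""

    def __init__(self, message, functions):
        self.message = message
        self.functions = functions
        self.cache = {}
        self.calls = 0  # number of real function invocations, for the demo

    def call(self, fn_name, field):
        key = (fn_name, field)
        if key not in self.cache:
            self.calls += 1
            self.cache[key] = self.functions[fn_name](self.message[field])
        return self.cache[key]


def triage(message, rules, functions, aggregator=max):
    """Return (aggregated score, function calls made) for one message."""
    ev = Evaluator(message, functions)
    scores = []
    for rule in rules:
        if not rule["rule"](ev):
            continue
        # A score may be a legacy integer or an expression over the message.
        score = rule["score"](ev) if callable(rule["score"]) else rule["score"]
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            raise TypeError(f"rule {rule['name']!r}: score must be numeric")
        scores.append(score)
    # Assumption: a message that matches no rule scores 0.
    return (aggregator(scores) if scores else 0), ev.calls


# Constructed stand-in for SOME_STELLAR_FUNCTION and constructed sample rules.
FUNCTIONS = {"deviation": lambda v: abs(v - 100) / 10}
RULES = [
    {"name": "Abnormal Value",
     "rule": lambda ev: ev.call("deviation", "value") > ev.message["value_threshold"],
     "score": lambda ev: ev.call("deviation", "value")},
    {"name": "Static rule", "rule": lambda ev: True, "score": 10},
]

if __name__ == "__main__":
    msg = {"hostname": "host-a", "value": 450, "value_threshold": 20}
    print(triage(msg, RULES, FUNCTIONS))  # dynamic 35.0 beats static 10
```

The type check matters once scores are computed: an expression that returns a string or boolean is rejected instead of being silently aggregated into the alert's score.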