[
https://issues.apache.org/jira/browse/METRON-685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176545#comment-16176545
]
Jasper Knulst commented on METRON-685:
--------------------------------------
This would be a great improvement over the static "score : 10" triage
assignments. The score field only support integer values now.
Supporting Stellar in the score assignments would make this much more powerful
and flexible.
UPVOTE
> Scores in Threat Triage should be a Stellar Statement
> -----------------------------------------------------
>
> Key: METRON-685
> URL: https://issues.apache.org/jira/browse/METRON-685
> Project: Metron
> Issue Type: Improvement
> Affects Versions: 0.3.0
> Reporter: Simon Elliston Ball
>
> When writing threat triage rules I would like the score for a rule to be
> determined by a stellar statement, rather than a fixed number triggered by a
> boolean stellar statement.
> For example:
> {code}
> "triageConfig" : {
> "riskLevelRules" : [
> {
> "name" : "Abnormal Value",
> "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d',
> hostname, value, value_threshold)"
> "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
> "score" : "SOME_STELLAR_FUNCTION(value)"
> }
> ],
> "aggregator" : "MAX"
> }
> {code}
> Note that in this scenario it would also be beneficial to cache part of the
> statement to avoid likely duplication between rule and score evaluation.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
