[ https://issues.apache.org/jira/browse/METRON-685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16176545#comment-16176545 ]

Jasper Knulst edited comment on METRON-685 at 9/22/17 3:05 PM:
---------------------------------------------------------------

This would be a great improvement over the static "score : 10" triage 
assignments. The score field only supports integer values now.
Supporting Stellar in the score assignments would make this much more powerful 
and flexible. You could potentially capture many, many static rules in just 1 
by getting creative with Stellar functions for setting the score.

UPVOTE


was (Author: jasperknulst):
This would be a great improvement over the static "score : 10" triage 
assignments. The score field only supports integer values now.
Supporting Stellar in the score assignments would make this much more powerful 
and flexible.

UPVOTE

> Scores in Threat Triage should be a Stellar Statement
> -----------------------------------------------------
>
>                 Key: METRON-685
>                 URL: https://issues.apache.org/jira/browse/METRON-685
>             Project: Metron
>          Issue Type: Improvement
>    Affects Versions: 0.3.0
>            Reporter: Simon Elliston Ball
>
> When writing threat triage rules I would like the score for a rule to be 
> determined by a stellar statement, rather than a fixed number triggered by a 
> boolean stellar statement.
> For example: 
> {code}
> "triageConfig" : {
>  "riskLevelRules" : [
>    {
>      "name" : "Abnormal Value",
>      "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d',
> hostname, value, value_threshold)",
>      "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
>      "score" : "SOME_STELLAR_FUNCTION(value)"
>    }
>  ],
>  "aggregator" : "MAX"
> }
> {code}
> Note that in this scenario it would also be beneficial to cache part of the 
> statement to avoid likely duplication between rule and score evaluation. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
