[ 
https://issues.apache.org/jira/browse/METRON-685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16177663#comment-16177663
 ] 

Simon Elliston Ball commented on METRON-685:
--------------------------------------------

I would agree that it should be limited to numbers, and possibly in a given 
range, e.g. [-100, 100]. Not sure about integers though. There's a lot to be said 
for accepting real numbers rather than just integers in this use case (which is, 
roughly speaking, multiplying the literal score by some scaling factor). Forcing 
integers would lose precision around the aggregation in a weird way. 

> Scores in Threat Triage should be a Stellar Statement
> -----------------------------------------------------
>
>                 Key: METRON-685
>                 URL: https://issues.apache.org/jira/browse/METRON-685
>             Project: Metron
>          Issue Type: Improvement
>    Affects Versions: 0.3.0
>            Reporter: Simon Elliston Ball
>
> When writing threat triage rules I would like the score for a rule to be 
> determined by a stellar statement, rather than a fixed number triggered by a 
> boolean stellar statement.
> For example: 
> {code}
> "triageConfig" : {
>  "riskLevelRules" : [
>    {
>      "name" : "Abnormal Value",
>      "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d',
> hostname, value, value_threshold)",
>      "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
>      "score" : "SOME_STELLAR_FUNCTION(value)"
>    }
>  ],
>  "aggregator" : "MAX"
> }
> {code}
> Note that in this scenario it would also be beneficial to cache part of the 
> statement to avoid likely duplication between rule and score evaluation. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
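To make the proposal and the comment concrete, here is an added model of the semantics under discussion. It is example code written for this page, not Metron's triage engine and not Stellar: Python expressions stand in for Stellar statements, the function registry (ABNORMAL, FORMAT), the sample triageConfig and the sample messages are all constructed for illustration, and the score range [-100, 100] is the one floated in the comment above. It shows a rule whose "score" is an expression evaluated against the message (a plain number still works), function calls memoised per message so the shared sub-expression is computed once for rule, score and comment, scores kept as real numbers and clamped to the range, and the aggregation step. Because a score expression is executable code supplied by whoever writes the config, the evaluator restricts expressions to arithmetic, comparisons and registered functions.

```python
"""Model of the METRON-685 proposal (added example; not Metron or Stellar code)."""
import ast
import math
from typing import Any, Callable, Dict, List

# Hypothetical function registry standing in for Stellar's. ABNORMAL is a
# placeholder for the ticket's SOME_STELLAR_FUNCTION: deviation of value from a
# constructed baseline (mean 50, stddev 10) in units of stddev.
def _abnormal(value: float, mean: float = 50.0, stddev: float = 10.0) -> float:
    return abs(value - mean) / stddev

def _format(fmt: str, *args: Any) -> str:
    return fmt % args  # printf-style, like Stellar's FORMAT

FUNCTIONS: Dict[str, Callable[..., Any]] = {"ABNORMAL": _abnormal, "FORMAT": _format}

# Only these AST node types may appear in a rule/score/comment expression: no
# attribute access, subscripts, lambdas, comprehensions or keyword arguments.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.BinOp, ast.UnaryOp, ast.Compare,
            ast.Call, ast.Name, ast.Constant, ast.Load,
            ast.And, ast.Or, ast.Not, ast.USub, ast.Add, ast.Sub, ast.Mult, ast.Div,
            ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq)

def compile_expr(src: str):
    """Parse src as one expression and reject anything outside the allowed subset,
    so a score expression cannot reach Python internals or unregistered functions."""
    tree = ast.parse(src, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"disallowed syntax {type(node).__name__} in {src!r}")
        if isinstance(node, ast.Call) and not (
                isinstance(node.func, ast.Name) and node.func.id in FUNCTIONS):
            raise ValueError(f"unknown function in {src!r}")
    return compile(tree, "<triage>", "eval")

class MessageScope:
    """Evaluation environment for one message. Function calls are memoised per
    message, so ABNORMAL(value) computed by the rule is reused by the score and
    the comment (the caching the ticket asks for). `calls` counts real invocations."""
    def __init__(self, message: Dict[str, Any]):
        self.calls = 0
        self._cache: Dict[Any, Any] = {}
        self.env: Dict[str, Any] = dict(message)  # message fields are variables
        for name, fn in FUNCTIONS.items():
            self.env[name] = self._memo(name, fn)

    def _memo(self, name: str, fn: Callable[..., Any]) -> Callable[..., Any]:
        def wrapper(*args: Any) -> Any:
            key = (name, args)
            if key not in self._cache:
                self.calls += 1
                self._cache[key] = fn(*args)
            return self._cache[key]
        return wrapper

    def eval(self, code) -> Any:
        return eval(code, {"__builtins__": {}}, self.env)  # no builtins reachable

SCORE_RANGE = (-100.0, 100.0)  # range suggested in the comment; an assumption here
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum, "MEAN": lambda xs: sum(xs) / len(xs)}

def compile_rules(triage_config: Dict[str, Any]) -> List[Dict[str, Any]]:
    # str() lets a legacy numeric literal score ("score": 100) compile too.
    return [{"name": r["name"],
             "rule": compile_expr(r["rule"]),
             "score": compile_expr(str(r["score"])),
             "comment": compile_expr(r["comment"]) if "comment" in r else None}
            for r in triage_config["riskLevelRules"]]

def triage(triage_config: Dict[str, Any], message: Dict[str, Any]) -> Dict[str, Any]:
    scope = MessageScope(message)
    lo, hi = SCORE_RANGE
    hits: List[Dict[str, Any]] = []
    for rule in compile_rules(triage_config):
        if not scope.eval(rule["rule"]):
            continue
        raw = scope.eval(rule["score"])
        # Scores must be finite numbers; a bool means a comparison was pasted
        # into "score" by mistake. Reals are kept, not truncated to int.
        if isinstance(raw, bool) or not isinstance(raw, (int, float)) or not math.isfinite(raw):
            raise TypeError(f"rule {rule['name']!r}: score must be a finite number, got {raw!r}")
        score = min(max(float(raw), lo), hi)
        comment = scope.eval(rule["comment"]) if rule["comment"] is not None else None
        hits.append({"name": rule["name"], "score": score, "comment": comment})
    aggregate = AGGREGATORS[triage_config.get("aggregator", "MAX")]
    total = aggregate([h["score"] for h in hits]) if hits else 0.0  # 0.0 when nothing fires (our choice)
    return {"score": total, "rules": hits, "function_calls": scope.calls}

# Constructed config mirroring the ticket's shape; the second rule keeps the old
# fixed-number style so both forms can coexist.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Abnormal Value",
         "comment": "FORMAT('For %s; the value %s exceeds threshold of %d', hostname, value, value_threshold)",
         "rule": "ABNORMAL(value) > value_threshold",
         "score": "ABNORMAL(value) * 10"},
        {"name": "Legacy fixed score", "rule": "value > 200", "score": 100},
    ],
    "aggregator": "MAX",
}

if __name__ == "__main__":
    # Constructed message; ABNORMAL(85.0) is 3.5, so the score is 35.0 and
    # ABNORMAL runs once although rule and score both reference it.
    print(triage(TRIAGE_CONFIG, {"hostname": "web-01", "value": 85.0, "value_threshold": 3.0}))
```

Note what the restricted evaluator rejects: `compile_expr("value.__class__")` and `compile_expr("__import__('os').system('id')")` both raise ValueError before anything runs. Whatever engine evaluates the real Stellar expressions, the same question applies: the score field stops being data and becomes code, so who can write triageConfig matters as much as what the expression computes.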