[ https://issues.apache.org/jira/browse/METRON-141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15277043#comment-15277043 ]
ASF GitHub Bot commented on METRON-141:
---------------------------------------
Github user merrimanr commented on the pull request:
https://github.com/apache/incubator-metron/pull/108#issuecomment-217990228
+1
> The ability to do threat triage
> -------------------------------
>
> Key: METRON-141
> URL: https://issues.apache.org/jira/browse/METRON-141
> Project: Metron
> Issue Type: New Feature
> Reporter: Casey Stella
> Assignee: Casey Stella
>
> We have the ability to mark messages as part of the enrichment topology as
> threat alerts, but we have no ability to prioritize those alerts.
> We should allow for the prioritization of messages that have some threat
> intelligence alert via a scoring mechanism. The one implemented here allows
> the user to map conditions expressed via a light-weight DSL to a score and
> allow a configurable aggregation strategy.
> The DSL to express conditions should allow for the following:
> * Referencing fields in the enriched JSON
> * Simple boolean operations: and, not, or
> * The ability to have parentheses to make order of operations explicit
> * A fixed set of functions which take strings and return boolean (currently
> IN_SUBNET(ip, cidr1, cidr2, ...), IS_EMPTY(str), STARTS_WITH(str, prefix),
> ENDS_WITH(str, suffix), REGEXP_MATCH(str, pattern) )
> * A fixed set of string to string transformation functions: TO_LOWER,
> TO_UPPER, TRIM
> For each message, if the rule as expressed by the DSL matches on the message,
> then we are given a list of numbers to aggregate into a single score.
> Aggregation functions supported are as follows:
> * MAX
> * MEAN
> * POSITIVE_MEAN - the mean of the positive scores
> If an aggregated score that is positive is yielded, then a field
> 'threat.triage.level' with the score is added to the indexed JSON.
> This configuration will be done on a per-sensor basis and added to the
> SensorEnrichmentConfig.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
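As an added illustration of the triage semantics the quoted issue describes (rules matched against the enriched message, their scores aggregated with MAX, MEAN or POSITIVE_MEAN, and `threat.triage.level` set only when the result is positive), the following Python models that behaviour. It is not Metron's own code or DSL; the condition functions are Python stand-ins, and the sensor config, field names, scores and messages are constructed.

```python
import ipaddress
import re
from statistics import mean

# Python stand-ins for the condition functions the issue lists; this is an added
# illustration of the described semantics, not Metron's own DSL implementation.
def IN_SUBNET(ip, *cidrs):
    if IS_EMPTY(ip):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

IS_EMPTY = lambda s: s is None or s == ""
STARTS_WITH = lambda s, prefix: s is not None and s.startswith(prefix)
ENDS_WITH = lambda s, suffix: s is not None and s.endswith(suffix)
REGEXP_MATCH = lambda s, pattern: s is not None and re.fullmatch(pattern, s) is not None
TO_LOWER, TO_UPPER, TRIM = str.lower, str.upper, str.strip

# Aggregation strategies named in the issue. Assumption: an empty score list
# (no rule matched, or no positive score) aggregates to 0, so no level is set.
def POSITIVE_MEAN(scores):
    positive = [s for s in scores if s > 0]
    return mean(positive) if positive else 0

AGGREGATORS = {
    "MAX": lambda scores: max(scores) if scores else 0,
    "MEAN": lambda scores: mean(scores) if scores else 0,
    "POSITIVE_MEAN": POSITIVE_MEAN,
}

# Constructed per-sensor triage config: each rule pairs a condition over the
# enriched message with the score it contributes when the condition holds.
TRIAGE_CONFIG = {
    "aggregator": "MAX",
    "rules": [
        (lambda m: IN_SUBNET(m.get("ip_src_addr"), "10.0.0.0/8", "192.168.0.0/16"), 10),
        (lambda m: not IS_EMPTY(m.get("threatintel_hit"))
                   and ENDS_WITH(TO_LOWER(m["threatintel_hit"]), ".exe"), 50),
        (lambda m: REGEXP_MATCH(m.get("user_agent"), r"(?i).*curl.*")
                   or STARTS_WITH(TRIM(m.get("host", "")), "evil"), 25),
    ],
}

def triage(message, config):
    """Return a copy of the message; 'threat.triage.level' is added only if the aggregate is positive."""
    scores = [score for condition, score in config["rules"] if condition(message)]
    level = AGGREGATORS[config["aggregator"]](scores)
    out = dict(message)
    if level > 0:
        out["threat.triage.level"] = level
    return out
```

Swapping `"aggregator"` to `"MEAN"` or `"POSITIVE_MEAN"` in the config changes the level for the same matches, which is the configurable aggregation strategy the issue asks for.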