Neha Sinha created METRON-441:
---------------------------------

             Summary: Aggregator function "MIN" does not work for threat triage
                 Key: METRON-441
                 URL: https://issues.apache.org/jira/browse/METRON-441
             Project: Metron
          Issue Type: Bug
            Reporter: Neha Sinha
             Fix For: 0.2.2BETA


The enrichment config in my deployment reads as follows:

======================================================
ENRICHMENT Config: snort
{
  "index": "snort",
  "batchSize": 1,
  "threatIntel" : {
    "triageConfig" : {
      "riskLevelRules" : {
        "ip_dst_addr == '192.168.138.158'" : 92.9
        ,"exists(ip_dst_addr)" : 92.01
      },
     "aggregator" : "MIN"
    }
  }
}
======================================================

The threat.triage.level value is being set to '0' even though the rule condition
exists(ip_dst_addr) is satisfied.

Enrichment logs:
=======================================================
2016-08-22 10:50:22.167 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found 
sensor enrichment config.
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found 
threat triage config: ThreatTriageConfig{riskLevelRules={ip_dst_addr == 
'192.168.138.158'=92.9, exists(ip_dst_addr)=92.01}, aggregator=MIN, 
aggregationConfig={}}
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as 
triage level 0.0 with rules ip_dst_addr == '192.168.138.158'=92.9
exists(ip_dst_addr)=92.01
=====================================================



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

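The scoring behaviour the report describes, as an added illustration that is not Metron's code and not part of the issue: a toy evaluator for the two rule shapes in the reporter's config (exists(field) and field == 'value'; real Metron uses Stellar, which this does not implement), the aggregation over the scores of only the rules that matched, and a second, hypothetical fold that seeds its accumulator with 0.0. The seeded fold reproduces the reported symptom for MIN (min(0.0, 92.01) is 0.0) while still giving the right answer for MAX, which is one way a MIN-only failure can arise; whether this is Metron's actual defect is not established by the report. The sample message is constructed.

```python
import re
from statistics import mean

# Constructed sample message; the destination is NOT 192.168.138.158, so only
# the exists() rule should match, and MIN over the matched scores should be 92.01.
MESSAGE = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "192.168.138.200", "protocol": "TCP"}

# Triage config taken from the report (the rule strings are the reporter's own).
TRIAGE_CONFIG = {
    "riskLevelRules": {
        "ip_dst_addr == '192.168.138.158'": 92.9,
        "exists(ip_dst_addr)": 92.01,
    },
    "aggregator": "MIN",
}

# Toy rule grammar: only the two forms present in the report are supported.
_EXISTS = re.compile(r"^exists\((\w+)\)$")
_EQUALS = re.compile(r"^(\w+)\s*==\s*'([^']*)'$")


def evaluate_rule(rule, message):
    """Return True if the (toy) rule holds for the message. Not a Stellar evaluator."""
    rule = rule.strip()
    m = _EXISTS.match(rule)
    if m:
        return m.group(1) in message
    m = _EQUALS.match(rule)
    if m:
        return message.get(m.group(1)) == m.group(2)
    raise ValueError(f"unsupported rule in this toy evaluator: {rule}")


# Aggregator names mirror the ones the report's config uses; mapping is illustrative.
AGGREGATORS = {
    "MIN": min,
    "MAX": max,
    "SUM": sum,
    "MEAN": mean,
}


def triage_level(config, message):
    """Aggregate the scores of the rules that matched; 0.0 when nothing matched."""
    matched = [
        score
        for rule, score in config["riskLevelRules"].items()
        if evaluate_rule(rule, message)
    ]
    if not matched:
        return 0.0
    return float(AGGREGATORS[config["aggregator"]](matched))


def triage_level_seeded_with_zero(config, message):
    """Hypothetical faulty fold (assumption, not Metron's code): the accumulator starts
    at 0.0 and is folded with each matched score. MAX and SUM survive the zero seed,
    MIN does not, which yields the report's 'triage level 0.0' symptom."""
    agg = AGGREGATORS[config["aggregator"]]
    acc = 0.0
    for rule, score in config["riskLevelRules"].items():
        if evaluate_rule(rule, message):
            acc = float(agg([acc, score]))
    return acc


if __name__ == "__main__":
    for name in ("MIN", "MAX"):
        cfg = dict(TRIAGE_CONFIG, aggregator=name)
        print(name, "correct:", triage_level(cfg, MESSAGE),
              "zero-seeded:", triage_level_seeded_with_zero(cfg, MESSAGE))
```

When reproducing this kind of bug, change only the aggregator between runs and keep the message fixed: if MAX and SUM give the expected score while MIN collapses to 0, the rules are matching and the defect is in the aggregation, not in rule evaluation.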