Neha Sinha created METRON-441:
---------------------------------

Summary: Aggregator function "MIN" does not work for threat triage
Key: METRON-441
URL: https://issues.apache.org/jira/browse/METRON-441
Project: Metron
Issue Type: Bug
Reporter: Neha Sinha
Fix For: 0.2.2BETA
The enrichment config in my deployment reads this:
======================================================
ENRICHMENT Config: snort
{
  "index": "snort",
  "batchSize": 1,
  "threatIntel": {
    "triageConfig": {
      "riskLevelRules": {
        "ip_dst_addr == '192.168.138.158'": 92.9,
        "exists(ip_dst_addr)": 92.01
      },
      "aggregator": "MIN"
    }
  }
}
======================================================

The threat.triage.level value is being set to '0' though the rule condition exists(ip_dst_addr) is satisfied.

Enrichment logs:
=======================================================
2016-08-22 10:50:22.167 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found sensor enrichment config.
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found threat triage config: ThreatTriageConfig{riskLevelRules={ip_dst_addr == '192.168.138.158'=92.9, exists(ip_dst_addr)=92.01}, aggregator=MIN, aggregationConfig={}}
2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as triage level 0.0 with rules ip_dst_addr == '192.168.138.158'=92.9 exists(ip_dst_addr)=92.01
=====================================================

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
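Worked example, added here and not part of the JIRA report or of Metron's own code: a small Python model of threat triage scoring using the two riskLevelRules from the config above. The rule evaluator is a toy stand-in for Stellar that understands only the `field == 'literal'` and `exists(field)` shapes, and the message field values are constructed (the report does not show the enriched message). The expected behaviour is that the aggregator runs over the scores of the rules that actually fired, so with exists(ip_dst_addr) satisfied MIN yields 92.01, and 0.0 is reserved for a message that trips no rule. The report does not state the root cause of the 0.0 it logs; `naive_min_level` is a hypothetical faulty variant, included only to show how folding unmatched rules in as 0.0 makes MIN collapse to 0.0, which is the check a reviewer of an aggregator would want to see.

```python
import re
from typing import Dict, List

# Rule -> score map, copied from the triage config in the report.
RISK_LEVEL_RULES: Dict[str, float] = {
    "ip_dst_addr == '192.168.138.158'": 92.9,
    "exists(ip_dst_addr)": 92.01,
}

# Constructed sample messages; the report does not show the enriched message itself,
# so these field values are assumptions made for the example.
MSG_OTHER_DST = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "10.0.0.9", "protocol": "TCP"}
MSG_LISTED_DST = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "192.168.138.158", "protocol": "TCP"}
MSG_NO_DST = {"ip_src_addr": "10.0.0.5", "protocol": "ICMP"}

_EQ_RULE = re.compile(r"^\s*(\w+)\s*==\s*'([^']*)'\s*$")
_EXISTS_RULE = re.compile(r"^\s*exists\(\s*(\w+)\s*\)\s*$")


def evaluate_rule(rule: str, message: dict) -> bool:
    """Toy evaluator for the two rule shapes in the report (a stand-in for Stellar, not Metron's parser)."""
    m = _EQ_RULE.match(rule)
    if m:
        field, literal = m.groups()
        return field in message and str(message[field]) == literal
    m = _EXISTS_RULE.match(rule)
    if m:
        return m.group(1) in message
    raise ValueError(f"unsupported rule syntax: {rule!r}")


def matched_scores(rules: Dict[str, float], message: dict) -> List[float]:
    """Scores of only those rules whose condition holds for this message."""
    return [score for rule, score in rules.items() if evaluate_rule(rule, message)]


AGGREGATORS = {
    "MIN": min,
    "MAX": max,
    "SUM": sum,
    "MEAN": lambda xs: sum(xs) / len(xs),
}


def triage_level(rules: Dict[str, float], message: dict, aggregator: str) -> float:
    """Aggregate over the rules that fired; a message that trips no rule scores 0.0."""
    scores = matched_scores(rules, message)
    if not scores:
        return 0.0
    return float(AGGREGATORS[aggregator](scores))


def naive_min_level(rules: Dict[str, float], message: dict) -> float:
    """Hypothetical faulty variant (not taken from Metron): unmatched rules contribute 0.0,
    so MIN collapses to 0.0 whenever any single rule misses, even though another rule fired."""
    return min(score if evaluate_rule(rule, message) else 0.0 for rule, score in rules.items())


if __name__ == "__main__":
    for name, msg in [("other dst", MSG_OTHER_DST), ("listed dst", MSG_LISTED_DST), ("no dst", MSG_NO_DST)]:
        print(f"{name:>10}: MIN={triage_level(RISK_LEVEL_RULES, msg, 'MIN')}, "
              f"MAX={triage_level(RISK_LEVEL_RULES, msg, 'MAX')}, "
              f"naive MIN={naive_min_level(RISK_LEVEL_RULES, msg)}")
```

Running the block prints, for each constructed message, the MIN and MAX levels from the matched-only aggregator beside the naive variant; the message with an unlisted destination is the one that separates them (92.01 versus 0.0), which is the case the report describes.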