[ https://issues.apache.org/jira/browse/METRON-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15589094#comment-15589094 ]
ASF GitHub Bot commented on METRON-441:
---------------------------------------

Github user james-sirota commented on the issue:

    https://github.com/apache/incubator-metron/pull/309

    +1

> Aggregator function "MIN" does not work for threat triage
> ---------------------------------------------------------
>
>                 Key: METRON-441
>                 URL: https://issues.apache.org/jira/browse/METRON-441
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Neha Sinha
>            Assignee: Casey Stella
>             Fix For: 0.2.2BETA
>
>
> The enrichment config in my deployment reads this :-
> ======================================================
> ENRICHMENT Config: snort
> {
>   "index": "snort",
>   "batchSize": 1,
>   "threatIntel" : {
>     "triageConfig" : {
>       "riskLevelRules" : {
>         "ip_dst_addr == '192.168.138.158'" : 92.9
>         ,"exists(ip_dst_addr)" : 92.01
>       },
>       "aggregator" : "MIN"
>     }
>   }
> }
> ======================================================
> The threat.triage.level value is being set to '0' though the rule condition
> exists(ip_dst_addr) is satisfied.
> Enrichment logs :-
> =======================================================
> 2016-08-22 10:50:22.167 o.a.m.w.BulkWriterComponent [DEBUG] Acking 1 tuples
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found
> sensor enrichment config.
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] snort: Found
> threat triage config: ThreatTriageConfig{riskLevelRules={ip_dst_addr ==
> '192.168.138.158'=92.9, exists(ip_dst_addr)=92.01}, aggregator=MIN,
> aggregationConfig={}}
> 2016-08-22 10:50:22.167 o.a.m.e.b.ThreatIntelJoinBolt [DEBUG] Marked snort as
> triage level 0.0 with rules ip_dst_addr == '192.168.138.158'=92.9
> exists(ip_dst_addr)=92.01
> =====================================================

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)