[
https://issues.apache.org/jira/browse/METRON-685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Simon Elliston Ball updated METRON-685:
---------------------------------------
Description:
When writing threat triage rules I would like the score for a rule to be
determined by a Stellar statement, rather than a fixed number triggered by a
boolean Stellar statement.
For example:
{code}
"triageConfig" : {
  "riskLevelRules" : [
    {
      "name" : "Abnormal Value",
      "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d', hostname, value, value_threshold)",
      "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
      "score" : "SOME_STELLAR_FUNCTION(value)"
    }
  ],
  "aggregator" : "MAX"
}
{code}
Note that in this scenario it would also be beneficial to cache part of the
statement to avoid likely duplication between rule and score evaluation.
was:
When writing threat triage rules I would like the score for a rule to be
determined by a Stellar statement, rather than a fixed number triggered by a
boolean Stellar statement.
For example:
{code:json}
"triageConfig" : {
  "riskLevelRules" : [
    {
      "name" : "Abnormal Value",
      "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d', hostname, value, value_threshold)",
      "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
      "score" : "SOME_STELLAR_FUNCTION(value)"
    }
  ],
  "aggregator" : "MAX"
}
{code}
Note that in this scenario it would also be beneficial to cache part of the
statement to avoid likely duplication between rule and score evaluation.
> Scores in Threat Triage should be a Stellar Statement
> -----------------------------------------------------
>
> Key: METRON-685
> URL: https://issues.apache.org/jira/browse/METRON-685
> Project: Metron
> Issue Type: Improvement
> Affects Versions: 0.3.0
> Reporter: Simon Elliston Ball
>
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
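The semantics the ticket asks for, modelled as an added example that is not Metron code and does not use Stellar: each rule carries a boolean `rule` expression and a `score` that may be either a fixed number or an expression evaluated against the same message, the scores of the rules that fired are combined with the configured aggregator, and function-call results are memoised per message so that a sub-expression shared between `rule` and `score` (the duplication the ticket mentions) is evaluated once. Python expressions stand in for Stellar, `ABNORMALITY` is a constructed stand-in for the ticket's `SOME_STELLAR_FUNCTION`, the `MAX`/`SUM` aggregators are only a subset, and the config and messages are constructed samples.

```python
"""Model of the semantics proposed in METRON-685: a triage rule's score is an
expression evaluated against the message, not a fixed number, and sub-expressions
shared between `rule` and `score` are evaluated once per message.

This is an added illustration, not Metron code: Python expressions stand in for
Stellar, ABNORMALITY stands in for the ticket's SOME_STELLAR_FUNCTION, and the
config and messages below are constructed samples.
"""
import ast
import operator
from typing import Any, Dict, List

CALLS = {"count": 0}  # counts real function invocations, to show the cache working


def abnormality(value: float, baseline: float = 100.0, spread: float = 10.0) -> float:
    """Constructed stand-in for SOME_STELLAR_FUNCTION: distance from a baseline, in spreads."""
    CALLS["count"] += 1
    return abs(value - baseline) / spread


FUNCTIONS = {"ABNORMALITY": abnormality}  # allow-list: only these names are callable

OPS = {
    ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.Div: operator.truediv,
}


class Evaluator:
    """Evaluates one message's expressions; function-call results are memoised per message."""

    def __init__(self, message: Dict[str, Any]):
        self.message = message
        self.cache: Dict[str, Any] = {}

    def eval(self, expr: str) -> Any:
        return self._node(ast.parse(expr, mode="eval").body)

    def _node(self, node: ast.AST) -> Any:
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):          # bare names resolve to message fields
            return self.message[node.id]
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            return OPS[type(node.ops[0])](self._node(node.left), self._node(node.comparators[0]))
        if isinstance(node, ast.BinOp):
            return OPS[type(node.op)](self._node(node.left), self._node(node.right))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            key = ast.dump(node)                # structural key: same call text -> same result
            if key not in self.cache:
                fn = FUNCTIONS[node.func.id]    # KeyError for anything off the allow-list
                self.cache[key] = fn(*(self._node(a) for a in node.args))
            return self.cache[key]
        raise ValueError(f"unsupported expression element: {type(node).__name__}")


AGGREGATORS = {"MAX": max, "SUM": sum}  # subset of aggregators, for illustration


def triage(config: Dict[str, Any], message: Dict[str, Any]) -> Dict[str, Any]:
    """Apply riskLevelRules to one message; `score` may be a number or an expression."""
    CALLS["count"] = 0
    ev = Evaluator(message)
    fired: List[Dict[str, Any]] = []
    for rule in config["riskLevelRules"]:
        if ev.eval(rule["rule"]):
            score = rule["score"]
            score = float(ev.eval(score)) if isinstance(score, str) else float(score)
            fired.append({"name": rule["name"], "score": score})
    total = AGGREGATORS[config["aggregator"]](r["score"] for r in fired) if fired else 0.0
    return {"score": total, "rules": fired, "function_calls": CALLS["count"]}


# Constructed config in the shape of the ticket's triageConfig fragment.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {
            "name": "Abnormal Value",
            "rule": "ABNORMALITY(value) > value_threshold",
            "score": "ABNORMALITY(value) * 10",   # expression score, as the ticket proposes
        },
        {
            "name": "Known bad host",
            "rule": "hostname == 'bad.example'",
            "score": 50,                           # fixed score, as today
        },
    ],
    "aggregator": "MAX",
}

# Constructed messages.
MSG_ABNORMAL = {"hostname": "web01", "value": 160.0, "value_threshold": 3.0}
MSG_BAD_HOST = {"hostname": "bad.example", "value": 105.0, "value_threshold": 3.0}

if __name__ == "__main__":
    for msg in (MSG_ABNORMAL, MSG_BAD_HOST):
        print(msg["hostname"], triage(TRIAGE_CONFIG, msg))
```

For the first message `ABNORMALITY(value)` appears in both `rule` and `score`, yet `function_calls` comes back as 1: the memo is keyed on the structural dump of the call node, so the score expression hits the cache filled while evaluating the rule. The memo lives on the per-message `Evaluator`, never across messages, which is what keeps the cache safe when field values change from one message to the next.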