Nick Allen created METRON-686:
---------------------------------

             Summary: Record of Rule Set that Fired During Threat Triage
                 Key: METRON-686
                 URL: https://issues.apache.org/jira/browse/METRON-686
             Project: Metron
          Issue Type: Improvement
            Reporter: Nick Allen
            Assignee: Nick Allen



h3. Problem

There is little transparency into the Threat Triage process itself.  When 
Threat Triage runs, all I get is a score.  I don't know how that score was 
arrived at, which rules were triggered, and the specific values that caused a 
rule to trigger.  

More specifically, there is no way to generate a message that looks like "The 
host 'powned.svr.bank.com' has '230' inbound flows, exceeding the threshold of 
'202'".  This makes it difficult for an analyst to action the alert.

h3. Proposed Solution

To improve the transparency of the Threat Triage process, I am proposing these 
enhancements.

(1) Threat Triage should attach to each message all of the rules that fired in 
addition to the total calculated threat triage score.

(2) Threat Triage should allow a custom message to be generated for each rule.  
The custom message would allow for some form of string interpolation so that I 
can add specific values from each message to the generated alert.  We could 
allow this in one or both of the new fields that Casey just added, name and 
comment.

(3) The specific method of string interpolation will be implemented under a 
separate issue.

h3. Example

(1) In this example, we have a telemetry message with a field called 'value' 
that we need to monitor.  In Enrichment, I calculate some sort of value 
threshold, over which an alert should be generated.

(2) In Threat Triage, I use the calculated value threshold to alert on any 
message that has a value exceeding this threshold.  

(3) I can embed values from the message, like the hostname, value, and value 
threshold, into the alert produced by Threat Triage.  Notice that I am using 
{noformat}${this}{noformat} for string interpolation, but it could be any 
syntax that we choose.
{code}
"triageConfig" : {
  "riskLevelRules" : [
    {
      "name" : "Abnormal Value",
      "comment" : "For ${hostname}; the value ${value} exceeds threshold of ${value_threshold}",
      "rule" : "value > value_threshold",
      "score" : 10
    }
  ],
  "aggregator" : "MAX"
}
{code}

(4) The Threat Triage process today would add only the total calculated score.

{code}
"threat.triage.level": 10.0
{code}

With this proposal, Threat Triage would add the following to the message.  

Notice how each of the {noformat}${variables}{noformat} have been replaced with 
the actual values extracted from the message.  This allows for more contextual 
information to action the alert.

{code}
"threat.triage": {
    "score": 10.0,
    "rules": [
      { 
        "name": "Abnormal Value",
        "comment" : "For 10.0.0.1; the value 101 exceeds threshold of 42",
        "score" : 10
      }
    ]
}
{code}
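To make the proposed output concrete, here is an added Python sketch that is not Metron code: Metron rules are written in Stellar, which this toy "field OP field-or-number" comparison parser does not implement, and the sample message, the second rule ("Quiet Host") and the helper names are constructed for illustration. It evaluates each rule, interpolates the {noformat}${field}{noformat} placeholders in the comment from the message, aggregates the fired scores with the configured aggregator, and emits the proposed threat.triage structure.

```python
import operator
import re

# Constructed sample message and triage config, shaped like the proposal above.
MESSAGE = {"hostname": "10.0.0.1", "value": 101, "value_threshold": 42}

TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Abnormal Value",
         "comment": "For ${hostname}; the value ${value} exceeds threshold of ${value_threshold}",
         "rule": "value > value_threshold",
         "score": 10},
        {"name": "Quiet Host",  # constructed second rule to show multiple rules
         "comment": "For ${hostname}; only ${value} flows seen",
         "rule": "value < 5",
         "score": 3},
    ],
    "aggregator": "MAX",
}

# Hypothetical mini rule language: "<lhs> <op> <rhs>", where each side is a
# message field name or a numeric literal. This is NOT Stellar.
_OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
        "<=": operator.le, "==": operator.eq}
_RULE_RE = re.compile(r"^\s*(\w+)\s*(>=|<=|==|>|<)\s*(\w+)\s*$")
_VAR_RE = re.compile(r"\$\{(\w+)\}")
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}

def resolve(token, message):
    """Look the token up as a message field, else treat it as a number."""
    return message[token] if token in message else float(token)

def rule_fires(rule, message):
    """Return True when the comparison holds for this message."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    lhs, op, rhs = m.groups()
    return _OPS[op](resolve(lhs, message), resolve(rhs, message))

def interpolate(template, message):
    """Replace ${field} with the message value; unknown fields are left as-is."""
    return _VAR_RE.sub(lambda m: str(message.get(m.group(1), m.group(0))), template)

def triage(message, config):
    """Build the proposed threat.triage object: aggregate score plus fired rules."""
    fired = [{"name": r["name"],
              "comment": interpolate(r["comment"], message),
              "score": r["score"]}
             for r in config["riskLevelRules"] if rule_fires(r["rule"], message)]
    scores = [r["score"] for r in fired]
    score = float(AGGREGATORS[config["aggregator"]](scores)) if scores else 0.0
    return {"score": score, "rules": fired}
```

Running triage(MESSAGE, TRIAGE_CONFIG) yields the record shown in the proposal: score 10.0 and a single fired rule whose comment reads "For 10.0.0.1; the value 101 exceeds threshold of 42".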



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)