[ https://issues.apache.org/jira/browse/METRON-701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15879043#comment-15879043 ]

ASF GitHub Bot commented on METRON-701:
---------------------------------------

Github user cestella commented on the issue:

    https://github.com/apache/incubator-metron/pull/449
  
    Well, let me try to make the case that this is user-focused while being
    aware of the limitations of implementation. ;)

    The main aim for adaptability is to allow multiple representations to be
    stored in multiple datastores. The representation has a 1-to-n relationship
    with the data store (maybe "writer" can be a list of writers or a single
    writer?). This puts the top-level citizen as the representation associated
    with a naming about what it is intended to be used for. Put simply, it's not
    that Kafka can only handle JSON blobs, but rather it's that we need the
    kurtosis for the `kurtosis_triage` rule (by the way, `kurtosis_triage` should
    be part of the message constructed along with the `source.type` of
    `profiler`...maybe `profile.type`).


> Triage Metrics Produced by the Profiler
> ---------------------------------------
>
>                 Key: METRON-701
>                 URL: https://issues.apache.org/jira/browse/METRON-701
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Nick Allen
>            Assignee: Nick Allen
>
> h3. Problem
> The motivating example is that I would like to create an alert if the number 
> of inbound flows to any host over a 15 minute interval is abnormal.  
> The value being interrogated here, the number of inbound flows, is not a 
> static value contained within any single telemetry message.  This value is 
> calculated across multiple messages by the Profiler.  The current Threat 
> Triage process cannot be used to interrogate values calculated by the 
> Profiler.
> h3. Proposed Solution
> I am proposing that we treat the Profiler as a source of telemetry.   The 
> measurements captured by the Profiler would be enqueued into a Kafka topic.  
> We would then treat those Profiler messages like any other telemetry.  We 
> would parse, enrich, triage, and index those messages.
> This would have the following advantages.
> 1.  We would be able to reuse the same threat triage mechanism for values 
> calculated by the Profiler.
> 2.  We would be able to generate profiles from the profiled data - aka 
> meta-profiles anyone? 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
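The pipeline proposed in the issue and discussed in the comment above (profiler measurements emitted as ordinary telemetry with a `source.type` of `profiler`, then triaged like any other message) can be sketched end to end in a few dozen lines. The following is an added illustration, not code from Metron or from either participant: the Kafka topic is replaced by an in-memory list, the flow records are constructed sample data, the profile is a 15-minute count of inbound flows per destination host, and the two triage rules (a baseline deviation check and a `kurtosis_triage` check on the heavy-tailedness of an entity's series, both with thresholds chosen here for the example) are assumptions made only to show that a triage rule can consume a value the profiler computed across many messages.

```python
import statistics
from collections import defaultdict

WINDOW_SECONDS = 15 * 60          # the 15 minute interval named in the issue
PROFILE_NAME = "inbound_flows"


def make_sample_flows():
    """Constructed sample telemetry, not real Metron data.

    Each flow is (epoch_seconds, destination_ip). Host 10.0.0.5 receives 4
    flows per window for eight windows and then 40 in the ninth; 10.0.0.9
    receives a steady 5 per window.
    """
    base = 900 * 1_666_667          # aligned to a 15 minute boundary
    flows = []
    for w in range(9):
        start = base + w * WINDOW_SECONDS
        for i in range(4 if w < 8 else 40):
            flows.append((start + i * 10, "10.0.0.5"))
        for i in range(5):
            flows.append((start + i * 60, "10.0.0.9"))
    return flows


def profile_inbound_flows(flows, window=WINDOW_SECONDS):
    """Profiler stage: count inbound flows per destination host per window and
    emit one message per (host, window), shaped like any other telemetry."""
    counts = defaultdict(int)
    for ts, dst in flows:
        counts[(dst, ts - ts % window)] += 1
    # Emit in time order so the triage stage sees windows as they would arrive.
    ordered = sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][0]))
    return [
        {
            "source.type": "profiler",   # field suggested in the comment above
            "profile": PROFILE_NAME,
            "entity": host,
            "window_start": bucket,
            "value": n,
        }
        for (host, bucket), n in ordered
    ]


def excess_kurtosis(values):
    """Population excess kurtosis (0 for a normal distribution).
    Returns 0.0 for short or constant series, where it is undefined."""
    n = len(values)
    if n < 4:
        return 0.0
    mean = sum(values) / n
    m2 = sum((v - mean) ** 2 for v in values) / n
    if m2 == 0:
        return 0.0
    m4 = sum((v - mean) ** 4 for v in values) / n
    return m4 / (m2 * m2) - 3.0


def triage(messages, min_history=3, sigmas=3.0, kurtosis_limit=3.0):
    """Triage stage: apply rules to profiler messages and return alerts.

    Rule 1 (assumed here): a window count more than `sigmas` standard
    deviations above the entity's prior windows is abnormal.
    Rule 2, `kurtosis_triage` (assumed here): an entity whose series of window
    counts is heavy-tailed (excess kurtosis above `kurtosis_limit`) is spiky.
    """
    history = defaultdict(list)
    alerts = []
    for msg in messages:
        if msg.get("source.type") != "profiler" or msg.get("profile") != PROFILE_NAME:
            continue                      # not a profiler measurement we triage
        prior = history[msg["entity"]]
        if len(prior) >= min_history:
            mean = statistics.fmean(prior)
            spread = max(statistics.pstdev(prior), 1.0)   # floor avoids a zero-width band
            if msg["value"] > mean + sigmas * spread:
                alerts.append({**msg, "rule": "abnormal_inbound_flows",
                               "baseline_mean": mean})
        prior.append(msg["value"])
    for entity, series in history.items():
        k = excess_kurtosis(series)
        if k > kurtosis_limit:
            alerts.append({"source.type": "profiler", "profile": PROFILE_NAME,
                           "entity": entity, "rule": "kurtosis_triage",
                           "excess_kurtosis": k})
    return alerts


def run_pipeline(flows=None):
    """Profiler -> topic -> triage, with a list standing in for the Kafka topic."""
    topic = []
    topic.extend(profile_inbound_flows(flows if flows is not None else make_sample_flows()))
    return triage(topic)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Running the block flags 10.0.0.5 twice: once for the ninth window (40 flows against a baseline of 4) and once because its series of window counts is heavy-tailed, while the steady host 10.0.0.9 produces no alert. The point of the shape is that the profiler message carries only the computed value plus `source.type`/`profile` fields, so the same triage stage that scores raw telemetry can score it without knowing how the value was derived.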