[ https://issues.apache.org/jira/browse/METRON-701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15888332#comment-15888332 ]

ASF GitHub Bot commented on METRON-701:
---------------------------------------

Github user cestella commented on the issue:

    https://github.com/apache/incubator-metron/pull/449
  
    Looks great, quick question.  If I submit a profile that looks like:
    ```
    {
      "profiles": [
        {
          "profile": "test",
          "foreach": "'global'",
          "onlyif": "source.type == 'bro'",
          "init":    { "count": "0" },
          "update":  { "count": "count + 1" },
          "result": {
              "profile": "count",
              "triage": "{ 'blah' : count, 'zork' : 'zork'}"
          }
        }
      ]
    }
    ```
    Will I get messages in kafka that look like:
    ```
    {
      "period.start": 1488233820000,
      "period": 24803897,
      "profile": "test",
      "blah": 161,
      "zork": "zork",
      "period.end": 1488233880000,
      "is_alert": "true",
      "entity": "global",
      "timestamp": 1488233841600,
      "source.type": "profiler"
    }
    ```
    
    I think that's an important aspect as people will probably want to submit
    multiple things to further triage or give context since they cannot send along
    our summary objects.

    Also, if someone tries to submit something that JSON can't handle (like a
    stats object), will it get dropped or will an exception occur?

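The two questions in the comment above (does a "triage" map get flattened into the emitted message alongside the profiler's own fields, and what happens to a value JSON cannot carry) are illustrated by the following added example. It is not Metron's code and not from the pull request; it models only the message shape. Assumptions: one-minute periods, because the sample message's period.start/period.end are 60000 ms apart; the set of reserved fields is taken from the sample message; the triage map is passed in already evaluated (no Stellar evaluation is attempted); and whether an unserializable value is dropped or raises is a parameter, since the page leaves that open. The reserved-key check is a practitioner's caveat: a user-supplied triage key must not be able to overwrite "source.type" or "entity", or a profile author could relabel the message as some other telemetry source.

```python
import json
from typing import Any, Dict, Mapping

# Fields the profiler itself writes into every emitted message. The list is
# taken from the sample message in the comment above; treating them as reserved
# is this example's assumption, not documented Metron behaviour. The guard
# stops a profile's triage map from overwriting "source.type" (which decides how
# downstream parsing/enrichment treats the message) or "entity"/"profile"
# (which identify what was measured).
RESERVED_KEYS = frozenset({
    "period.start", "period.end", "period", "profile",
    "entity", "timestamp", "source.type", "is_alert",
})

# The sample message spans 1488233820000..1488233880000, i.e. a one-minute
# period, so that is the period length assumed here.
PERIOD_MS = 60_000


class UnserializableTriageValue(ValueError):
    """A triage value cannot be represented in JSON (e.g. a stats object)."""


class StatsSummary:
    """Constructed stand-in for a summary object that json.dumps cannot handle."""

    def __init__(self, count: int, mean: float) -> None:
        self.count = count
        self.mean = mean


def _is_json_value(value: Any) -> bool:
    try:
        # allow_nan=False: NaN/Infinity are not valid JSON either, even though
        # json.dumps would emit them by default.
        json.dumps(value, allow_nan=False)
        return True
    except (TypeError, ValueError):
        return False


def build_profiler_message(
    profile_name: str,
    entity: str,
    timestamp_ms: int,
    triage_values: Mapping[str, Any],
    on_unserializable: str = "raise",
) -> Dict[str, Any]:
    """Flatten an already-evaluated triage map into one profiler message.

    `triage_values` is what evaluating the profile's "triage" expression would
    yield (e.g. {"blah": 161, "zork": "zork"}); no Stellar evaluation happens
    here. `on_unserializable` is "raise" or "drop", the two behaviours the
    comment asks about.
    """
    if on_unserializable not in ("raise", "drop"):
        raise ValueError("on_unserializable must be 'raise' or 'drop'")
    period = timestamp_ms // PERIOD_MS
    period_start = period * PERIOD_MS
    message: Dict[str, Any] = {
        "period.start": period_start,
        "period": period,
        "period.end": period_start + PERIOD_MS,
        "profile": profile_name,
        "entity": entity,
        "timestamp": timestamp_ms,
        "source.type": "profiler",
        "is_alert": "true",  # a string, exactly as in the sample message
    }
    for key, value in triage_values.items():
        if key in RESERVED_KEYS:
            raise ValueError(f"triage key {key!r} collides with a reserved profiler field")
        if not _is_json_value(value):
            if on_unserializable == "drop":
                continue  # leave the field out of the message
            raise UnserializableTriageValue(
                f"triage value for {key!r} ({type(value).__name__}) is not JSON-serializable")
        message[key] = value
    return message


def serialize(message: Mapping[str, Any]) -> str:
    """Encode the message as it would be written to the Kafka topic."""
    return json.dumps(message, sort_keys=True, allow_nan=False)


def parse_profiler_message(text: str) -> Dict[str, Any]:
    """Decode a message the way a downstream consumer would."""
    return json.loads(text)


if __name__ == "__main__":
    msg = build_profiler_message("test", "global", 1488233841600,
                                 {"blah": 161, "zork": "zork"})
    print(serialize(msg))
```

Running the module prints a message with the same field values as the sample in the comment (period 24803897, period.start 1488233820000, period.end 1488233880000). Passing a `StatsSummary` with the default `on_unserializable="raise"` fails loudly at build time rather than at the Kafka producer; with `"drop"` the field is silently omitted, which is the quieter but harder-to-debug choice.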

> Triage Metrics Produced by the Profiler
> ---------------------------------------
>
>                 Key: METRON-701
>                 URL: https://issues.apache.org/jira/browse/METRON-701
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Nick Allen
>            Assignee: Nick Allen
>
> h3. Problem
> The motivating example is that I would like to create an alert if the number 
> of inbound flows to any host over a 15 minute interval is abnormal.  
> The value being interrogated here, the number of inbound flows, is not a 
> static value contained within any single telemetry message.  This value is 
> calculated across multiple messages by the Profiler.  The current Threat 
> Triage process cannot be used to interrogate values calculated by the 
> Profiler.
> h3. Proposed Solution
> I am proposing that we treat the Profiler as a source of telemetry.   The 
> measurements captured by the Profiler would be enqueued into a Kafka topic.  
> We would then treat those Profiler messages like any other telemetry.  We 
> would parse, enrich, triage, and index those messages.
> This would have the following advantages.
> 1.  We would be able to reuse the same threat triage mechanism for values 
> calculated by the Profiler.
> 2.  We would be able to generate profiles from the profiled data - aka 
> meta-profiles anyone? 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)