Ali -

Here are some issues in JIRA related to this topic.  Feel free to add
commentary or specifics of your use case to either of these issues.
Feedback will only help improve the final result.

https://issues.apache.org/jira/browse/METRON-683
https://issues.apache.org/jira/browse/METRON-685


Thanks



On Thu, Jun 22, 2017 at 9:31 AM, Casey Stella <[email protected]> wrote:

> That's correct that it's the last step.  Honestly, the threat triage
> functions were added prior to Stellar really being a thing.  We should
> allow arbitrary Stellar statements in there rather than a fixed approach,
> so it's pluggable.
>
> On Thu, Jun 22, 2017 at 3:50 AM, Ali Nazemian <[email protected]>
> wrote:
>
>> Hi all,
>>
>> I know there are four different Threat Triage aggregation functions we can
>> use for the case of triggering multiple rules. These functions are "max",
>> "min", "mean", "positive mean". I was wondering whether there is any way I
>> can implement the following logic with the Threat Triage functions for a
>> non-deterministic score.
>>
>> In the case that a specific rule is triggered, I want to boost the final
>> result of the Threat Triage score with a specific value. For example, +20 to
>> the score or multiply that by a specific value!
>>
>> Threat Triage is the last bolt in the enrichment topology so it seems I cannot
>> have any additional enrichment/transformation based on the score value. Is
>> that right?
>>
>> Regards,
>> Ali
>>
>
>
