Actually, and I am shocked to find myself saying this, MaaS won't help you here. ;) I don't think the current system can encode your desire. Just in case I'm being dense, though, would you give us a concrete example with some rules and how you'd like the score aggregated?
On Thu, Jun 22, 2017 at 8:07 PM, Ali Nazemian <[email protected]> wrote:
> Thanks, Casey and Nick. Is there any way that we can somehow overcome this
> requirement with the current features? Exclude MAAS.
>
> On Thu, Jun 22, 2017 at 11:42 PM, Nick Allen <[email protected]> wrote:
>
>> Ali -
>>
>> Here are some issues in JIRA related to this topic. Feel free to add
>> commentary or specifics of your use case to either of these issues.
>> Feedback will only help improve the final result.
>>
>> https://issues.apache.org/jira/browse/METRON-683
>> https://issues.apache.org/jira/browse/METRON-685
>>
>> Thanks
>>
>> On Thu, Jun 22, 2017 at 9:31 AM, Casey Stella <[email protected]> wrote:
>>
>>> That's correct that it's the last step. Honestly, the threat triage
>>> functions were added prior to Stellar really being a thing. We should
>>> allow arbitrary stellar statements in there rather than a fixed approach,
>>> so it's pluggable.
>>>
>>> On Thu, Jun 22, 2017 at 3:50 AM, Ali Nazemian <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I know there are four different Threat Triage aggregation functions we
>>>> can use for the case of triggering multiple rules. These functions are
>>>> "max", "min", "mean", "positive mean". I was wondering whether there is any
>>>> way I can implement the following logic with the Threat Triage functions for
>>>> a non-deterministic score.
>>>>
>>>> In the case that a specific rule is triggered, I want to boost the
>>>> final result of Threat Triage score with a specific value. For example +20
>>>> to the score or multiply that by a specific value!
>>>>
>>>> Threat Triage is the last bolt in enrichment topology so it seems I
>>>> cannot have any additional enrichment/transformation based on the score
>>>> value. Is that right?
>>>>
>>>> Regards,
>>>> Ali
>
> --
> A.Nazemian
