
Scores in Threat Triage should be a Stellar Statement


    Details

    • Type: Improvement
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 0.3.0
    • Fix Version/s: 0.7.1
    • Labels:
      None

      Description

      When writing threat triage rules I would like the score for a rule to be determined by a Stellar statement, rather than a fixed number triggered by a boolean Stellar statement.

      For example:

      "triageConfig" : {
       "riskLevelRules" : [
         {
           "name" : "Abnormal Value",
           "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d', hostname, value, value_threshold)",
           "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
           "score" : "SOME_STELLAR_FUNCTION(value)"
         }
       ],
       "aggregator" : "MAX"
      }

      Note that in this scenario it would also be beneficial to cache part of the statement to avoid likely duplication between rule and score evaluation.
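      The following is an added illustration of the requested semantics, not Metron's own code: each rule carries a `rule` expression and a `score` expression, hits are combined with the configured aggregator, and function calls are memoised per message so the shared sub-expression is evaluated once. The expression language is a small whitelisted subset of Python syntax standing in for Stellar, and `LENGTH`/`ABS` are constructed stand-ins for `SOME_STELLAR_FUNCTION`.

```python
import ast
import operator

# Constructed stand-in for the Stellar function registry (not Metron code).
FUNCTIONS = {"LENGTH": len, "ABS": abs}
CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
       ast.LtE: operator.le, ast.Eq: operator.eq}
AGGREGATORS = {"MAX": max, "SUM": sum}

class Evaluator:
    """Evaluates a small whitelisted expression subset against one message.
    Function calls are memoised so a rule and its score share one evaluation."""
    def __init__(self, message):
        self.msg = message
        self.cache = {}   # (function name, args) -> result
        self.calls = 0    # number of real function invocations

    def eval(self, expr):
        return self._node(ast.parse(expr, mode="eval").body)

    def _node(self, n):
        if isinstance(n, ast.Constant):
            return n.value
        if isinstance(n, ast.Name):          # bare name = message field
            return self.msg[n.id]
        if isinstance(n, ast.Compare) and len(n.ops) == 1:
            op = CMP[type(n.ops[0])]
            return op(self._node(n.left), self._node(n.comparators[0]))
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Name):
            key = (n.func.id, tuple(self._node(a) for a in n.args))
            if key not in self.cache:       # evaluate once per message
                self.calls += 1
                self.cache[key] = FUNCTIONS[key[0]](*key[1])
            return self.cache[key]
        raise ValueError(f"unsupported node: {type(n).__name__}")

def triage(triage_config, message):
    """Returns (aggregate score, [(rule name, score)], function calls made)."""
    ev = Evaluator(message)
    hits = [(r["name"], ev.eval(r["score"]))
            for r in triage_config["riskLevelRules"] if ev.eval(r["rule"])]
    agg = AGGREGATORS[triage_config["aggregator"]]
    return (agg(s for _, s in hits) if hits else 0), hits, ev.calls

# Constructed config mirroring the ticket's shape, with LENGTH as the function.
CONFIG = {"aggregator": "MAX", "riskLevelRules": [
    {"name": "Abnormal Value", "rule": "LENGTH(value) > value_threshold",
     "score": "LENGTH(value)"},
    {"name": "Bad Host", "rule": "hostname == 'evil'", "score": "100"}]}
```

      Anything outside the whitelisted node types (attribute access, unknown functions) is rejected rather than evaluated, which is the property a rule evaluator fed from configuration should keep.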

              People

              • Assignee: Nick Allen (nickwallen)
              • Reporter: Simon Elliston Ball (simonellistonball)


                Time Tracking

                • Original Estimate: Not Specified
                • Remaining Estimate: 0h
                • Time Spent: 3h 10m