Details
Type: Improvement
Status: Done
Priority: Major
Resolution: Done
0.3.0
None
Description
When writing threat triage rules I would like the score for a rule to be determined by a Stellar statement, rather than a fixed number triggered by a boolean Stellar statement.
For example:
```json
"triageConfig" : {
  "riskLevelRules" : [
    {
      "name" : "Abnormal Value",
      "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d', hostname, value, value_threshold)",
      "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
      "score" : "SOME_STELLAR_FUNCTION(value)"
    }
  ],
  "aggregator" : "MAX"
}
```
Note that in this scenario it would also be beneficial to cache part of the statement to avoid likely duplication between rule and score evaluation.
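The following is an added example, not Apache Metron project code, modelling the semantics proposed in this issue: each rule has a boolean `rule` expression gating an expression-valued `score`, the triggered scores are combined by the configured aggregator, and function calls shared between a rule and its score are evaluated once per message. Python expressions stand in for Stellar, so the `zscore` function, the `ALLOWED_NODES` whitelist, the aggregator set, the field names and the sample messages are all assumptions made for the example.

```python
"""Model of expression-valued triage scores (added example, not Metron code).
Python expressions stand in for Stellar; zscore and the fields are assumed."""
import ast
import statistics
from typing import Any, Callable, Dict

# Constructed config in the shape proposed in the issue; "comment" is carried but not evaluated.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Abnormal Value",
         "comment": "value deviates from its baseline by more than value_threshold sigma",
         "rule": "zscore(value, baseline_mean, baseline_stddev) > value_threshold",
         "score": "zscore(value, baseline_mean, baseline_stddev)"},
        {"name": "Large Value", "rule": "value > 500", "score": "5.0"},
        {"name": "Known Bad Host", "rule": "hostname in ['bad-host-1', 'bad-host-2']", "score": "10"},
    ],
    "aggregator": "MAX",
}

# Assumed Stellar-like function library exposed to rules.
FUNCTIONS: Dict[str, Callable[..., Any]] = {"zscore": lambda x, mean, sd: (x - mean) / sd}

# Constructed sample messages: one anomalous, one within its baseline.
ABNORMAL = {"hostname": "web-01", "value": 942.0, "value_threshold": 3.0,
            "baseline_mean": 100.0, "baseline_stddev": 50.0}
NORMAL = dict(ABNORMAL, value=120.0)

# Only the expression syntax a triage rule needs; attribute access, subscripts,
# lambdas and comprehensions are rejected before anything is evaluated.
ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Compare, ast.Eq, ast.NotEq,
    ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn, ast.Call, ast.Name, ast.Load,
    ast.Constant, ast.List, ast.Tuple,
)


def parse_expression(text: str):
    """Parse a rule or score expression, refusing any node outside the whitelist."""
    tree = ast.parse(text, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax {type(node).__name__} in {text!r}")
    return compile(tree, "<rule>", "eval")


def is_safe_expression(text: str) -> bool:
    try:
        parse_expression(text)
        return True
    except (ValueError, SyntaxError):
        return False


# Assumed aggregator set; the issue's example uses MAX.
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum, "MEAN": statistics.mean}


class TriageEngine:
    def __init__(self, config: Dict[str, Any], functions: Dict[str, Callable[..., Any]]):
        self.aggregate = AGGREGATORS[config["aggregator"]]
        self.rules = [(r["name"], parse_expression(r["rule"]), parse_expression(r["score"]))
                      for r in config["riskLevelRules"]]
        self.functions = functions

    def triage(self, message: Dict[str, Any]) -> Dict[str, Any]:
        cache: Dict[Any, Any] = {}   # per-message memo of function calls
        calls = [0]                  # how many underlying function invocations happened

        def memoised(name, fn):
            def wrapper(*args):
                key = (name, repr(args))
                if key not in cache:
                    calls[0] += 1
                    cache[key] = fn(*args)
                return cache[key]
            return wrapper

        names = {name: memoised(name, fn) for name, fn in self.functions.items()}
        names.update(message)        # message fields are visible as plain names
        env = {"__builtins__": {}}   # no builtins reachable from rule text
        scores: Dict[str, float] = {}
        for name, rule_code, score_code in self.rules:
            if eval(rule_code, env, names):
                # The score is an expression; the shared zscore(...) call hits the cache.
                scores[name] = float(eval(score_code, env, names))
        total = float(self.aggregate(scores.values())) if scores else 0.0
        return {"scores": scores, "score": total, "function_calls": calls[0]}


if __name__ == "__main__":
    engine = TriageEngine(TRIAGE_CONFIG, FUNCTIONS)
    for msg in (ABNORMAL, NORMAL):
        print(msg["value"], engine.triage(msg))
```

For the anomalous message the "Abnormal Value" rule fires with a z-score of 16.84 and the "Large Value" rule with 5.0, so MAX yields 16.84 while `zscore` runs only once because the score expression reuses the cached call from the rule; switching the aggregator to SUM gives 21.84. The node whitelist is the check worth keeping in mind for the real feature: once the score is an arbitrary expression, the same parser and sandboxing that already govern the boolean rule must cover it too.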