[METRON-685] Scores in Threat Triage should be a Stellar Statement - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Done
Priority: Major
Resolution: Done
Affects Version/s: 0.3.0
Fix Version/s: 0.7.1
Labels:
None

Description

When writing threat triage rules I would like the score for a rule to be determined by a stellar statement, rather than a fixed number triggered by a boolean stellar statement.

For example:

"triageConfig" : {
 "riskLevelRules" : [
   {
     "name" : "Abnormal Value",
     "comment" : "FORMAT('For %s; the value %s exceeds threshold of %d',
hostname, value, value_threshold)"
     "rule" : "SOME_STELLAR_FUNCTION(value) > value_threshold",
     "score" : "SOME_STELLAR_FUNCTION(value)"
   }
 ],
 "aggregator" : "MAX"
}

Note that in this scenario it would also be beneficial to cache part of the statement to avoid likely duplication between rule and score evaluation.

Attachments

Issue Links

links to

GitHub Pull Request #1311

Activity

People

Assignee:: Nick Allen

Reporter:: Simon Elliston Ball

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 02/Feb/17 14:38

Updated:: 23/Apr/19 19:52

Resolved:: 19/Feb/19 21:17

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

3h 10m