METRON-675: Make Threat Triage rules able to be assigned names and comments #426
Testing Instructions beyond the normal smoke test (i.e. letting data

Preliminaries

It is helpful to install the elasticsearch head plugin:

Also, set an environment variable to indicate

Adjust configs to Bro

We will adjust the bro topology to have a couple of threat triage rules:

This should create 2 rules:

Ensure via the elasticsearch head plugin that the following is true:

Test Case: Stellar Management Functions
+1 Works great. Spun everything up, followed your script, created my own triage rules and validated the scoring. The 'RiskLevelRule' POJO certainly makes things a little cleaner. As a random side note, it will be really cool when the aggregation of the scores is just Stellar code, rather than MAX or SUM. This would allow us to plug in a real model for scoring the alerts.

@nickwallen Agreed on the aggregator being Stellar. I created https://issues.apache.org/jira/browse/METRON-683 for it.
There may be many, many threat triage rules. To help organize these, we should make them slightly more complex than a simple key/value as we have it now. We should add optional name and optional comment fields.
This essentially makes the risk level rules slightly more complex. The format goes from:
to:
This is NOT backwards compatible, but I think it's more explicit and a bit clearer.
Testing plan to come in a follow-on comment.
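To make the format change concrete, here is an added example (not Metron's own code, and not the PR's) that accepts both the legacy map-style `riskLevelRules` (`{"stellar expression": score}`) and the named-rule form this PR describes (a list of objects with optional `name` and `comment`, plus `rule` and `score`), then scores a message with a `MAX` or `SUM` aggregator. The config keys `riskLevelRules` and `aggregator`, the field names `name`/`comment`/`rule`/`score`, and the set of aggregators are assumptions about the triage config shape; the rule evaluator is a tiny stand-in for Stellar that only understands `field <op> literal`, so real Stellar expressions would not parse here.

```python
"""Added example: normalise legacy vs. named threat-triage rules and score a message.

Assumed config shape (not taken from the page):
  "triageConfig": {"riskLevelRules": <map or list>, "aggregator": "MAX"|"SUM"|"MIN"|"MEAN"}
"""
import re
from typing import Any, Callable, Dict, List, Optional, Union

Rule = Dict[str, Any]
LegacyRules = Dict[str, Union[int, float]]


def normalize_rules(risk_level_rules: Union[LegacyRules, List[Rule]]) -> List[Rule]:
    """Return a list of {name, comment, rule, score} whatever form the config used.

    Legacy map entries get name/comment = None so consumers can tell them apart from
    rules that were deliberately named. Named rules must carry "rule" and "score".
    """
    if isinstance(risk_level_rules, dict):
        return [{"name": None, "comment": None, "rule": expr, "score": float(score)}
                for expr, score in risk_level_rules.items()]
    normalized: List[Rule] = []
    for entry in risk_level_rules:
        if "rule" not in entry or "score" not in entry:
            raise ValueError(f"named rule missing 'rule' or 'score': {entry!r}")
        normalized.append({
            "name": entry.get("name"),
            "comment": entry.get("comment"),
            "rule": entry["rule"],
            "score": float(entry["score"]),
        })
    return normalized


# Stand-in for the Stellar evaluator: supports only "field <op> literal", where the
# literal is a number or a single-quoted string. This is NOT Stellar.
_SIMPLE_EXPR = re.compile(r"^\s*(\w+)\s*(==|!=|>=|<=|>|<)\s*('([^']*)'|(-?\d+(?:\.\d+)?))\s*$")
_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
}


def evaluate_simple(rule: str, message: Dict[str, Any]) -> bool:
    """Evaluate a single comparison against a message; missing fields never match."""
    match = _SIMPLE_EXPR.match(rule)
    if not match:
        raise ValueError(f"unsupported rule syntax for the stand-in evaluator: {rule!r}")
    field, op, _, string_lit, number_lit = match.groups()
    if field not in message:
        return False
    actual = message[field]
    if string_lit is not None:
        return _OPS[op](str(actual), string_lit)
    try:
        return _OPS[op](float(actual), float(number_lit))
    except (TypeError, ValueError):
        return False


def aggregate(scores: List[float], aggregator: str) -> float:
    """Combine matched-rule scores; an unknown aggregator is rejected rather than guessed."""
    if aggregator == "MAX":
        return max(scores, default=0.0)
    if aggregator == "MIN":
        return min(scores, default=0.0)
    if aggregator == "SUM":
        return sum(scores)
    if aggregator == "MEAN":
        return sum(scores) / len(scores) if scores else 0.0
    raise ValueError(f"unknown aggregator: {aggregator!r}")


def triage(message: Dict[str, Any], triage_config: Dict[str, Any],
           evaluate: Callable[[str, Dict[str, Any]], bool] = evaluate_simple) -> Dict[str, Any]:
    """Score a message and report which rules fired, by name where one was given."""
    rules = normalize_rules(triage_config["riskLevelRules"])
    matched = [r for r in rules if evaluate(r["rule"], message)]
    score = aggregate([r["score"] for r in matched], triage_config.get("aggregator", "MAX"))
    return {
        "score": score,
        "rules": [{"name": r["name"], "comment": r["comment"], "score": r["score"]} for r in matched],
    }


# Constructed sample rules in both formats (hypothetical names and expressions).
LEGACY_RULES: LegacyRules = {"ip_dst_port == 22": 5, "bytes_out > 1000000": 10}
NAMED_RULES: List[Rule] = [
    {"name": "ssh-to-dmz", "comment": "SSH toward the DMZ segment", "rule": "ip_dst_port == 22", "score": 5},
    {"name": "large-egress", "comment": "over 1 MB leaving the network", "rule": "bytes_out > 1000000", "score": 10},
]
SAMPLE_MESSAGE: Dict[str, Any] = {"ip_dst_port": 22, "bytes_out": 5000000, "host": "db01"}

if __name__ == "__main__":
    for cfg in ({"riskLevelRules": LEGACY_RULES, "aggregator": "MAX"},
                {"riskLevelRules": NAMED_RULES, "aggregator": "SUM"}):
        print(triage(SAMPLE_MESSAGE, cfg))
```

The named form pays off in the `rules` list of the result: an analyst sees `ssh-to-dmz` and `large-egress` instead of having to read the raw expression back out of the alert, which is the organisational benefit the PR description is after.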