METRON-685 Scores in Threat Triage should be a Stellar Statement #1311
@nickwallen, I just did a clean checkout of your PR (in a tmp dir, not my repo), and did vagrant up, which worked.
How are you running it?
I spun it up in Full Dev from my feature branch. No libraries or dependencies changed, so maybe this is something that is already in master. I'll take a look.
Usually I run as root in Full Dev. Any difference if you start stellar as 'root'?
Let me try.
Same issue running as root, using sudo su - to get there.
I'll spin it up again and try to replicate. Thanks for giving it a go.
I don't know how grok came into this.
Yes, this is an issue in master. I opened a JIRA and am working on a fix. Glad you found that.
@nickwallen stellar is still crashing for me. You changed the metron-common script, but https://github.com/apache/metron/tree/master/metron-stellar/stellar-common/src/main/scripts/deployed is the script I think you need to change. I'm pretty sure I verified your first fix, and then you made the parsers->parsing change after. I'm going to test after manually changing the stellar file.
After making the changes, everything works as described in the steps. I'll try to do a code review.
In the code, I find the use of
Hi @ottobackwards, I will need to merge master into this PR to take advantage of #1312. I am traveling right now, but will do so when I return. Since #1312 was merged I am assuming this is no longer a problem in master. Let me know if that is incorrect.
@ottobackwards I addressed your feedback. Ran it up again and re-tested just to be sure.
This is great work @nickwallen +1
Allows a threat triage rule's score to be expressed as either a numeric value or a Stellar expression.
The change is backwards compatible. Users will not have to alter their existing triage rules.
The 'score' expression has access to all of the fields contained within the message being triaged.
Testing
Create a threat triage engine.
Add a triage rule that uses a simple numeric score. This is the existing behavior that continues to be supported.
Add another triage rule that uses a score expression. This will simply make the score 10 times the value contained in the message.
Review the rules that you have created.
Create a few test messages to simulate your telemetry.
Score a message based on the rules that have been defined. The result allows you to see the total score, the aggregator, along with details about each rule that fired.
Pull Request Checklist
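The testing steps above walk through a numeric rule score beside an expression rule score. As an added illustration that is not Metron's code and not Stellar, the Python below mirrors those semantics over a constructed rule set and message: a tiny whitelisted evaluator stands in for Stellar, and using MAX as the aggregator is an assumed choice.

```python
# Added illustration, not Metron's own code: a minimal triage engine mirroring the
# semantics described above. A rule's score may be a number or an expression that
# reads the message's fields; Stellar is stood in for by a small whitelisted
# evaluator built on Python's ast module, so arbitrary code is never executed.
import ast
import operator

_BIN = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


def evaluate(expr, message):
    """Evaluate a restricted expression; bare names resolve to message fields."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            return message[node.id]  # KeyError if the message lacks the field
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
            return _BIN[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
            return _CMP[type(node.ops[0])](walk(node.left), walk(node.comparators[0]))
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        raise ValueError("unsupported syntax: " + type(node).__name__)
    return walk(ast.parse(expr, mode="eval"))


def score_message(message, rules, aggregator=max):
    """Apply each rule; 'score' may be numeric (legacy) or an expression string."""
    fired = []
    for rule in rules:
        if not evaluate(rule["rule"], message):
            continue
        score = rule["score"]
        if isinstance(score, str):  # new behaviour: score is an expression
            score = evaluate(score, message)
        fired.append({"name": rule["name"], "score": float(score)})
    total = aggregator(r["score"] for r in fired) if fired else 0.0
    return {"score": total, "aggregator": aggregator.__name__, "rules": fired}


# Constructed rules and message following the testing steps: one numeric score,
# one expression score that is 10 times the message's value.
RULES = [{"name": "legacy", "rule": "value > 0", "score": 10},
         {"name": "scaled", "rule": "value > 0", "score": "value * 10"}]
MESSAGE = {"value": 22}
```

Calling score_message(MESSAGE, RULES) returns the total, the aggregator name and one entry per rule that fired, matching what the last testing step describes.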